Summary
- Shai Hulud v2 infected over 500 npm packages (over 700 versions) and also reached Java/Maven.
- Compromised packages launch a preinstall loader that fetches Bun and silently executes an obfuscated 10 MB payload.
- The payload harvests environment variables (GITHUB_TOKEN, NPM_TOKEN, AWS keys) and scans for secrets; its C2 is self-healing via GitHub.
Supply chain attacks on npm are not uncommon these days. It took a couple of months, but we are back with another attack, this one affecting over 500 packages.
A sophisticated supply chain attack campaign dubbed “Shai Hulud v2” has compromised hundreds of packages in the npm ecosystem and has now spread to Java/Maven artifacts. The attack has already affected more than 500 packages and 700 versions, including packages published by major vendors such as Zapier, Postman, PostHog, AsyncAPI and ENS Domains.
To the best of our knowledge, the infection vector is a two-stage loader designed to evade detection. Compromised packages carry a preinstall script in package.json that runs a file called setup_bun.js. This script acts as a hidden bootloader: it detects the host operating system and architecture, then finds or downloads the Bun runtime—a fast JavaScript runtime—and uses it to execute a heavy, obfuscated 10 MB payload called Bun_environment.js. The whole process suppresses standard output and error logs, so the malicious background activity goes unnoticed during package installation.
It should be noted that the problem extends to the Maven ecosystem. Researchers found the malicious payload in org.mvnpm:posthog-node, a Maven artifact automatically generated from the npm package. This shows that automatic bridges between software ecosystems can carry a compromise across unnoticed, effectively allowing JavaScript-based malware to contaminate Java environments.
The malware uses a fault-tolerant, “self-healing” C2 infrastructure. Once executed, it searches public GitHub repositories for a specific signal phrase: “Sha1-Hulud: The Second Coming.” If found, it retrieves a triple-Base64-encoded GitHub access token hidden in that repository and uses it as the main credential for exfiltration. Attackers can simply “restart” the campaign by creating new repositories if previous ones are deleted, which makes it quite resistant to takedown attempts.
The main goal of the malware appears to be mass credential theft. It captures all environment variables, including GITHUB_TOKEN, NPM_TOKEN and AWS_ACCESS_KEY_ID. Additionally, it downloads and runs the TruffleHog secret-scanning tool to aggressively scan the entire file system for hard-coded secrets.
If you want to know more about the intricacies of this problem, this report goes pretty deep.
Source: Socket