Shai Hulud: NPM Worm Supply Chain Data Theft

Tags: Supply Chain Attack, npm, Security, Open Source, Vulnerability, Shai-Hulud
A malware campaign known as Shai Hulud compromised dozens of npm packages. Once installed, the malicious versions harvest credentials, expose secrets, and spread further using npm and GitHub tokens.

Indicators of Compromise

webhook.site
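An added example (not code from the page or from the campaign write-up) that applies the indicator above to an installed dependency tree: it lists every npm install-time lifecycle hook and flags hooks whose command, or the local script the hook launches, references webhook.site. The node_modules tree, the package names and the setup.js file are constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run automatically on npm install
IOC = re.compile(r"webhook\.site", re.IGNORECASE)          # indicator listed on this page


def audit_node_modules(root):
    """Return (package, hook, reason) for every install-time hook under root; hooks
    whose command, or the local .js file they launch, mention webhook.site are
    reported as IoC hits rather than as plain hooks."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        name = meta.get("name") or manifest.parent.name
        for hook in INSTALL_HOOKS:
            cmd = (meta.get("scripts") or {}).get(hook)
            if not cmd:
                continue
            reason = "install-time hook present"
            if IOC.search(cmd):
                reason = "IoC webhook.site in hook command"
            # a hook such as "node setup.js": also inspect the script it runs
            for token in re.findall(r"[\w./-]+\.js\b", cmd):
                target = manifest.parent / token
                if target.is_file() and IOC.search(target.read_text(encoding="utf-8", errors="replace")):
                    reason = f"IoC webhook.site in {token}"
            findings.append((name, hook, reason))
    return findings


def build_sample_tree():
    """Construct a toy node_modules: one clean package and one whose postinstall
    script contains the indicator string (constructed, inert text only)."""
    root = tempfile.mkdtemp()
    packages = {
        "clean-pkg": ({"name": "clean-pkg", "version": "1.0.0"}, None),
        "suspect-pkg": ({"name": "suspect-pkg", "version": "2.0.1",
                         "scripts": {"postinstall": "node setup.js"}},
                        "// constructed sample\nconst u = 'https://webhook.site/PLACEHOLDER';\n"),
    }
    for dirname, (meta, script) in packages.items():
        pkg_dir = Path(root, "node_modules", dirname)
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        if script:
            (pkg_dir / "setup.js").write_text(script, encoding="utf-8")
    return root
```

Run `audit_node_modules("node_modules")` from a project root to review the hooks a real install would execute; every hook reported, not only IoC hits, deserves a look before the next `npm install`.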

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1195 - Supply Chain Compromise

ID: DS0022
Data Source: File
Data Component: File Metadata
Detects: Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and test software and updates prior to deployment, taking note of potentially suspicious activity.

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=15) OR (sourcetype="WinEventLog:Security" EventCode=4663)) OR (source="/var/log/audit/audit.log" SYSCALL="open" path IN ("/bin/*", "/usr/bin/*", "/etc/*"))
| eval risk_score=case(like(path, "%system32%"), 7, like(path, "%/usr/local/bin%"), 6, like(path, "%Program Files%"), 5)
| where risk_score >= 5
| stats count, latest(_time) AS _time BY host, user, path, process, risk_score
| table _time, host, user, path, process, risk_score

ID: DS0013
Data Source: Sensor Health
Data Component: Host Status
Detects: Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes and compare against a known-good baseline.

(EventCode=7045 OR EventCode=1116) OR (source="/var/log/system.log" message="Blocked binary execution")
| eval risk_score=case(like(Image, "%C:\\Users\\Public%"), 8, like(Image, "%Temp%"), 7, like(Image, "%AppData%"), 6)
| where risk_score >= 6
| stats count, latest(_time) AS _time BY host, user, Image, CommandLine, risk_score
| table _time, host, user, Image, CommandLine, risk_score


T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools

ID: DS0022
Data Source: File
Data Component: File Metadata
Detects: Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and test software and updates prior to deployment, taking note of potentially suspicious activity.

(EventCode=15 OR EventCode=4663) OR (source="/var/log/audit/audit.log" SYSCALL="open" path IN ("/usr/bin/gcc", "/usr/bin/make", "/usr/local/bin/node", "/opt/build-tools/*"))
| eval risk_score=case(like(path, "%npm%"), 7, like(path, "%python%"), 6, like(path, "%gcc%"), 6, like(path, "%make%"), 5)
| where risk_score >= 5
| stats count, latest(_time) AS _time BY host, user, path, process, risk_score
| table _time, host, user, path, process, risk_score


T1528 - Steal Application Access Token

ID: DS0026
Data Source: Active Directory
Data Component: Active Directory Object Modification
Detects: Monitor M365 audit logs for the operations "Add app role assignment grant to user" and/or "Consent to application" occurring against the AzureActiveDirectory workload.

Analytic 1 - Unusual app role assignments or consents to applications.

(index=security sourcetype="WinEventLog:Security" EventCode=5136)
OR (index=azuread sourcetype="azure:activity" operationName IN ("Add member to role", "Update application", "Update servicePrincipal"))
OR (index=gsuite sourcetype="gsuite:admin" event_type IN ("UPDATE_GROUP", "UPDATE_USER"))
OR (index=o365 sourcetype="o365:management:activity" operation IN ("Add member to role", "Update user", "Update group"))

ID: DS0002
Data Source: User Account
Data Component: User Account Modification
Detects: Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a "High severity app permissions" policy that generates alerts if apps request high-severity permissions or send permission requests for too many users.

Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform). For example, they can filter for apps that are authorized by a small number of users, apps requesting high-risk permissions, permissions incongruous with the app's purpose, or apps with old "Last authorized" fields. A specific app can be investigated using an activity log displaying the activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.

Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.

Analytic 1 - Unauthorized app permissions or unusual activity patterns in app logs.

(index=security sourcetype="WinEventLog:Security" EventCode IN (4720, 4722, 4738))
OR (index=azuread sourcetype="azure:activity" operationName IN ("Add member to role", "Update user", "Update group"))
OR (index=gsuite sourcetype="gsuite:admin" event_type IN ("UPDATE_USER", "ADD_USER_TO_GROUP"))
OR (index=o365 sourcetype="o365:management:activity" operation IN ("Add member to role", "Update user", "Update group"))


T1566 - Phishing (Initial Access)

ID: DS0015
Data Source: Application Log
Data Component: Application Log Content
Detects: Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[20][21] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically visit the sites to determine whether they are potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

Analytic 1 - Detecting Malicious Phishing Emails

(source="o365_message_trace" OR source="gmail_security_logs" OR source="/var/log/maillog")
| search "dkim=fail" OR "spf=fail" OR "dmarc=fail" OR "suspicious attachment"
| eval risk_score=case(like(subject, "%password reset%"), 8, like(subject, "%urgent action required%"), 7, like(subject, "%invoice%"), 6)
| where risk_score >= 6
| stats count BY _time, src_email, dest_email, subject, attachment_name, risk_score

ID: DS0022
Data Source: File
Data Component: File Creation
Detects: Monitor for creation of suspicious email attachments in download directories, execution of phishing attachments (e.g., .docm, .lnk, .hta, .vbs), or files extracted from .zip, .rar or .iso containers that execute scripts.

Analytic 1 - Detecting Malicious File Creation from Phishing Emails

(EventCode=11 OR EventCode=1116) OR (source="/var/log/audit/audit.log" SYSCALL="open" path IN ("/home/user/Downloads/*", "C:\\Users\\Public\\Downloads\\*"))
| eval risk_score=case(like(path, "%.vbs"), 8, like(path, "%.lnk"), 7, like(path, "%.exe"), 6)
| where risk_score >= 6
| stats count BY _time, host, path, user, risk_score

ID: DS0029
Data Source: Network Traffic
Data Component: Network Traffic Content
Detects: Monitor for clicks on malicious links leading to credential phishing, traffic to newly registered or suspicious domains, malicious redirect chains embedded in emails, or downloads of executables from phishing sites.

Analytic 1 - Detecting Phishing Link Clicks in Emails

(EventCode=3) OR (source="zeek_http_logs" uri IN (malicious_url_list)) OR (source="proxy_logs" url IN (malicious_url_list))
| eval risk_score=case(uri IN (malicious_url_list), 9, domain IN ("bit.ly", "tinyurl.com"), 8, like(domain, "%.xyz") OR like(domain, "%.top"), 7)
| where risk_score >= 7
| stats count BY _time, host, user, uri, domain, risk_score

Here malicious_url_list (and malicious_ip_list below) stands for the organisation's own threat-intelligence lookup; substitute the lookup actually deployed.



ID: DS0029
Data Source: Network Traffic
Data Component: Network Traffic Flow
Detects: Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analytic 1 - Detecting Malicious Network Traffic Post-Phishing Execution

(EventCode=3) OR (source="zeek_conn.log" dest_ip IN (malicious_ip_list)) OR (source="proxy_logs" url IN (malicious_url_list))
| eval risk_score=case(dest_ip IN (malicious_ip_list), 9, dest_port IN (4444, 1337, 8080), 8, like(user_agent, "%curl%"), 7)
| where risk_score >= 7
| stats count BY _time, host, user, dest_ip, dest_port, risk_score


T1041 - Exfiltration Over C2 Channel

ID: DS0017
Data Source: Command
Data Component: Command Execution
Detects: Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.

Analytic 1 - Detecting C2 Tool Execution Related to Exfiltration

(EventCode=1 OR (source="/var/log/audit/audit.log" type="execve"))
| where match(command, "powershell -enc|python -c|curl -d|wget --post-file|certutil -encode|base64 -w 0")
| eval risk_score=case(match(command, "powershell -enc|certutil -encode"), 9, match(command, "python -c|curl -d"), 8)
| where risk_score >= 8
| stats count BY _time, host, user, command, risk_score

ID: DS0022
Data Source: File
Data Component: File Access
Detects: Monitor for suspicious files (e.g., .pdf, .docx, .jpg) viewed in isolation that may be staged for exfiltration over an existing command and control channel.

Analytic 1 - Detecting File Access Before C2 Exfiltration

(EventCode=11 OR EventCode=4663 OR (source="/var/log/audit/audit.log" type="open"))
| where like(file_path, "/tmp/%") OR like(file_path, "/var/tmp/%") OR like(file_path, "/home//Downloads/%") OR like(file_path, "C:\\Users\\\\Documents\\exfil%")
| eval risk_score=case(like(file_path, "/tmp/%") OR like(file_path, "/var/tmp/%"), 9, like(file_path, "/home//Downloads/%"), 8)
| where risk_score >= 8
| stats count BY _time, host, user, file_path, risk_score

ID: DS0029
Data Source: Network Traffic
Data Component: Network Connection Creation
Detects: Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Note: Network analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation.

Analytic 1 - Detecting Outbound Network Connections for C2 Exfiltration

(EventCode=3 OR source="zeek_conn.log" OR source="firewall_logs")
| where bytes_out > 1000000 AND bytes_out > bytes_in * 5
| bucket span=1h _time
| stats count AS connections BY _time, host, process, dest_ip
| where connections >= 5
| stats sum(connections) AS connections, earliest(_time) AS earliest, latest(_time) AS latest BY host, dest_ip
| eval risk_score=case(connections >= 10, 9, connections >= 5, 8)
| where risk_score >= 8
| table host, dest_ip, connections, earliest, latest, risk_score



ID: DS0029
Data Source: Network Traffic
Data Component: Network Traffic Content
Detects: Hidden or encoded data inside otherwise normal C2 traffic (e.g., Base64, XOR, custom encoding). HTTP/S payloads with unusually long strings in GET/POST requests. DNS tunneling techniques used to bypass security controls.

Analytic 1 - Detecting Encoded or Hidden Data in C2 Channels

(EventCode=3 OR source="zeek_http.log" OR source="dns.log")
| where uri_length > 200 OR request_body_length > 5000
| eval encoded_data=if(match(uri, "[A-Za-z0-9+/=]{100,}") OR match(request_body, "[A-Za-z0-9+/=]{100,}"), 1, 0)
| where encoded_data=1
| eval risk_score=case(request_body_length > 10000, 9, request_body_length > 5000, 8)
| where risk_score >= 8
| stats count BY host, user, uri, request_body_length, risk_score
| table host, uri, request_body_length, risk_score
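The analytic above, re-implemented in Python and run over constructed records so its thresholds can be exercised offline; this is an added example, not code from the page. It assumes records of the form (host, user, uri, request_body_length, request_body) and that the request body comes from a content capture, since Zeek's http.log alone does not carry it.

```python
import re

# same pattern as the analytic: a run of 100+ base64-alphabet characters
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{100,}")

# Constructed sample records: (host, user, uri, request_body_length, request_body)
SAMPLE_RECORDS = [
    ("ws01", "alice", "/index.html", 0, ""),                                   # benign
    ("ws01", "alice", "/collect?d=" + "QUJD" * 40, 12000, "QUJD" * 3000),      # large encoded POST
    ("ws02", "bob", "/upload", 7000, "ZGF0YQ==" * 900),                        # encoded body only
    ("ws03", "carol", "/" + "Zz" * 110, 300, ""),                              # long encoded URI, tiny body
]


def risk_score(uri, body_len, body):
    """Mirror the analytic: size gate, then the base64-run test, then a score
    that depends only on request_body_length (0 stands for SPL's null)."""
    if not (len(uri) > 200 or body_len > 5000):
        return 0
    if not (B64_RUN.search(uri) or B64_RUN.search(body)):
        return 0
    if body_len > 10000:
        return 9
    if body_len > 5000:
        return 8
    return 0  # the case() has no branch for a long-URI, small-body request


def detect(records):
    """Return (host, user, uri, score) for every record the analytic would alert on."""
    hits = []
    for host, user, uri, body_len, body in records:
        score = risk_score(uri, body_len, body)
        if score >= 8:
            hits.append((host, user, uri, score))
    return hits
```

The fourth record shows the gap worth knowing about: a 221-character base64 URI with a small body passes both filters yet scores nothing, because the case() keys on body length alone, so GET-based or DNS-style exfiltration needs its own scoring branch.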



ID: DS0029
Data Source: Network Traffic
Data Component: Network Traffic Flow
Detects: Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Observed Countries (250)

AD (399)
AE (209)
AF (125)
AG (254)
AI (154)
AL (39)
AM (225)
AO (63)
AQ (899)
AR (682)
AS (276)
AT (939)
AU (906)
AW (33)
AX (624)
AZ (505)
BA (660)
BB (624)
BD (179)
BE (280)
BF (867)
BG (108)
BH (992)
BI (676)
BJ (694)
BL (387)
BM (265)
BN (828)
BO (422)
BQ (95)
BR (732)
BS (293)
BT (76)
BV (418)
BW (565)
BY (248)
BZ (742)
CA (855)
CC (27)
CD (173)
CF (696)
CG (575)
CH (147)
CI (378)
CK (594)
CL (711)
CM (175)
CN (652)
CO (796)
CR (140)
CU (802)
CV (394)
CW (484)
CX (698)
CY (373)
CZ (164)
DE (450)
DJ (887)
DK (224)
DM (652)
DO (238)
DZ (66)
EC (342)
EE (975)
EG (443)
EH (589)
ER (299)
ES (80)
ET (274)
FI (108)
FJ (920)
FK (501)
FM (870)
FO (926)
FR (678)
GA (734)
GB (718)
GD (506)
GE (288)
GF (97)
GG (927)
GH (458)
GI (3)
GL (631)
GM (840)
GN (181)
GP (34)
GQ (765)
GR (621)
GS (664)
GT (415)
GU (651)
GW (471)
GY (560)
HK (108)
HM (262)
HN (133)
HR (450)
HT (872)
HU (512)
ID (548)
IE (167)
IL (529)
IM (624)
IN (554)
IO (431)
IQ (797)
IR (771)
IS (167)
IT (129)
JE (285)
JM (700)
JO (874)
JP (269)
KE (133)
KG (424)
KH (900)
KI (759)
KM (27)
KN (52)
KP (664)
KR (735)
KW (506)
KY (714)
KZ (401)
LA (813)
LB (106)
LC (212)
LI (508)
LK (766)
LR (640)
LS (429)
LT (992)
LU (657)
LV (496)
LY (672)
MA (728)
MC (440)
MD (15)
ME (142)
MF (461)
MG (727)
MH (684)
MK (181)
ML (817)
MM (371)
MN (275)
MO (966)
MP (242)
MQ (775)
MR (96)
MS (265)
MT (286)
MU (534)
MV (122)
MW (553)
MX (938)
MY (922)
MZ (583)
NA (323)
NC (621)
NE (485)
NF (906)
NG (276)
NI (654)
NL (839)
NO (38)
NP (912)
NR (394)
NU (377)
NZ (853)
OM (480)
PA (206)
PE (111)
PF (277)
PG (64)
PH (142)
PK (220)
PL (700)
PM (428)
PN (443)
PR (265)
PS (393)
PT (214)
PW (501)
PY (605)
QA (525)
RE (903)
RO (698)
RS (179)
RU (228)
RW (672)
SA (769)
SB (470)
SC (205)
SD (222)
SE (599)
SG (879)
SH (323)
SI (697)
SJ (985)
SK (985)
SL (596)
SM (713)
SN (992)
SO (338)
SR (174)
SS (420)
ST (323)
SV (798)
SX (806)
SY (972)
SZ (187)
TC (217)
TD (30)
TF (295)
TG (440)
TH (6)
TJ (420)
TK (264)
TL (161)
TM (591)
TN (4)
TO (888)
TR (387)
TT (540)
TV (309)
TW (500)
TZ (569)
UA (74)
UG (167)
UM (201)
US (459)
UY (640)
UZ (190)
VA (766)
VC (89)
VE (973)
VG (862)
VI (313)
VN (504)
VU (528)
WF (422)
WS (589)
XK (410)
YE (623)
YT (382)
ZA (296)
ZM (670)
ZW (277)