
Shai Hulud 2: Supply Chain Storm
Operation Second Sandworm is the second major wave of the Shai Hulud npm worm, affecting prominent ecosystems such as Zapier, ENS Domains, Postman and PostHog, among others. The worm compromises maintainer accounts, embeds malicious code into npm packages, steals sensitive information such as GitHub tokens and cloud keys, and then establishes backdoored GitHub Actions workflows and exfiltration repositories so that credentials keep being extracted long after the original packages have been removed. This turns routine developer dependencies into an automated supply chain propagation mechanism that spreads through the npm registry and across many GitHub projects.
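One check a defender can run against an installed dependency tree after reading the description above is an audit of npm install-lifecycle hooks. This is an added example, not code from the campaign page or from any vendor tool; it assumes that code embedded in a compromised package would execute at install time through package.json lifecycle scripts (the page says only that malicious code is embedded in the packages, so that placement is an assumption), and the sample tree it builds is constructed.

```python
"""Audit npm install-lifecycle hooks across a node_modules tree.
Added example; assumes install-time execution via package.json lifecycle
scripts, which the campaign description itself does not state."""
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Strings a defender would not expect inside a benign dependency's install hook.
SUSPECT = re.compile(r"GITHUB_TOKEN|NPM_TOKEN|AWS_SECRET|\.github/workflows|https?://", re.I)
RUNS_BUNDLED_JS = re.compile(r"\bnode\s+\S+\.js")  # hook that executes a shipped script


def audit_node_modules(root):
    """Return sorted (package, hook, command, flagged) tuples for every lifecycle hook found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        if not isinstance(meta, dict):
            continue
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if cmd:
                # Triage signal only: legitimate native-addon builds also use install hooks.
                flagged = bool(SUSPECT.search(cmd) or RUNS_BUNDLED_JS.search(cmd))
                findings.append((meta.get("name", dirpath), hook, cmd, flagged))
    return sorted(findings)


def build_sample_tree():
    """Write a throwaway node_modules with one clean and one hooked package (constructed sample)."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    samples = {
        "clean-lib": {"name": "clean-lib", "scripts": {"test": "jest"}},
        "hooked-lib": {"name": "hooked-lib", "scripts": {"preinstall": "node bundle.js"}},
    }
    for folder, meta in samples.items():
        path = os.path.join(root, "node_modules", folder)
        os.makedirs(path)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root
```

Point `audit_node_modules` at a real project's `node_modules` and review every flagged row against the package's published source before trusting the install.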
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
T1059.007 - JavaScript
T1071.001 - Web Protocols
T1195 - Supply Chain Compromise
T1199 - Trusted Relationship
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0264 | Cross-Platform Detection of JavaScript Execution Abuse | AN0733 | Detects JavaScript execution through WSH (wscript.exe, cscript.exe) or HTA (mshta.exe), particularly when spawned from Office macros, web browsers, or abnormal user paths. Correlates script execution with outbound network activity or system modification. |
| | | AN0734 | Detects JavaScript for Automation (JXA) via osascript or compiled scripts using OSAKit APIs. Flags execution involving system modification, inter-process scripting, or browser abuse. |
| | | AN0735 | Detects Node.js or JavaScript interpreter execution from web shells, cron jobs, or local users. Correlates execution with reverse shell behavior, file modifications, or abnormal outbound connections. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0027 | Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets | AN0075 | Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs. |
| | | AN0076 | Detects curl, wget, Python requests, or custom HTTP clients communicating over non-standard ports, with repetitive or beacon-like patterns or POST-heavy behavior to rare domains. |
| | | AN0077 | Detects applications such as Automator, AppleScript, or LaunchDaemons invoking HTTP/S traffic to non-standard domains or using suspicious headers (e.g., Base64 in URIs or cookie fields). |
| | | AN0078 | Detects HTTP or HTTPS communication initiated by shell-based scripts or management daemons, especially those reaching public IPs over ports 80/443 using embedded curl or wget. |
| | | AN0079 | Detects Web protocol misuse such as encoded HTTP headers, WebSocket upgrade requests with abnormal payloads, or TLS handshake anomalies suggesting embedded C2 channels. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0537 | Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) | AN1480 | 1) New or updated software is delivered/installed from atypical sources or with signature/hash mismatches; 2) installer/updater writes binaries to unexpected paths or replaces existing signed files; 3) first run causes unsigned/abnormally signed modules to load or child processes to execute, optionally followed by network egress to new destinations. |
| | | AN1481 | 1) Package manager or curl/wget installs/upgrades from non-approved repos or unsigned packages; 2) new ELF written into PATH directories or replacement of existing binaries/libraries; 3) first run leads to unexpected child processes or outbound connections. |
| | | AN1482 | 1) pkg/notarization installs from atypical sources or with Gatekeeper/AMFI warnings; 2) new Mach-O written into /Applications or ~/Library paths or substitution of signed components; 3) first run from installer spawns unsigned children or exfil. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0488 | Detect abuse of Trusted Relationships (third-party and delegated admin access) | AN1344 | Behavioral chain: (1) a login from a third-party account or untrusted source network establishes an interactive/remote session; (2) the session acquires elevated privileges or accesses sensitive resources atypical for that account; (3) subsequent lateral movement or data access occurs from the same session/device. Correlate Windows logon events, token elevation/privileged use, and resource access with third-party context. |
| | | AN1345 | Behavioral chain: (1) sshd or federated SSO logins from third-party networks or identities; (2) rapid sudo/su privilege elevation; (3) access to sensitive paths or east-west SSH. Correlate auth logs, process execution, and network flows. |
| | | AN1346 | Behavioral chain: (1) third-party interactive login or mobileconfig-based device enrollment; (2) privilege use or admin group change; (3) lateral movement mounts/ssh. Correlate unified logs and network telemetry. |
| | | AN1347 | Behavioral chain: (1) delegated admin or external identity establishes session (e.g., partner/reseller DAP, B2B guest, SAML/OAuth trust); (2) role elevation or app consent/permission grant; (3) downstream privileged actions in the tenant. Correlate IdP sign-in, admin/role assignment, and consent/admin-on-behalf events. |
Observed Countries (250)