SOC Incident Toolkit
Back to Campaigns
Shai Hulud 2: Supply Chain Storm

Shai Hulud 2: Supply Chain Storm

ShaiHuludSecondSandwormnpmSupplyChainAttack

Operation Second Sandworm is the second significant surge of the Shai Hulud npm worm, impacting prominent ecosystems as Zapier, ENS Domains, Postman, PostHog, among others. The virus compromises maintainer accounts, embeds malicious code into npm packages, appropriates sensitive information such as GitHub tokens and cloud keys, and then establishes backdoored GitHub Actions processes and exfiltration repositories to continuously extract credentials long after the original packages have been purged. This transforms routine developer dependencies into an automated supply chain tool that disseminates via the npm registry and several GitHub projects.

Notes

<div class="content-body"> <span class="content-title">CONCLUSION</span> <p class="content-description">According to the analysis, the second Shai Hulud campaign is one of the clearest examples of how fragile the software supply chain is today. One compromised npm package or GitHub account was enough to push malicious updates into the normal development flow of platforms like Zapier, ENS, AsyncAPI, PostHog, and Postman. Everyday dependencies turned into tools for stealing secrets and entering CI/CD pipelines. This shows that it is not enough to catch a single malware sample. Organizations need end to end visibility on code, pipelines, and third party services.</p> <p class="content-description">SOCRadar approaches a campaign like Shai Hulud 2 by using several modules together. The XTI / Threat Intelligence module tracks new indicators, malicious npm packages, domains, IPs, and related infrastructure, and feeds fresh IOCs into SIEM and SOAR. Attack Surface Management shows which internet facing assets and GitHub projects use the affected packages and where the exposure is highest. Digital Risk Protection detects leaked developer credentials, tokens, or dark web chatter that links an organization to this campaign. Supply Chain Intelligence adds a view of third party vendors and open source components, so security teams can rate their risk and see which dependencies should be checked and fixed first.</p> <p class="content-description">SOCRadar’s overall view is clear: Shai Hulud 2 is not an incident that can be handled only by looking at a few alerts. It is a campaign that proves the need for a continuous supply chain radar. When SOCRadar modules work together, security teams can build a clear exposure map, react faster, and increase the chance of catching the next Shai Hulud style wave while it is still forming, not after it hits production.</p> </div>

Mitigation

<div class="content-container"> <span class="content-title">T1059.007 - JavaScript</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1040">M1040</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1040">Behavior Prevention on Endpoint</a> </td> <td> On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent <a href="https://attack.mitre.org/techniques/T1059/007">JavaScript</a> scripts from executing potentially malicious downloaded content <a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction">[102]</a>. </td> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1042">M1042</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1042">Disable or Remove Feature or Program</a> </td> <td> Turn off or restrict access to unneeded scripting components. </td> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1038">M1038</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a> </td> <td> Denylist scripting where appropriate. </td> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1021">M1021</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1021">Restrict Web-Based Content</a> </td> <td> Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. </td> </tr> </tbody> </table> </div> <span class="content-title">T1071.001 - Web Protocols</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1037">M1037</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1037">Filter Network Traffic</a> </td> <td> Restrict and monitor outbound web traffic (HTTP/HTTPS) from critical servers to only approved destinations. Limiting the ability to initiate outbound HTTP/HTTPS connections, especially from public-facing servers, can prevent attackers from using tools like curl or wget to communicate with external C2 servers or download malicious payloads. </td> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1031">M1031</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1031">Network Intrusion Prevention</a> </td> <td> Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. </td> </tr> </tbody> </table> </div> <span class="content-title">T1195 - Supply Chain Compromise</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1013">M1013</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1013">Application Developer Guidance</a> </td> <td> Application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions rather than pulling the latest version on build. </td> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1046">M1046</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1046">Boot Integrity</a> </td> <td> Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. </td> </tr> </tbody> </table> </div> <span class="content-title">T1199 - Trusted Relationship</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td> <a href="https://attack.mitre.org/mitigations/M1032">M1032</a> </td> <td> <a href="https://attack.mitre.org/mitigations/M1032">Multi-factor Authentication</a> </td> <td> Require MFA for all delegated administrator accounts. </td> </tr> </tbody> </table> </div> </div>