EXECUTIVE SUMMARY #
- On 24 November 2025, public sources reported a supply chain attack on the Node Package Manager (NPM) ecosystem. Thus far, it has been observed affecting 690 packages and more than 20,000 GitHub repositories.
- This campaign relies on a malicious worm referred to as Shai-Hulud. Properties of this malware include:
  - Stealing credentials for the AWS, GCP, and Azure cloud providers
  - Creating malicious CI/CD workflows to maintain persistence and enable command-and-control (C2)
  - Injecting GitLab CI configurations intended to exfiltrate repository secrets
- CGI GSOC is currently investigating this activity and has opened incidents in relation to it. While details continue to emerge and the extent of the breach is being confirmed, CGI security stakeholders such as sysadmins, developers, and SBPs should make themselves aware of this ongoing threat and follow the recommended guidance in this report.
SUMMARY OF IMPACT #
CGI GSOC assesses with high confidence that the leakage of information could represent a high risk for CGI. The assessment is informed by the fact that the compromised packages reach a large number of victims, that the malware steals developers' credentials, and that it implements a multi-stage exfiltration system for the stolen data.
DETAILS #
CGI GSOC is currently monitoring a widespread open-source supply chain threat involving compromised npm packages associated with the Shai-Hulud malware campaign. This malware has affected multiple package versions across the npm ecosystem and may impact developer workstations and GitLab accounts.
At the moment of writing this report, CGI GSOC is actively:
- Conducting proactive threat hunts across our environment.
- Developing custom detection rules for vulnerable and malicious npm packages.
- Monitoring for indicators of compromise linked to Shai-Hulud.
- Investigating any identification of compromised npm packages on CGI assets. If GSOC identifies any relevant indicators, we will contact the specific SBU with a request for further information and actions.
ACTIONS REQUIRED #
System owners must perform a local scan using the detection script: https://github.com/Cobenian/shai-hulud-detect.
This script checks for malicious packages and known indicators on disk. If any positive results are returned, please notify GSOC.
If evidence of compromise is detected: where GSOC identifies indicators related to a user or device in your area, we will request that you complete a small set of checks and return the findings. These checks follow industry guidance provided by JFrog as well as guidance provided by national agencies: https://research.jfrog.com/post/shai-hulud-the-second-coming-remediation-guidance/
The checks are as follows:
GitLab account activity
The worm steals developer credentials, republishes trojanized packages, and spreads across GitLab pipelines. GitLab is a key vector used by the worm to exfiltrate data and maintain persistence. Any GitLab credentials stored on assets with compromised NPM packages should have their GitLab activity reviewed.
- Check GitLab for any unexpected repositories.
  - The worm sometimes creates public repositories where it uploads exfiltrated secrets. Files uploaded are usually named: contents.json, environment.json, cloud.json, actionsSecrets.json, truffleSecrets.json.
- Check GitLab pipelines for unfamiliar workflows.
  - Each repository should have a pipeline file .gitlab-ci.yml. Check if there are any files you don't recognize, especially ones created in the last 1-14 days or files with random names.
- Check GitLab for unfamiliar self-hosted runners.
  - The worm has been observed creating self-hosted runners named SHA1HULUD, but also check for any unrecognized runner added recently. Runners can be found in GitLab settings.
- Check if new versions of repositories have been published that contain a postinstall script called setup_bun.js.
NPM activity
If an NPM auth token (NPM_TOKEN) is found by the malware (either from the environment or extracted from .npmrc), the malware validates it and obtains the associated username (maintainer). It then queries the NPM registry for all packages by that maintainer and iterates through them, repacking each with the malicious preinstall script and payload.
- Check the npm account for new versions of published packages that contain a postinstall script that runs node setup_bun.js.
If any of the above checks return a positive finding, please notify GSOC and wait for further instructions.
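As an added example (not part of this advisory or of the Cobenian detection script it references), the following Python scans a local project or repository checkout for the indicators listed above: preinstall/postinstall hooks that run setup_bun.js, the payload file itself, and the exfiltration artifact filenames. The sample tree built by demo() is constructed for the demonstration; the placeholder setup_bun.js it writes is not the real payload.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicator names taken from the advisory text above.
EXFIL_FILES = {"contents.json", "environment.json", "cloud.json",
               "actionsSecrets.json", "truffleSecrets.json"}
HOOKS = ("preinstall", "postinstall")   # lifecycle hooks the worm abuses
PAYLOAD_NAME = "setup_bun.js"

def check_package_json(path: Path) -> list[str]:
    """Report lifecycle hooks in one package.json that invoke setup_bun.js."""
    findings = []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return findings    # unreadable or not JSON: nothing to report here
    scripts = data.get("scripts") or {}
    for hook in HOOKS:
        cmd = scripts.get(hook, "")
        if isinstance(cmd, str) and PAYLOAD_NAME in cmd:
            findings.append(f"{path}: {hook} runs {cmd!r}")
    return findings

def scan_tree(root: str) -> list[str]:
    """Walk a project or repository checkout and collect indicator hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == "package.json":
                findings.extend(check_package_json(p))
            elif name == PAYLOAD_NAME:
                findings.append(f"{p}: payload file present")
            elif name in EXFIL_FILES:
                findings.append(f"{p}: exfiltration artifact name")
    return sorted(findings)

def demo() -> list[str]:
    """Build a constructed sample tree (one clean, one trojanized package) and scan it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "clean").mkdir()
    (tmp / "clean" / "package.json").write_text(json.dumps({"name": "clean-pkg", "scripts": {"test": "jest"}}))
    (tmp / "bad").mkdir()
    (tmp / "bad" / "package.json").write_text(json.dumps({"name": "bad-pkg", "scripts": {"postinstall": "node setup_bun.js"}}))
    (tmp / "bad" / PAYLOAD_NAME).write_text("// constructed placeholder, not the real payload\n")
    (tmp / "bad" / "cloud.json").write_text("{}")   # constructed exfil artifact
    return scan_tree(str(tmp))
```

Run scan_tree() against a real checkout (including node_modules) and treat every returned line as a finding to report to GSOC; demo() only exercises the logic on the constructed tree and returns three hits.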
REFERENCES #
- https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html
- https://www.darkreading.com/cyberattacks-data-breaches/shai-hulud-variant-cloud-ecosystem?utm_source=chatgpt.com
- https://www.thedigitalforensics.com/infosec/unpacking-the-shai-hulud-20-worm-deep-dive-into-the-malicious-npm-payload