Microsoft gives guidance on Shai-Hulud 2.0 supply chain attack
Briefly

"The Shai-Hulud 2.0 campaign, previously described on Techzine, builds on earlier supply chain compromises. However, this variant introduces more automation, faster distribution, and a broader target. Malicious code runs during the pre-install phase of infected npm packages, causing execution to take place before tests or security checks. Attackers compromised maintainer accounts of widely used projects such as Zapier, PostHog, and Postman."
"Multiple npm packages were compromised when threat actors added a preinstall script called setup_bun.js to the package.json. The setup_bun.js script checked for an existing Bun runtime binary and installed it if absent. Bun can be used in the same way as Node.js. The Bun runtime then executed the bundled malicious script bun_environment.js. This script downloaded and installed a GitHub Actions Runner archive and configured a new GitHub repository with a runner agent named SHA1Hulud."
Shai-Hulud 2.0 builds on prior supply chain compromises with increased automation, faster distribution, and broader targeting. Malicious code executes during the pre-install phase of infected npm packages, so it runs before any tests or security checks. Maintainer accounts for widely used projects including Zapier, PostHog, and Postman were compromised, allowing attackers to inject a preinstall script named setup_bun.js. The script installs a Bun runtime to execute bun_environment.js, which downloads a GitHub Actions Runner, configures a repository runner named SHA1Hulud, and uses TruffleHog to search for credentials and exfiltrate them to attacker-controlled public repositories. Stolen credentials enable privilege escalation and lateral movement across cloud workloads, and traditional network defenses are insufficient against attacks embedded in trusted package workflows. Microsoft Defender for Containers generated alerts on suspicious shred usage and data destruction.
Read at Techzine Global