
The software supply chain is under siege from “Shai Hulud v2,” a sophisticated malware campaign that has compromised 834 packages across the npm and Maven ecosystems.
This new wave specifically targets GitHub Actions workflows, abusing pull_request_target triggers, which run workflow code with the base repository’s secrets even for pull requests from forks, to inject malicious code into widely used libraries.
The attack has impacted major projects like PostHog, Zapier, and AsyncAPI, leveraging compromised automation tokens to infect downstream dependencies systematically.
The infection process relies on a stealthy two-stage loader initiated by a preinstall script named setup_bun.js.
This script installs the Bun runtime and uses it to execute an obfuscated payload, bun_environment.js, while suppressing its console output so that nothing appears in build logs.
By pivoting through compromised CI pipelines, the malware gains privileged access to repository secrets, enabling it to modify source code, increment patch versions, and republish infected packages to public registries.
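The two entry points just described, an install-time npm script that bootstraps Bun, and a pull_request_target workflow that checks out and installs pull-request code with secrets in scope, can both be spotted by reading files, not by running anything. The following audit script is an added example written for this article; it is not code from the article, from Socket.dev, or from the malware. It uses only the Python standard library, scans with regular expressions rather than a YAML parser, and the package.json and workflow samples at the bottom are constructed to mimic the shapes the article describes. The regex patterns, the file names and the hypothetical repository layout are assumptions; treat every hit as a review item, not a verdict.

```python
"""Added audit helpers (not from the article or any vendor tool) for the two
Shai Hulud v2 entry points described above: npm lifecycle scripts that
bootstrap Bun to run a second-stage file, and GitHub Actions workflows that
run on pull_request_target while checking out and installing pull-request
code with repository secrets in scope.  Stdlib only; samples are constructed."""
import json
import re
import sys
from pathlib import Path

# Hooks npm runs during install, i.e. before anyone has read the code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Loader fingerprints named in the article plus generic "fetch and run" shapes.
# Projects that legitimately use Bun will trigger the \bbun\b alternative, so a
# hit is a review item, not a verdict.  Patterns are assumptions, extend them.
SUSPICIOUS_CMD = re.compile(
    r"setup_bun\.js|bun_environment\.js|\bbun\b|curl\b[^|]*\|\s*(?:ba)?sh\b|\bnode\s+-e\b",
    re.IGNORECASE,
)


def audit_package_json(text: str) -> list[str]:
    """Return findings for install-time scripts in a package.json document."""
    try:
        pkg = json.loads(text)
    except ValueError as exc:
        return [f"unparseable package.json: {exc}"]
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if SUSPICIOUS_CMD.search(cmd):
            findings.append(f"{hook}: suspicious install-time script {cmd!r}")
        else:
            findings.append(f"{hook}: install-time script present, review {cmd!r}")
    return findings


# pull_request_target grants the base repo's secrets; combining it with a
# checkout of the PR head and a package install hands those secrets to the
# PR author's lifecycle scripts.
PR_TARGET = re.compile(r"\bpull_request_target\b")
PR_HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")
PKG_INSTALL = re.compile(r"\b(?:npm|pnpm|yarn|bun)\s+(?:ci|install|i)\b")


def audit_workflow(text: str) -> list[str]:
    """Return findings for a GitHub Actions workflow file (raw YAML text)."""
    if not PR_TARGET.search(text):
        return []
    checks_out_head = bool(PR_HEAD_CHECKOUT.search(text))
    installs = bool(PKG_INSTALL.search(text))
    findings = []
    if checks_out_head:
        findings.append("pull_request_target checks out the PR head: untrusted code, trusted secrets")
        if installs:
            findings.append("package install on PR head: the PR's lifecycle scripts would run")
    else:
        findings.append("pull_request_target present: confirm no step executes PR-controlled content")
    return findings


def audit_repo(root: Path) -> dict[str, list[str]]:
    """Walk a checkout (hypothetical layout) and collect non-empty findings by path."""
    results = {}
    for path in root.rglob("package.json"):
        if "node_modules" in path.parts:
            continue  # installed packages already ran their hooks; audit them separately
        results[str(path.relative_to(root))] = audit_package_json(path.read_text())
    workflows = list(root.glob(".github/workflows/*.yml")) + list(root.glob(".github/workflows/*.yaml"))
    for path in workflows:
        results[str(path.relative_to(root))] = audit_workflow(path.read_text())
    return {k: v for k, v in results.items() if v}


# Constructed samples mimicking the shapes described in the article.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lib", "version": "1.2.4",
    "scripts": {"preinstall": "node setup_bun.js", "test": "jest"},
})
SAMPLE_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in audit_repo(Path(sys.argv[1])).items():
            print(path, *findings, sep="\n  ")
    else:
        print("package.json:", *audit_package_json(SAMPLE_PACKAGE_JSON), sep="\n  ")
        print("workflow:", *audit_workflow(SAMPLE_WORKFLOW), sep="\n  ")
```

Run it with a checkout path to audit a real repository, or with no arguments to see the constructed samples flagged. The workflow check is deliberately conservative: a pull_request_target workflow that never touches PR-controlled content is still reported so a human confirms it, because the dangerous combination is often split across reusable actions the regex cannot see.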
Socket.dev security analysts identified the malware’s distinctive persistence mechanism: the repositories it creates are tagged with the beacon phrase “Sha1-Hulud: The Second Coming,” so a GitHub search for that phrase locates compromised accounts and can be used to re-trigger infections.
This means that even if individual repositories are cleaned, the attackers can locate and re-compromise vulnerable endpoints.
Campaign’s impact
The campaign’s impact is extensive, exposing sensitive credentials from tens of thousands of repositories and marking a dangerous evolution in automated supply chain attacks.
Once entrenched in a CI environment, the malware executes a comprehensive credential harvesting routine. It captures all available environment variables, specifically targeting GITHUB_TOKEN, NPM_TOKEN, and AWS_ACCESS_KEY_ID, while simultaneously deploying a TruffleHog binary to scan the local filesystem for embedded secrets.
Unlike typical scrapers, this payload aggressively enumerates cloud infrastructure, cycling through every region in AWS, Google Cloud, and Azure to extract secrets from managed vaults.
All stolen data is obscured using three layers of Base64 encoding before being exfiltrated to a randomly generated GitHub repository created within the victim’s account.
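For incident responders, the two actionable facts in this section are the beacon phrase in the repository description and the triple Base64 wrapping of the stolen environment. The script below is an added example written for this article, not code from the article, from Socket.dev, or from the malware. It peels the Base64 layers off a captured blob, reports which credential names were exposed (values are never printed; the output is a rotation list), and flags repositories whose description carries the beacon phrase, comparing with case and punctuation folded so the variant spellings in the wild still match. The environment dictionary, token placeholders and repository names are constructed; the wrapping helper is a stand-in for the worm's encoding, not its code.

```python
"""Added triage helpers (not from the article, Socket.dev or any vendor tool)
for the exfiltration path described above: stolen environment data wrapped in
three layers of Base64 and pushed to a repository in the victim's account whose
description carries the beacon phrase.  Secret values are never printed; the
output is the list of credential names to rotate.  Samples are constructed."""
import base64
import binascii
import json
import re

BEACON = "Sha1-Hulud: The Second Coming"
# Key names that look like credentials; extend for your own secret naming.
CREDENTIAL_NAME = re.compile(
    r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|PRIVATE_KEY", re.IGNORECASE)


def _normalize(text: str) -> str:
    """Fold case and punctuation so beacon variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def peel_base64(blob: bytes, max_layers: int = 8) -> tuple[bytes, int]:
    """Strip nested Base64 until a JSON object appears or the data stops being Base64.

    Returns (data, layers_removed).  Base64 text can never parse as a JSON object
    (no '{' in the alphabet), so the JSON probe is a safe stopping test."""
    data = blob.strip()
    layers = 0
    while True:
        try:
            if isinstance(json.loads(data), dict):
                return data, layers
        except ValueError:
            pass
        if layers >= max_layers:
            return data, layers
        try:
            data = base64.b64decode(data, validate=True).strip()
        except (binascii.Error, ValueError):
            return data, layers  # not JSON and not Base64: hand back what we have
        layers += 1


def exposed_credentials(payload: dict) -> list[str]:
    """Names (never values) of keys that look like credentials."""
    return sorted(k for k in payload if CREDENTIAL_NAME.search(k))


def triage_exfil_blob(blob: bytes) -> dict:
    """Decode a captured blob and report how many layers it had and what to rotate."""
    plain, layers = peel_base64(blob)
    try:
        payload = json.loads(plain)
    except ValueError:
        payload = None
    if not isinstance(payload, dict):
        return {"layers": layers, "decoded": False, "rotate": []}
    return {"layers": layers, "decoded": True, "rotate": exposed_credentials(payload),
            "keys": len(payload)}


def flag_beacon_repos(repos: list[dict]) -> list[str]:
    """Repositories whose description carries the beacon phrase.

    Input is a list of dicts shaped like GitHub API repository objects
    (only 'full_name' and 'description' are read)."""
    target = _normalize(BEACON)
    return [r["full_name"] for r in repos
            if target in _normalize(r.get("description") or "")]


def wrap_like_the_worm(payload: dict, layers: int = 3) -> bytes:
    """Constructed stand-in for the exfil encoding: JSON, then Base64 `layers` times."""
    data = json.dumps(payload).encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


# Constructed sample environment and repository listing (placeholders, not real secrets).
SAMPLE_ENV = {
    "CI": "true", "HOME": "/home/runner",
    "GITHUB_TOKEN": "placeholder-not-a-real-token",
    "NPM_TOKEN": "placeholder-not-a-real-token",
    "AWS_ACCESS_KEY_ID": "placeholder-not-a-real-key",
}
SAMPLE_BLOB = wrap_like_the_worm(SAMPLE_ENV)
SAMPLE_REPOS = [
    {"full_name": "victim-org/api-server", "description": "Backend services"},
    {"full_name": "victim-org/k3x9q2", "description": "Sha1-Hulud: The Second Coming"},
]

if __name__ == "__main__":
    print(triage_exfil_blob(SAMPLE_BLOB))
    print("beacon repos:", flag_beacon_repos(SAMPLE_REPOS))
```

Feed flag_beacon_repos the JSON from a listing of an organisation's repositories and triage_exfil_blob the contents of any file found in a flagged repository; rotate every name in the returned list before deleting the repository, since the attackers have already read it.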
Furthermore, the malware attempts privilege escalation on Linux runners by manipulating sudoers or executing docker run --privileged commands to gain root access.
If it finds no valid credentials with which to propagate, the malware falls back to a destructive wiper routine that deletes the user’s files on the compromised host.
