Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems
A new campaign, dubbed Shai-hulud 2.0, has been identified targeting cloud and developer ecosystems with a sophisticated malware variant. This updated version builds upon its predecessor by stealing credentials and secrets from major cloud platforms, including AWS, GCP, and Azure, as well as NPM tokens and GitHub authentication credentials. What sets it apart is its newly introduced capability to automate the backdooring of NPM packages maintained by victims, creating a highly wormable threat.
The Shai-hulud 2.0 malware achieves supply chain compromise by backdooring every NPM package maintained by the victim and republishing it with a malicious payload. These payloads are designed to execute upon installation, potentially impacting thousands of downstream users. The entire process is automated and parallelized across up to 100 packages at a time, maximizing propagation speed while minimizing the chance of detection. The initial dropper script, named setup_bun.js, detects whether the Bun JavaScript runtime is installed and installs it if necessary, using the official Bun installation scripts to appear legitimate. It then executes the main malware payload, bun_environment.js.
The main payload, bun_environment.js, uses a function called jy1() to orchestrate the attack. This function checks for CI/CD environment variables to determine its execution context. If running within a CI/CD pipeline (e.g., GitHub Actions, Google Cloud Build, AWS CodeBuild), it executes immediately to maximize credential access. On developer machines, it employs a stealth approach by spawning a detached background process, allowing the NPM install process to complete normally without raising suspicion. This background process then steals credentials from cloud providers and development platforms.
The aL0() function is responsible for stealing credentials from AWS, GCP, and Azure cloud providers, along with NPM tokens and GitHub authentication credentials. It also targets cloud-native secret management services, such as AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault. If authentication fails, the malware can execute destructive commands to wipe user data. Furthermore, it attempts to establish persistence and disable security controls on Linux systems using functions like cQ0() for process detection, pQ0() for privilege escalation (including exploiting Docker), and gQ0() to disable systemd-resolved.