Back to Intelligence

Mini Shai-Hulud Campaign: Detecting Typosquatted npm Supply Chain Attacks

SA
Security Arsenal Team
May 29, 2026
5 min read

The "Mini Shai-Hulud" campaign represents a significant escalation in supply chain tactics, specifically targeting the software development lifecycle. Attackers are publishing typosquatted packages to the npm registry—malicious imitations of popular libraries designed to trick developers into installing them.

Upon installation, these packages execute malicious code (often buried in postinstall scripts) that aggressively scrapes the environment for cloud provider credentials (AWS, Azure, GCP) and CI/CD secrets (GitHub Actions, Jenkins, GitLab). The objective is persistent access to infrastructure rather than a simple device compromise. Defenders must treat their development environments and build pipelines as high-value targets immediately.

Technical Analysis

Affected Platform: Node.js ecosystems (npm registry).

Attack Vector: Typosquatting and Dependency Confusion. Attackers create packages with names closely resembling legitimate, high-volume libraries (e.g., misspelled variations).

Attack Chain:

  1. Initial Access: A developer or CI/CD pipeline runs npm install with a typo or includes a malicious package as a transitive dependency.
  2. Execution: The package. of the malicious package includes a postinstall script. Npm automatically executes this script after the package is downloaded.
  3. Collection: The script enumerates environment variables (e.g., process.env) and searches local files for patterns matching API keys, tokens, and secrets.
  4. Exfiltration: The stolen data is sent to an attacker-controlled Command and Control (C2) server via HTTP/HTTPS requests or DNS tunneling.

Exploitation Status: Confirmed active exploitation in the wild, as reported by Microsoft Security Blog.

Detection & Response

The following detection logic focuses on identifying the anomalous behavior of Node.js processes spawning system utilities for exfiltration and detecting outbound network connections from npm contexts.

SIGMA Rules

YAML
---
title: Potential npm Malware Exfiltration via Node
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects Node.js processes spawning command-line utilities commonly used for data exfiltration (curl, wget) or reverse shells, which is atypical for standard package installation but common in malicious npm packages like Mini Shai-Hulud.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
author: Security Arsenal
date: 2026/05/28
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.004
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
  selection_child:
    Image|endswith:
      - '\curl.exe'
      - '\wget.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  filter_legit:
    # Filter common legitimate build tasks if necessary, though risk is high
    CommandLine|contains:
      - 'vcpkg'
      - 'cmake'
  condition: selection_parent and selection_child and not filter_legit
falsepositives:
  - Legitimate build scripts that download resources (rare during simple install)
level: high
---
title: npm Postinstall Script Outbound Network Connection
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects outbound network connections initiated by the npm CLI immediately following installation, potentially indicating data exfiltration from a malicious postinstall script.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
author: Security Arsenal
date: 2026/05/28
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    InitiatingProcessImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
    InitiatingProcessCommandLine|contains:
      - 'install'
    DestinationPort:
      - 80
      - 443
      - 53
  condition: selection
falsepositives:
  - Legitimate npm registry connections (registry.npmjs.org)
level: medium


**KQL (Microsoft Sentinel / Defender)**
KQL — Microsoft Sentinel / Defender
// Hunt for Node.js processes making network connections to non-npm registry endpoints
// immediately after installation activities
let NpmInstallProcesses = 
  DeviceProcessEvents 
  | where Timestamp > ago(7d)
  | where ProcessCommandLine contains "install" 
  | where FileName in ("npm.cmd", "node.exe", "npm")
  | project ProcessId, DeviceName, InitiatingProcessAccountName;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("node.exe", "npm.cmd", "node")
| where RemoteUrl !contains "registry.npmjs.org" 
  and RemoteUrl !contains "npmjs.org" 
  and RemoteUrl !contains "github.com" 
  and RemoteUrl !contains "visualstudio.com"
| join kind=inner NpmInstallProcesses on ProcessId
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine


**Velociraptor VQL**
VQL — Velociraptor
-- Hunt for recent npm install events and subsequent network connections
LET suspicious_processes = SELECT Pid, Name, CommandLine, Exe
FROM pslist()
WHERE Name =~ 'node'
  AND CommandLine =~ 'install'

SELECT Pid, Name, CommandLine, Exe, StartTime
FROM pslist()
WHERE Name =~ 'node' OR Name =~ 'curl' OR Name =~ 'wget'
  AND StartTime > (SELECT now() - SELECT MIN(StartTime) FROM suspicious_processes)


**Remediation Script (Bash)**
Bash / Shell
#!/bin/bash
# Audit script to identify recently modified package. files
# and verify package integrity against known locks

echo "[*] Scanning for recently modified node_modules directories..."

# Find node_modules modified in the last 24 hours
find /home /root /var/www -type d -name "node_modules" -mtime -1 2>/dev/null | while read dir; do
  echo "[!] Found recently modified node_modules: $dir"
  
  # Check parent package. for postinstall scripts
  pkg_="$(dirname "$dir")/package."
  if [ -f "$pkg_" ]; then
    if grep -q '"postinstall"' "$pkg_"; then
      echo "[!] WARNING: postinstall script found in $pkg_"
      # Output the specific script block for analysis
      grep -A 2 '"postinstall"' "$pkg_"
    fi
  fi
done

echo "[*] Verifying integrity of installed packages..."
# Run npm audit recursively if npm is available
if command -v npm &> /dev/null; then
  # This should be run in project directories, this is a global example
  echo "[*] npm audit command found. Run 'npm audit' in specific project directories."
fi

Remediation

  1. Audit and Rotate Credentials: Assume that any cloud or CI/CD credentials present in the environment during the period of compromise (May 2026 onwards) are leaked. Rotate AWS Access Keys, Azure Service Principals, and CI/CD repository secrets immediately.
  2. Package Verification: Run npm audit within all application directories to identify dependencies with known vulnerabilities or malicious content.
  3. Supply Chain Hygiene:
    • Enable npm provenance or signature verification for packages.
    • Review package-lock. or yarn.lock files to ensure no unexpected dependencies have been introduced.
    • Educate developers on typosquatting risks.
  4. Network Segmentation: Restrict outbound internet access from build agents. CI/CD runners should only be allowed to communicate with trusted artifact registries (e.g., registry.npmjs.org, internal Artifactory) and necessary API endpoints.
  5. Official Guidance: Review the Microsoft Security Blog advisory for specific Indicators of Compromise (IOCs) related to the "Mini Shai-Hulud" campaign C2 infrastructure.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchnpmsupply-chaintyposquatting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action