
Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

Published 27/11/2025 14:13 · Modified 21/12/2025 18:08


Essential information

Tags
2025-11-27 aws azure cloud credential-theft gcp github npm shai-hulud supply-chain
Related entities
6 observables, 1 intrusion sets (apt), 20 techniques (mitre), 1 malware, 1 others

Description

The 2.0 campaign features an advanced malware variant that steals credentials and secrets from major platforms and developer services. It automates the backdooring of packages maintained by victims, enabling rapid propagation across the software supply chain. The malware targets , , and credentials, as well as tokens and authentication. It creates malicious Actions workflows for command-and-control and secret exfiltration. The campaign also leverages secret management services and implements destructive failsafes. Its sophisticated tactics allow for stealthy compromise of developer ecosystems, potentially impacting thousands of downstream users.

External references