Responding to Shai-Hulud Worm 2.0: Elastic’s Latest Action Against npm Supply Chain Attacks
# Everyone Loves a Sequel, Right?
## Tracking Shai-Hulud Worm 2.0 and How Elastic Responded
---
Since **Monday, November 24th**, the software development community has faced the return of the **Shai-Hulud Worm** — now upgraded to version **2.0**. The ecosystem has shifted into **incident response mode**, with **Elastic** actively engaged.
Although **Elastic products** do not ship with **Node Package Manager (npm)**, like many companies we use npm to retrieve packages from the [npmjs.com](http://npmjs.com) registry during builds.
---
## Purpose of This Blog
In this post, we'll cover:
- The steps **Elastic** took to **monitor, detect, and mitigate** Shai-Hulud 2.0 threats in the npm ecosystem
- **Prevention and detection rules** to guard against infected packages
- **Hunt queries** that security teams can use immediately
- **Best practices and recommendations** to strengthen defenses
---
## Why Shai-Hulud 2.0 Is Dangerous
- **Scale of npm**: A vast ecosystem, making it a prime target.
- **New variant**: Dubbed *Shai-Hulud: The Second Coming* in **November 2025**, shortly after the **September 2025** attack.
- **Capabilities**:
  - **Data exfiltration** from hundreds of packages
  - Targeting popular projects such as:
    - AsyncAPI
    - Zapier
    - PostHog
    - Postman
---
## Technical Differences From the First Variant
Shai-Hulud 2.0:
1. Installs **bun** via `setup_bun.js`
2. Executes `bun_environment.js` (malicious code)
3. Performs **cross-victim exfiltration** by publishing one victim's data to repositories linked to other victims
4. Uses GitHub repository descriptions reading: **Sha1-Hulud: The Second Coming**
5. Infects up to **100 npm packages** (vs 20 in v1)
6. Wipes the user’s home directory if authentication fails with GitHub/npm credentials
---
## Elastic's Core Defensive Actions
### Monitoring Strategy
1. **Dependency scanning** via Software Composition Analysis (SCA)
2. **Threat intelligence** feeds to compare dependencies against known malicious packages
3. **Automated detection rules** for malicious injection patterns
4. **Community intelligence sharing**
### Security Enhancements
- **Trusted Publisher** for npm publishing ([docs.npmjs.com/trusted-publishers](https://docs.npmjs.com/trusted-publishers)) and revoked all long-lived tokens
- **14-day package age policy** before integrating new versions
- **Endpoint scanning** using OSQuery via Elastic Agent
- **OOTB detection rules** from Elastic Security Labs
- **Developer advisories** banning installation/updates of npm packages during investigations
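The 14-day package age policy above can be enforced mechanically in CI. The following Python script is an added example, not Elastic's tooling: it walks a `package-lock.json` (lockfileVersion 3) and compares each locked version's publish date, taken from the registry's `time` map, against the policy. The package names, lockfile and registry metadata are constructed inline so it runs offline; in practice the `time` map comes from `GET https://registry.npmjs.org/<package>`.

```python
import json
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=14)  # the 14-day policy described in the post

# Constructed registry metadata, shaped like the "time" object returned by
# GET https://registry.npmjs.org/<package>; the package names are hypothetical.
REGISTRY_TIME = {
    "example-widget": {"1.4.0": "2025-06-01T12:00:00.000Z",
                       "1.4.1": "2025-11-24T09:30:00.000Z"},  # brand-new release
    "example-utils": {"2.0.0": "2025-10-01T08:00:00.000Z"},
}

# Constructed package-lock.json (lockfileVersion 3) that pins both packages.
LOCKFILE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.0.1"},
    "node_modules/example-widget": {"version": "1.4.1"},
    "node_modules/example-widget/node_modules/example-utils": {"version": "2.0.0"}
  }
}""")

def package_age(registry_time, version, now):
    """Age of one published version as a timedelta (KeyError if unknown)."""
    published = datetime.fromisoformat(registry_time[version].replace("Z", "+00:00"))
    return now - published

def violations(lockfile, registry, now, min_age=MIN_AGE):
    """Return (name, version, age_days) for locked versions younger than min_age.
    The package name is the path segment after the last 'node_modules/'."""
    found = []
    for path, entry in lockfile["packages"].items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[1]
        age = package_age(registry[name], entry["version"], now)
        if age < min_age:
            found.append((name, entry["version"], age.days))
    return found

if __name__ == "__main__":
    now = datetime(2025, 11, 26, tzinfo=timezone.utc)  # pretend "today" for the demo
    for name, version, days in violations(LOCKFILE, REGISTRY_TIME, now):
        print(f"BLOCK {name}@{version}: published {days} day(s) ago, policy is {MIN_AGE.days}")
```

A build step that fails when `violations()` returns a non-empty list gives the policy teeth; the unresolved version is simply not adopted until it has aged.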
---
## Incident Summary: What Happened in Elastic CI Pipeline
- Partner **Entro** found Shai-Hulud 2.0 malware executed in an Elastic GitOps CI pipeline for **Elastic Cloud**
- **No impact** to Elastic Cloud systems or customers
- Root cause: **Transitive dependency**
- Swift containment and remediation actions prevented exploitation
---
### Remediation Steps
- Removed compromised dependencies from all repositories
- Audited CI pipelines/manual processes
- Identified affected CI runs/users
- Reviewed secrets exposure
- Rotated all non-ephemeral secrets immediately
---
### Contents in Exposed GitHub Repo
- **cloud.json** – empty
- **contents.json** – CI runner info, unrelated GitHub user/token
- **truffleSecrets.json** – false-positive results
- **environment.json** – CI runner environment variables & build secrets (revoked immediately)
---
### Findings
- No evidence of unauthorized access/use of Elastic secrets
- No propagation into Elastic npm packages
---
## Indicators of Compromise: Hunt Queries
```
// IOC for GitHub Self-Hosted Actions runner name
process.name:Runner.Listener and process.command_line:SHA1HULUD

// IOC - node/bun executing bun_environment.js
process.name:(node or bun) and process.args:*bun_environment.js

// Credentials discovery using trufflehog via node/bun
process.name:("trufflehog" or "trufflehog.exe") and process.args:"filesystem" and process.args:"--json"
and (process.parent.name:(node or bun or node.exe or bun.exe) or process.working_directory:node_modules)

// curl downloading GH Actions runner
process.name:(curl or curl.exe or powershell.exe or wget or wget.exe)
and process.command_line:github.com/actions/runner/releases/download

// Docker escape via host file system mount + bash tampering
process.name:docker and process.args:("--privileged" and run) and process.args:"-v" and process.args:/\:/*
and process.args:(bash or sh or cp)
```
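The hunt queries above are KQL. To make concrete what each one matches, here is an added Python example (not Elastic's code) that expresses every query as a predicate over ECS-style process events and runs them against a constructed sample set. The field names follow the queries; the sample events, the benign control event, and the reading of `process.args:/\:/*` as an argument beginning with `/:/` are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed ECS-style process events (flattened field names as used in the
# KQL hunt queries above); every value here is made up for the demonstration.
EVENTS = [
    {"process.name": "Runner.Listener",
     "process.command_line": "Runner.Listener run --name SHA1HULUD"},
    {"process.name": "bun",
     "process.args": ["bun", "/home/runner/work/app/node_modules/x/bun_environment.js"]},
    {"process.name": "trufflehog", "process.parent.name": "node",
     "process.args": ["trufflehog", "filesystem", "/home/runner", "--json"]},
    {"process.name": "curl", "process.command_line":
     "curl -L https://github.com/actions/runner/releases/download/v0.0.0/runner.tar.gz"},
    {"process.name": "docker",
     "process.args": ["docker", "run", "--privileged", "-v", "/:/host", "ubuntu", "bash"]},
    {"process.name": "node", "process.args": ["node", "scripts/build.js"]},  # benign control
]

def name_in(ev, names):
    return ev.get("process.name") in names

def cmdline_has(ev, needle):
    return needle in ev.get("process.command_line", "")

def args_has(ev, pattern):
    """KQL-style wildcard match against any element of process.args."""
    return any(fnmatchcase(a, pattern) for a in ev.get("process.args", []))

# One predicate per hunt query, in the same order as the queries above.
HUNTS = {
    "runner_name_ioc": lambda ev: name_in(ev, {"Runner.Listener"})
        and cmdline_has(ev, "SHA1HULUD"),
    "bun_environment_js": lambda ev: name_in(ev, {"node", "bun"})
        and args_has(ev, "*bun_environment.js"),
    "trufflehog_via_node": lambda ev: name_in(ev, {"trufflehog", "trufflehog.exe"})
        and args_has(ev, "filesystem") and args_has(ev, "--json")
        and (ev.get("process.parent.name") in {"node", "bun", "node.exe", "bun.exe"}
             or "node_modules" in ev.get("process.working_directory", "")),
    "runner_download": lambda ev:
        name_in(ev, {"curl", "curl.exe", "powershell.exe", "wget", "wget.exe"})
        and cmdline_has(ev, "github.com/actions/runner/releases/download"),
    # "/\:/*" in the query is read as an argument beginning with "/:/" (host root mount)
    "docker_root_mount": lambda ev: name_in(ev, {"docker"})
        and args_has(ev, "--privileged") and args_has(ev, "run") and args_has(ev, "-v")
        and args_has(ev, "/:/*") and any(args_has(ev, s) for s in ("bash", "sh", "cp")),
}

def hunt(events):
    """Return (event_index, hunt_name) for every event that matches a predicate."""
    return [(i, n) for i, ev in enumerate(events) for n, p in HUNTS.items() if p(ev)]
```

Running `hunt(EVENTS)` flags the first five events, one per query, and leaves the benign `node scripts/build.js` event alone; the same predicates can be pointed at exported Elastic process events to sanity-check a rule before it goes live.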
---
**Example matches:** early identification of these IOCs can limit exposure and contain risk.
---
## Relevant OOTB Detection & Prevention Rules for Shai-Hulud Worm 2.0
- [Unusual Network Connection to Suspicious Web Service](https://github.com/elastic/detection-rules/blob/8f79d58f3f308fa4e387e67880172ff6706f2a52/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml) *(Detection Engine)*
- [Connection to Commonly Abused Web Services](https://github.com/elastic/detection-rules/blob/8f79d58f3f308fa4e387e67880172ff6706f2a52/rules/windows/command_and_control_common_webservices.toml) *(Detection Engine)*
- [Potential Discovery of DPAPI Master Keys](https://github.com/elastic/protections-artifacts/blob/ee0669e56858c4734a2f074771aa5ba44eb43086/behavior/rules/windows/credential_access_potential_discovery_of_dpapi_master_keys.toml) *(Elastic Defend)*
- [Potential Discovery of Windows Credential Manager Store](https://github.com/elastic/protections-artifacts/blob/ee0669e56858c4734a2f074771aa5ba44eb43086/behavior/rules/windows/credential_access_potential_discovery_of_windows_credential_manager_store.toml) *(Elastic Defend)*
- [Web Browser Credential Access via Unsigned Process](https://github.com/elastic/protections-artifacts/blob/ee0669e56858c4734a2f074771aa5ba44eb43086/behavior/rules/windows/credential_access_web_browser_credential_access_via_unsigned_process.toml) *(Elastic Defend)*
- [Potential Browser Information Discovery](https://github.com/elastic/protections-artifacts/blob/ee0669e56858c4734a2f074771aa5ba44eb43086/behavior/rules/windows/discovery_potential_browser_information_discovery.toml) *(Elastic Defend)*
- [Web Browser Credential Data Accessed by Untrusted Process](https://github.com/elastic/protections-artifacts/blob/ee0669e56858c4734a2f074771aa5ba44eb43086/behavior/rules/macos/credential_access_web_browser_credential_data_accessed_by_unsigned_or_untrusted_process.toml) *(Elastic Defend)*
- [Curl/Wget Spawned via Node.js](https://github.com/elastic/detection-rules/blob/20d86c8b474a3be0c04562e111191cf4c0b92d48/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml#L18) *(Detection Engine)*
- [Credential Access via TruffleHog Execution](https://github.com/elastic/detection-rules/blob/20d86c8b474a3be0c04562e111191cf4c0b92d48/rules/cross-platform/credential_access_trufflehog_execution.toml#L25) *(Detection Engine)*
---
## Key Takeaways
- **Continuous monitoring** and **rapid response** are non-negotiable for modern CI/CD security.
- **Supply chain attacks** like Shai-Hulud highlight the critical need for dependency trust verification.
- **Transparency** in handling incidents strengthens community trust.
---
*Feature releases and timelines remain at Elastic’s sole discretion and may change or be cancelled at any time.*
We will update this post with new findings.
For more on Elastic security solutions, visit our security solutions page.