Mini Shai-Hulud: the supply-chain compromise campaign that steals tokens, deploys malicious payloads and reinfects your pipelines from npm


Researchers from several security firms have warned of a supply-chain compromise campaign targeting the SAP JavaScript ecosystem, distributed through legitimate npm packages published in versions that carry a malicious installer. The attack, which the actor itself calls "mini Shai-Hulud", uses an installation hook (preinstall) to download and run a Bun binary from GitHub Releases and, from there, load a JavaScript loader that installs a credential stealer and a propagation framework that runs in the developer's environment or in CI/CD pipelines.

What stands out about this campaign is not only the delivery technique but its objective and scope: it steals tokens and local and cloud secrets (GitHub, npm, GitHub Actions, AWS, Azure, GCP and Kubernetes), encrypts the stolen data with AES-256-GCM and wraps the key with RSA-4096 so that only the attacker can decrypt it, and then publishes the exfiltrated artifacts in public repositories created in the victim's account. It also incorporates self-propagation mechanisms that use stolen tokens to inject malicious workflows into repositories and publish new versions to the npm registry, closing a reinfection cycle that can exponentially expand the damage.


There is another worrying and relatively new dimension: the use of the configuration of AI coding agents and of the editor itself as persistence vectors. The malware introduces files such as ".claude/settings.json" to take advantage of Claude Code session hooks, and VS Code files with "runOn": "folderOpen", so that opening the project in these environments reruns the malicious code. This tactic turns tools that accelerate development into traps that reinfect teams and new machines that clone the repository.

The practical implications are serious: a developer can compromise not only their own machine but also CI/CD pipelines, repositories and cloud service accounts without knowing it. From there, attackers can deploy payloads, extract sensitive data, publish contaminated packages that infect third parties and maintain persistent access to corporate environments. The use of strong encryption and 4096-bit RSA keys also complicates the forensic analysis of the exfiltrated content.

To mitigate the immediate risk, it is key to act quickly and in order. First, identify and stop using compromised versions (for example, the affected versions published by researchers) and purge local installations and npm caches on workstations and CI runners. Examine repositories for unexpected commits or files, for example by checking for the presence of .claude/settings.json and .vscode/tasks.json, and review any new GitHub Actions workflows or recent modifications. Immediately revoking and rotating all exposed personal and service tokens, and rotating cloud access keys, is essential: credentials must be assumed compromised until shown to the contrary. GitHub offers practical guidance on token management and good practices that can help with containment: GitHub tokens documentation.
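The repository check described above can be scripted. The following is an added example, not code from the researchers or from any affected project: it assumes Node.js and the Claude Code hooks layout noted in the comments, the function names are illustrative, and the sample file contents are constructed.

```javascript
// Added example: flag editor/agent configs that auto-run commands on project open.
const fs = require("node:fs");
const path = require("node:path");

// tasks.json is JSONC (comments allowed): fall back to a text match if parsing fails.
function findFolderOpenTasks(text) {
  try {
    const tasks = JSON.parse(text).tasks;
    return (Array.isArray(tasks) ? tasks : [])
      .filter((t) => t?.runOptions?.runOn === "folderOpen")
      .map((t) => `${t.label || "(unlabelled)"}: ${t.command || ""}`);
  } catch {
    return /"runOn"\s*:\s*"folderOpen"/.test(text) ? ["(unparsed) runOn folderOpen"] : [];
  }
}

// Assumed hooks layout: hooks -> event name -> [{ hooks: [{ type, command }] }]
function findClaudeHooks(text) {
  let hooks;
  try { hooks = JSON.parse(text).hooks || {}; } catch { return ["(unparseable settings.json)"]; }
  const found = [];
  for (const [event, groups] of Object.entries(hooks))
    for (const group of Array.isArray(groups) ? groups : [])
      for (const h of Array.isArray(group?.hooks) ? group.hooks : [])
        if (h?.command) found.push(`${event}: ${h.command}`);
  return found;
}

// Check the two paths named in the article under a repository root.
function scanRepo(root) {
  const checks = [[".vscode/tasks.json", findFolderOpenTasks],
                  [".claude/settings.json", findClaudeHooks]];
  const findings = [];
  for (const [rel, check] of checks) {
    const file = path.join(root, rel);
    if (!fs.existsSync(file)) continue;
    for (const hit of check(fs.readFileSync(file, "utf8"))) findings.push({ file: rel, hit });
  }
  return findings;
}

// Constructed sample inputs with benign placeholder commands.
const SAMPLE_TASKS = JSON.stringify({ version: "2.0.0", tasks: [
  { label: "setup", command: "node ./tools/setup.js", runOptions: { runOn: "folderOpen" } },
  { label: "build", command: "npm run build" }] });
const SAMPLE_CLAUDE = JSON.stringify({ hooks: { SessionStart: [
  { hooks: [{ type: "command", command: "node ./tools/setup.js" }] }] } });
console.log(findFolderOpenTasks(SAMPLE_TASKS), findClaudeHooks(SAMPLE_CLAUDE));
if (process.argv[2]) console.log(scanRepo(process.argv[2]));
```

Pass a repository path as the first argument to scan a real checkout; any hit is a prompt for manual review, since both mechanisms also have legitimate uses.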

In pipelines and development policy, it is worth strengthening medium-term controls: enable secret scanning and dependency detection on the repository platform, require package signatures or use private registries with admission policies, and adopt automatic credential rotation under least-privilege principles. In addition, restricting automatic execution of installation scripts and auditing hooks such as preinstall in package.json helps reduce the attack surface that exploits default npm behaviors. To understand how npm scripts can be used as vectors, npm's own documentation is a useful resource: npm scripts.
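One way to audit install-time hooks across an installed dependency tree, as an added example that is not part of the original article or of npm's own tooling: it assumes Node.js, the function names are illustrative, and the sample manifest is constructed.

```javascript
// Added example: list installed packages that declare install-time lifecycle scripts.
const fs = require("node:fs");
const path = require("node:path");

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Inspect one package.json; returns [] when nothing runs at install time.
function installHooks(manifestText) {
  let pkg;
  try { pkg = JSON.parse(manifestText); } catch { return []; }
  const scripts = pkg?.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map((h) => ({
    name: pkg.name || "(unnamed)", version: pkg.version || "?", hook: h, command: scripts[h],
  }));
}

// Walk node_modules, descending into @scope/ directories and nested node_modules.
// Symlinked entries are skipped, which also avoids link cycles.
function auditNodeModules(nmDir, out = []) {
  if (!fs.existsSync(nmDir)) return out;
  for (const entry of fs.readdirSync(nmDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(nmDir, entry.name);
    if (entry.name.startsWith("@")) { auditNodeModules(dir, out); continue; }
    const manifest = path.join(dir, "package.json");
    if (fs.existsSync(manifest))
      for (const hit of installHooks(fs.readFileSync(manifest, "utf8"))) out.push({ dir, ...hit });
    auditNodeModules(path.join(dir, "node_modules"), out);
  }
  return out;
}

// Constructed sample manifest with a benign placeholder command.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-pkg", version: "1.2.3",
  scripts: { preinstall: "node setup.js", test: "node test.js" },
});
console.log(installHooks(SAMPLE_MANIFEST));
if (process.argv[2]) console.table(auditNodeModules(path.join(process.argv[2], "node_modules")));
```

Installing with `npm ci --ignore-scripts` keeps these hooks from running at all, so the audit can be done on a tree that was installed without executing them.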


From an operational perspective, it is recommended to rebuild runners and build environments from clean images, remove and regenerate keys and credentials, and review GitHub and cloud service logs to detect unusual activity (creation of repositories, automated pushes, new workflows with elevated permissions). Supply chain security tools such as dependency scanners, version-locking policies and repository observability solutions can detect and contain repeated malicious publishing attempts.

Finally, the incident underlines the need to understand and control not only library dependencies, but also the configurations of code agents and editors that are part of the workflow. The industry should consider technical measures that limit automatic code execution when opening projects and require explicit confirmation or sandboxes for integrations with AI assistants. For developers who want to evaluate executable components such as Bun, it is advisable to download binaries from official and verified sources (for example, the official Bun site: Bun) and verify signatures or checksums when available.

This type of campaign shows that the next generation of supply chain attacks no longer targets only popular packages, but also the shortcuts and automations that make daily work faster. The response should combine immediate containment, credential rotation, artifact cleanup and a development policy that strengthens prevention and resilience against the execution of unverified code.
