{
	"id": "89271251-9a78-4919-a1fd-27b870df1b0f",
	"created_at": "2026-04-29T02:22:03.508334Z",
	"updated_at": "2026-04-29T08:21:16.870677Z",
	"deleted_at": null,
	"sha1_hash": "7372f5a23c62fa9d747eb2e586de6e67572bb064",
	"title": "Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1610613,
	"plain_text": "Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2025-12-09 · Archived: 2026-04-29 02:07:26 UTC\r\n\r\nThe Shai-Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently. Attackers maliciously modified hundreds of publicly available packages, targeting developer environments, continuous integration and continuous delivery (CI/CD) pipelines, and cloud-connected workloads to harvest credentials and configuration secrets.\r\n\r\nThe Shai-Hulud 2.0 campaign builds on earlier supply chain compromises but introduces more automation, faster propagation, and a broader target set:\r\n- Malicious code executes during the preinstall phase of infected npm packages, allowing execution before tests or security checks.\r\n- Attackers have compromised maintainer accounts from widely used projects (for example, Zapier, PostHog, Postman).\r\n- Stolen credentials are exfiltrated to public attacker-controlled repositories, which could lead to further compromise.\r\n\r\nThis campaign illustrates the risks inherent to modern supply chains:\r\n- Traditional network defenses are insufficient against attacks embedded in trusted package workflows.\r\n- Compromised credentials enable attackers to escalate privileges and move laterally across cloud workloads.\r\n\r\nIn defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime. This defense-in-depth approach is especially valuable when facing supply chain-driven attacks that might introduce malicious dependencies that evade traditional vulnerability assessment tools. 
In these scenarios, the ability to correlate telemetry across data planes, such as endpoint or container behavior and runtime anomalies, becomes essential. Leveraging these insights enables security teams to rapidly identify compromised devices, flag suspicious packages, and contain the threat before it propagates further.\r\n\r\nThis blog provides a high-level overview of Shai-Hulud 2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.\r\n\r\nAnalyzing the Shai-Hulud 2.0 attack\r\nhttps://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/\r\nPage 1 of 11\n\nMultiple npm packages were compromised when threat actors added a preinstall script named setup_bun.js to the package.json of the affected packages. The setup_bun.js script checked the environment for an existing Bun runtime binary; if none was found, the script installed it. Bun can be used in the same way Node.js is used.\r\nThe Bun runtime executed the bundled malicious script bun_environment.js. This script downloaded and installed a GitHub Actions Runner archive. It then configured a new GitHub repository and a runner agent called SHA1Hulud. Additional files were extracted from the archive, including the TruffleHog and Runner.Listener executables. TruffleHog was used to query the system for stored credentials and retrieve stored cloud credentials.\r\n\r\nFigure 1. Shai-Hulud 2.0 attack chain\r\n\r\nMicrosoft Defender for Containers promptly notified our customers when the campaign began through the alert Suspicious usage of the shred command on hidden files detected. This alert identified the data destruction activity carried out as part of the campaign. 
Additionally, we introduced a dedicated alert to identify this campaign as Sha1-Hulud Campaign Detected – Possible command injection to exfiltrate credentials.\r\n\r\nIn some cases, commits to the newly created repositories were under the name “Linus Torvalds”, the creator of the Linux kernel and the original author of Git. The use of fake personas highlights the importance of commit signature verification, which adds a simple and reliable check to confirm who actually created a commit and reduces the chance of impersonation.\r\n\r\nFigure 2. Malicious commit authored by user impersonating Linus Torvalds\r\n\r\nMitigation and protection guidance\r\nMicrosoft Defender recommends the following guidance for customers to improve their environments’ security posture against Shai-Hulud:\r\n- Review the Key Vault assets on the critical asset management page and investigate any relevant logs for unauthorized access.\r\n- Rapidly rotate and revoke exposed credentials.\r\n- Isolate affected CI/CD agents or workspaces.\r\n- Prioritize high-risk attack paths to reduce further exposure.\r\n- Remove unnecessary roles and permissions granted to identities assigned to CI/CD pipelines; specifically review access to key vaults.\r\n\r\nFor Defender for Cloud customers, read the following recommendation:\r\nAs previously indicated, the attack was initiated during the preinstall phase of compromised npm packages. Consequently, cloud compute workloads that rely on these affected packages present a lower risk compared to those involved in the build phase. Nevertheless, it is advisable to refrain from using such packages within cloud workloads. Defender for Cloud conducts thorough scans of workloads and prompts users to upgrade or replace any compromised packages if vulnerable versions are detected. 
Additionally, it references the code repository from which the image was generated to facilitate effective investigation.\r\nTo receive code repository mapping, make sure to connect your DevOps environments to Defender for Cloud. Refer to the following documentation for guidance on:\r\n- Connecting Azure DevOps to Defender for Cloud\r\n- Connecting GitHub environment to Defender for Cloud\r\n- Connecting GitLab environment to Defender for Cloud\r\n- Deploying Defender CLI for container image scan\r\n\r\nFigure 3. Defender for Cloud Recommendations page\r\n\r\nFor npm maintainers:\r\n- Use npm trusted publishing instead of tokens. Strengthen publishing settings on accounts, organizations, and packages to require two-factor authentication (2FA) for any writes and publishing actions.\r\n- When configuring two-factor authentication, use WebAuthn instead of a time-based, one-time password (TOTP).\r\n\r\nTo combat this evolving threat, we are also introducing new functionality in Microsoft Defender for Cloud that identifies Shai-Hulud 2.0 packages by leveraging agentless code scanning. This capability works by creating a Software Bill of Materials (SBOM) in the background and performing a lookup to identify if any package in the filesystem or source code repository is a malicious package that could be a component of the Shai-Hulud attack. By decoupling security analysis from runtime execution, this approach ensures that deep dependency threats are detected without impacting the performance of workloads or pipelines.\r\nIf malicious packages are found, recommendations in Microsoft Defender for Cloud provide immediate visibility into compromised assets as shown below. 
This ensures that security teams can act quickly to freeze dependencies and rotate credentials before further propagation occurs.\r\nThe next recommended step for customers is to start scanning repositories and protecting supply chains. Learn how to set up connectors.\r\n\r\nFigure 4. Recommendations resulting from agentless code scanning\r\n\r\n- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\r\n- Turn on attack surface reduction rules, particularly on blocking executable files from running unless they meet a prevalence, age, or trusted list criterion and blocking execution of potentially obfuscated scripts.\r\n\r\nFor more information on GitHub’s plans for securing the npm supply chain and what actions npm maintainers can take today, Defender also recommends checking the GitHub plan for a more secure npm supply chain.\r\n\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\n\r\nTactic | Observed activity | Microsoft Defender coverage\r\nExecution | Suspicious behavior surrounding node execution | Microsoft Defender for Endpoint: Suspicious Node.js process behavior; Microsoft Defender Antivirus: Trojan:JS/ShaiWorm\r\nExecution | Registration of impacted containers as self-hosted GitHub runners and using them to gather credentials | Microsoft Defender for Containers: Sha1-Hulud Campaign Detected: Possible command injection to exfiltrate credentials; Microsoft Defender for Endpoint: Suspicious process launched\r\nImpact | Data destruction activity | Microsoft Defender for Containers: Suspicious usage of the shred command on hidden files detected\r\n\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:\r\n- Incident investigation\r\n- Microsoft User analysis\r\n- Threat actor profile\r\n- Threat Intelligence 360 report based on MDTI article\r\n- Vulnerability impact assessment\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.\r\n\r\nThreat intelligence reports\r\nMicrosoft Defender XDR customers can use the following threat 
analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\r\nMicrosoft Defender XDR threat analytics:\r\n- Activity Profile: From vulnerable workflows to self-replicating malware: Technical analysis of npm supply chain security incidents\r\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.\r\n\r\nAttack path analysis\r\nAttack path analysis shows paths from exposed entry points to targets. Security teams can use attack path analysis to surface cross-domain exposure risks, for example how an attacker could move from externally reachable resources to sensitive systems to escalate privileges and maintain persistence. While supply chain attacks like those used by Shai-Hulud 2.0 can originate without direct exposure, customers can leverage advanced hunting to query the Exposure Graph for these broader relationships.\r\nFor example, once a virtual or physical machine is determined to be compromised, key vaults that are directly accessible using credentials obtained from the compromised system can also be identified. The relevant access paths can be extracted using queries, as detailed in the hunting section below. 
Any key vault found along these paths should be investigated according to the mitigation guide.\r\n\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks:\r\n\r\nAttempts of malicious JS execution through node\r\nDeviceProcessEvents\r\n| where FileName has \"node\" and ProcessCommandLine has_any (\"setup_bun.js\", \"bun_environment.js\")\r\n\r\nSuspicious process launched by malicious JavaScript\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName in~ (\"node\", \"node.exe\") and InitiatingProcessCommandLine endswith \".js\"\r\n| where (FileName in~ (\"bun\", \"bun.exe\") and ProcessCommandLine has \".js\")\r\n    or (FileName in~ (\"cmd.exe\") and ProcessCommandLine has_any (\"where bun\", \"irm \", \"[Environment]::GetEnvironmentVariable('PATH'\", \"|iex\"))\r\n    or (FileName in~ (\"sh\", \"dash\", \"bash\") and ProcessCommandLine has_any (\"which bun\", \".bashrc \u0026\u0026 echo $PATH\", \"https://bun.sh/install\"))\r\n// Exclude node invocations whose own script path mentions bun, contains a backslash, or passes flags.\r\n// The exclusion is applied to the initiating command line: the child command lines matched above contain \"bun\" by design.\r\n| where InitiatingProcessCommandLine !contains \"bun\" and InitiatingProcessCommandLine !contains \"\\\\\" and InitiatingProcessCommandLine !contains \"--\"\r\n\r\nGitHub exfiltration\r\nDeviceProcessEvents\r\n| where FileName has_any (\"bash\", \"Runner.Listener\", \"cmd.exe\")\r\n// Exclude scanner and write-up tooling that legitimately references the runner name\r\n| where ProcessCommandLine has 'SHA1HULUD' and not (ProcessCommandLine has_any ('malicious', 'grep', 'egrep', \"checknpm\", \"sha1hulud-checker-ado\", \"sha1hulud-checker-github\", \"sha1hulud-checker\", \"sha1hulud-scanner\", \"go-detector\", \"SHA1HULUD_IMMEDIATE_ACTIONS.md\", \"SHA1HULUD_COMPREHENSIVE_REPORT.md\", \"reddit.com\", \"sha1hulud-scan.sh\"))\r\n\r\nPaths from compromised machines and repositories to cloud key management services\r\n// Source (repository or machine) -> secret it contains\r\nlet T_src2Key = ExposureGraphEdges\r\n| where EdgeLabel == 'contains'\r\n| where SourceNodeCategories has_any ('code_repository', 'virtual_machine', 'physical_device')\r\n| where TargetNodeCategories has 'secret'\r\n| project SourceNodeId, SourceNodeLabel, SourceNodeName, keyNodeId=TargetNodeId, keyNodeLabel=TargetNodeLabel;\r\n// Key -> identity it can authenticate as\r\nlet T_key2identity = ExposureGraphEdges\r\n| where EdgeLabel == 'can authenticate as'\r\n| where SourceNodeCategories has 'key'\r\n| where TargetNodeCategories has 'identity'\r\n| project keyNodeId=SourceNodeId, identityNodeId=TargetNodeId;\r\n// Identity -> key management service it has permissions to, chained back to the source\r\nExposureGraphEdges\r\n| where EdgeLabel == 'has permissions to'\r\n| where SourceNodeCategories has 'identity'\r\n| where TargetNodeCategories has \"keys_management_service\"\r\n| join hint.strategy=shuffle kind=inner (T_key2identity) on $left.SourceNodeId==$right.identityNodeId\r\n| join hint.strategy=shuffle kind=inner (T_src2Key) on keyNodeId\r\n| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, srcEntityId=EntityIds) on $left.SourceNodeId1==$right.NodeId\r\n| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, identityEntityId=EntityIds) on $left.identityNodeId==$right.NodeId\r\n| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, kmsEntityId=EntityIds) on $left.TargetNodeId==$right.NodeId\r\n| project srcLabel=SourceNodeLabel1, srcName=SourceNodeName1, srcEntityId, keyNodeLabel, identityLabel=SourceNodeLabel, identityName=SourceNodeName, identityEntityId, kmsLabel=TargetNodeLabel, kmsName=TargetNodeName, kmsEntityId\r\n| extend Path = strcat(srcLabel, ' contains ', keyNodeLabel, ' can authenticate as ', identityLabel, ' has permissions to ', kmsLabel)\r\n\r\nSetup of the GitHub runner with the malicious repository and downloads of the malicious bun.sh script that facilitates this\r\nCloudProcessEvents\r\n| where (ProcessCommandLine has \"--name SHA1HULUD\")\r\n    or (ParentProcessName == \"node\" and (ProcessName == \"bash\" or ProcessName == \"dash\" or ProcessName == \"sh\") and ProcessCommandLine has \"curl -fsSL https://bun.sh/install | bash\")\r\n| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName\r\n\r\nCredential collection using TruffleHog and Azure CLI\r\nCloudProcessEvents\r\n| where (ParentProcessName == \"bun\" and ProcessName in (\"bash\", \"dash\", \"sh\") and ProcessCommandLine has_any (\"az account get-access-token\", \"azd auth token\"))\r\n    or (ParentProcessName == \"bun\" and ProcessName == \"tar\" and ProcessCommandLine has_any (\"trufflehog\", \"truffler-cache\"))\r\n| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName\r\n\r\nCloud security explorer\r\nMicrosoft Defender for Cloud customers can also use cloud security explorer to surface possibly compromised software packages. The following screenshot represents a query that searches for a virtual machine or repository allowing lateral movement to a key vault. View the query builder.\r\n\r\nFigure 5. 
Cloud security explorer query\r\n\r\nThe security explorer templates library has been expanded with two additional queries that retrieve all container images with compromised software packages and all the running containers with these images.\r\nAnother means for security teams to proactively identify the scope of this threat is by leveraging the Cloud Security Explorer to query the granular Software Bill of Materials (SBOM) generated by agentless scanners. This capability allows you to execute dynamic, graph-based queries across your entire multi-cloud estate—including virtual machines, containers, and code repositories—to pinpoint specific software components and their versions without the need for agent deployment.\r\nFor the Shai-Hulud 2.0 campaign, you can use the Cloud Security Explorer to map your software inventory directly to the list of known malicious packages. By running targeted queries that search for the specific compromised package names identified in our threat intelligence, you can instantly visualize the blast radius of the attack within your environment. This enables you to locate every asset containing a malicious dependency and prioritize remediation efforts effectively.\r\n\r\nFigure 6. Cloud Security Explorer query\r\n\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
\r\nIndicators of compromise\r\nIndicator | Type | Description | First seen | Last seen\r\nsetup_bun.js | File name | Malicious script that installs the Bun runtime | November 24, 2025 | December 1, 2025\r\nbun_environment.js | File name | Script that facilitates credential gathering and exfiltration | November 24, 2025 | December 1, 2025\r\n\r\nReferences\r\nhttps://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains\r\n\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"
	],
	"report_names": [
		"shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-29T06:58:57.977922Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429323,
	"ts_updated_at": 1777450876,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7372f5a23c62fa9d747eb2e586de6e67572bb064.pdf",
		"text": "https://archive.orkl.eu/7372f5a23c62fa9d747eb2e586de6e67572bb064.txt",
		"img": "https://archive.orkl.eu/7372f5a23c62fa9d747eb2e586de6e67572bb064.jpg"
	}
}