Shai-Hulud Supply Chain Attack Incident Response

SafeDep Team

• Sep 22, 2025 • 2 min read

The Shai-Hulud supply chain attack is a significant security incident that has caught the attention of the developer community. This attack involves the use of malicious packages in the npm ecosystem to compromise developer systems and steal sensitive information. In this post, we will outline the incident response steps that can be taken to contain and mitigate the impact of this attack.

For a detailed analysis of the attack and its implications, read more at SafeDep blog.

TL;DR

Clone the repository github.com/safedep/shai-hulud-migration-response

1
git clone https://github.com/safedep/shai-hulud-migration-response.git && \
2
cd shai-hulud-migration-response

Run the script to scan your filesystem for all open source packages using vet

1
./scripts/pv-scan.sh

Run the query script to check for known malicious package versions

1
./scripts/pv-query.sh

Run the following script to check for known malicious Javascript files by SHA256 hash

1
./scripts/pv-payload-hash-scan.sh

Incident Response Steps

If you believe you are affected by this attack, follow the steps below:

Scan your systems for indicators of compromise (IoCs) listed below
Rotate credentials available in compromised systems
Setup guardrails to prevent further compromise

Indicators of Compromise (IOCs)

SafeDep found following types of IOCs during the incident:

Malicious packages, maintained here
Malicious Javascript file checksums (SHA256), maintained here

These are the primary IOCs that are included in the scanning scripts. Following are additional IOCs observed during the incident:

Credential collection URL: hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
/tmp/data.json used to collect credentials using TruffleHog
/tmp/processor.sh for collecting credentials
/tmp/migrate-repos.sh for stealing private source code through GitHub

Rotate Credentials

The malicious payload delivered through the attack compromised credentials available in the infected systems. Rotate all known credentials, particularly the following:

Npm credentials available in $HOME/.npmrc or $NPM_TOKEN environment variable
GitHub credentials of developers using affected systems
AWS credentials available in $HOME/.aws/credentials or $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY environment variables
AWS credentials available in AWS Secrets Manager that were accessible from affected systems
Google Cloud credentials and credentials stored in Google Cloud Secret Manager that were accessible from affected systems
SSH private keys, especially if they were passwordless

The malicious payload also used TruffleHog to extract secrets from source code repositories available in the infected system. Consider running TruffleHog and rotating any secrets found in infected systems.

Setup Guardrails

Install SafeDep vet or similar tools to scan open source packages for malicious code before merging pull requests or deploying code.
Install SafeDep pmg or similar tools to prevent installation of malicious packages in developer machines.
Consider migrating to pnpm version 10+ that disables npm lifecycle scripts by default