Shai-Hulud has been discovered spreading through compromised npm packages. The malware executes hidden installation scripts during dependency installs, steals developer and cloud credentials, and attempts to self-replicate by modifying and republishing packages. In some cases, it includes destructive commands designed to wipe user environments if the malware loses access to its infrastructure.
Monitoring for unexpected installation scripts, suspicious files in node_modules, unusual directories appearing in user home paths, and destructive system commands can help detect early signs of compromise.
Detection query (Microsoft Defender advanced hunting / KQL — the DeviceFileEvents and DeviceProcessEvents tables below are its endpoint telemetry):
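// Detect the JS stage scripts being written to disk.
// The page names two stages (setup_bun.js loads bun_environment.js); the
// original watched only the second, so a first-stage drop produced no row
// here. Both names are now matched (superset of the old behaviour).
// NOTE: DeviceFileEvents has no ProcessCommandLine column, so after the
// union these rows can only be classified on FileName.
let EnvFileDrop =
DeviceFileEvents
| where FileName has_any ("setup_bun.js", "bun_environment.js");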
// Detect execution of the malicious JS stage scripts by name, whichever
// runtime (node, bun, ...) launched them. `has` is case-insensitive
// whole-term matching, so a full path such as C:\...\setup_bun.js matches.
let JSStageExec =
DeviceProcessEvents
| where ProcessCommandLine has "setup_bun.js"
    or ProcessCommandLine has "bun_environment.js";
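// Detect the Bun runtime being pulled down via curl or `irm ... | iex`.
// Fix: `matches regex` is case-sensitive in KQL, so the canonical
// "Invoke-Expression" and the common "IEX" spelling were missed;
// `has_any` is case-insensitive and accepts either form (still whole-term,
// so "iex" embedded in a longer word does not match).
// CAVEAT: `curl -fsSL bun.sh/install | bash` is also how developers install
// Bun legitimately, so this arm is noisy on dev machines. Treat a hit as
// corroborating evidence and pivot on InitiatingProcessFileName /
// InitiatingProcessCommandLine (a node or npm parent running setup_bun.js
// is the suspicious shape) before escalating.
let BunInstallExec =
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "bash", "curl.exe", "curl")
and (
    (ProcessCommandLine contains "irm bun.sh/install.ps1"
        and ProcessCommandLine has_any ("iex", "invoke-expression"))
    or (ProcessCommandLine contains "curl" and ProcessCommandLine contains "bun.sh/install")
);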
// Detect TruffleHog being executed from a ".truffle-cache" path
// (presumably where the malware stages the binary — confirm against
// samples). Both conditions are required on purpose: TruffleHog run from a
// normal install location (legitimate secret hygiene) is not flagged here.
let SecretsScannerExec =
DeviceProcessEvents
| where FileName in~ ("trufflehog.exe", "trufflehog")
    and FolderPath contains ".truffle-cache";
// Detect cleanup / anti-forensic wiping of the user's home directory.
// Windows arm: cmd.exe recursively deleting, or cipher /w overwriting,
// under %USERPROFILE%. POSIX arm: shred launched from bash/sh.
// NOTE(review): the Windows arm needs the literal "%USERPROFILE%" in the
// recorded command line; if an intermediate shell already expanded it, the
// logged path is C:\Users\<name>\... and this arm misses — confirm what the
// sensor records for your samples. The shred pattern is flag-order
// sensitive ("-uvz -n 1") to stay quiet; loosen only if samples vary.
let CleanupWipeExec =
DeviceProcessEvents
| where (FileName =~ "cmd.exe"
        and ProcessCommandLine has "%USERPROFILE%"
        and ProcessCommandLine has_any ("del /F /Q /s", "cipher /w"))
    or (FileName in~ ("bash", "sh") and ProcessCommandLine has "shred -uvz -n 1");
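// Union of the behavioural signals, tagging each row with the signal that
// fired so triage can sort by category.
// Fix: rows from SecretsScannerExec matched none of the original case()
// arms (their command line carries neither the JS stage names nor the wipe
// commands) and always fell through to "Unclassified"; a TruffleHog arm is
// added. The file-drop arm also accepts setup_bun.js so a first-stage drop
// is not left unclassified.
// case() returns the first true arm, so the most specific patterns come
// first. DeviceFileEvents rows have no ProcessCommandLine (null after the
// union), so the command-line arms evaluate false for them by design.
union JSStageExec, BunInstallExec, SecretsScannerExec, CleanupWipeExec, EnvFileDrop
| extend DetectionCategory = case(
    ProcessCommandLine has_any ("setup_bun.js", "bun_environment.js"), "Initial JS Payload Execution",
    ProcessCommandLine has "bun.sh/install", "Suspicious Bun Install",
    FileName in~ ("trufflehog.exe", "trufflehog"), "Secret Scanning (TruffleHog)",
    FileName has_any ("setup_bun.js", "bun_environment.js"), "IOC File Drop",
    ProcessCommandLine has_any ("shred", "del /F", "cipher /w"), "Cleanup / Wipe Activity",
    "Unclassified"
)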
Uploads five JSON files to the victim's repository. The files are staged on disk first, so hunt for them being written locally (together with the two JS stage scripts):
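// Hunt for the stage scripts and the exfiltration staging files being
// written locally. CAVEAT: cloud.json / contents.json / environment.json
// are generic enough to be written by legitimate tooling, so
// InitiatingProcessCommandLine is projected as well — a node or bun parent
// running setup_bun.js / bun_environment.js is the corroborating signal,
// while an IDE or build tool writing them is likely benign.
DeviceFileEvents
| where FileName in~ (
    "setup_bun.js",
    "bun_environment.js",
    "cloud.json",
    "contents.json",
    "environment.json",
    "truffleSecrets.json"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc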
Spawns a detached Bun process running bun_environment.js with the POSTINSTALL_BG=1 flag set:
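// Hunt for the detached second stage: a .js script launched with the
// POSTINSTALL_BG=1 flag.
// CAVEAT: the first arm only fires if the flag is present in the recorded
// command line; if the loader passes it as an environment variable instead,
// DeviceProcessEvents will not show it. The second arm therefore also
// catches the bun runtime executing bun_environment.js directly, which is
// the behaviour described above (superset of the original query).
DeviceProcessEvents
| where (ProcessCommandLine contains ".js" and ProcessCommandLine contains "POSTINSTALL_BG=1")
    or (FileName in~ ("bun", "bun.exe") and ProcessCommandLine has "bun_environment.js")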
Reference :




