
@MHaggis MHaggis commented Nov 25, 2025

Overview

This PR introduces comprehensive detection coverage for npm supply chain compromises, addressing both the immediate threat of the Shai-Hulud worm campaigns and the broader category of npm lifecycle hook abuse that has plagued the JavaScript ecosystem for years.

npm's lifecycle hooks (preinstall, install, postinstall, prepare) execute arbitrary code during package installation—a powerful feature that attackers have repeatedly weaponized. From the event-stream incident (2018) to ua-parser-js (2021) to the current Shai-Hulud campaigns (2025), the pattern remains consistent: compromise a maintainer account, inject malicious lifecycle scripts, and harvest credentials at scale.

The Shai-Hulud 2.0 campaign (November 2025) represents the most sophisticated npm supply chain attack to date, compromising 700+ npm packages including major projects from Zapier, ENS Domains, PostHog, and Postman, affecting 25,000+ repositories across ~500 GitHub users with propagation rates of ~1,000 new repos every 30 minutes.


Why Lifecycle Hooks Matter

npm lifecycle hooks are the primary attack vector for supply chain compromises:

| Hook | When It Runs | Risk |
|---|---|---|
| preinstall | Before package installation | Highest - Executes before dependencies resolve |
| install | During installation | High - Can modify installed files |
| postinstall | After installation completes | High - Common for build scripts, also for malware |
| prepare | Before package is packed/published | Medium - Can inject code into published artifacts |

These hooks run with the privileges of the installing user, often in CI/CD pipelines with access to secrets, cloud credentials, and deployment tokens. The analytics in this PR detect the downstream behaviors of malicious lifecycle scripts rather than the scripts themselves—providing detection regardless of which specific package is compromised.


Threat Intelligence Summary

Shai-Hulud 1.0 (September 2025):

Shai-Hulud 2.0 (November 2025):

  • Shifted to preinstall execution for broader blast radius (executes before install completes)
  • New payload files: setup_bun.js, bun_environment.js
  • Exfiltration artifacts: cloud.json, contents.json, environment.json, truffleSecrets.json, actionsSecrets.json
  • Backdoor workflow discussion.yaml enabling remote command injection via GitHub Discussions on self-hosted runners named SHA1HULUD
  • Cross-victim exfiltration: Stolen secrets published to unrelated victim repositories
  • Multi-cloud targeting: AWS, Azure, GCP credential harvesting from config files, environment variables, and IMDS
  • 700+ packages, 25,000+ repos, ~500 GitHub users affected
  • References:

Historical Context - This PR's analytics also detect patterns from past npm incidents:

  • event-stream (2018): Malicious postinstall targeting Bitcoin wallets
  • ua-parser-js (2021): Cryptominer/credential stealer via compromised maintainer
  • node-ipc (2022): Protestware with destructive payloads
  • Ongoing typosquatting campaigns: Malicious packages mimicking popular libraries

New Analytics (3 Total)

🔴 Production Detections (TTP)

| Detection | Platform | Description |
|---|---|---|
| shai_hulud_workflow_file_creation_or_modification.yml | Linux / Windows | Detects the creation or modification of Shai-Hulud workflow files |
| shai_hulud_2_exfiltration_artifact_files.yml | Linux / Windows | Detects creation of 2.0 exfil artifacts: cloud.json, contents.json, environment.json, truffleSecrets.json, actionsSecrets.json |

🟡 Hunting Queries

| Detection | Platform | Description |
|---|---|---|
| github_workflow_file_creation_or_modification.yml | Linux / Windows | Hunt for ANY workflow YAML modifications under .github/workflows/ or \\.github\\workflows\\ |

Tagged Existing Analytics (16 Total)

These existing detections provide coverage for behaviors observed in lifecycle hook abuse and Shai-Hulud campaigns:

Curl/Wget Exfiltration & Download (Linux)

| Detection | Coverage |
|---|---|
| linux_ingress_tool_transfer_with_curl.yml | Curl downloading payloads during install |
| linux_ingress_tool_transfer_hunting.yml | Hunt for curl/wget activity |
| linux_curl_upload_file.yml | Curl uploading data (credential exfiltration) |

Windows Network Tools

| Detection | Coverage |
|---|---|
| windows_curl_download_to_suspicious_path.yml | Curl downloading to suspicious locations |
| windows_curl_upload_to_remote_destination.yml | Curl exfiltration |
| windows_file_download_via_powershell.yml | PowerShell download methods (DownloadString, Invoke-WebRequest) |

GitHub Audit Log Detections

| Detection | Coverage |
|---|---|
| github_enterprise_register_self_hosted_runner.yml | Shai-Hulud 2.0 registers runners named SHA1HULUD |
| github_enterprise_repository_deleted.yml | Repo deletion (cleanup/covering tracks) |
| github_enterprise_repository_archived.yml | Repo archival |
| github_organizations_repository_deleted.yml | Org-level repo deletion |
| github_organizations_repository_archived.yml | Org-level repo archival |
| github_enterprise_delete_branch_ruleset.yml | Branch protection bypass |
| github_organizations_delete_branch_ruleset.yml | Org-level branch protection bypass |
| github_enterprise_disable_audit_log_event_stream.yml | Audit log tampering |
| github_enterprise_modify_audit_log_event_stream.yml | Audit log tampering |
| github_enterprise_pause_audit_log_event_stream.yml | Audit log tampering |

Lookup Updates

| File | Change |
|---|---|
| attacker_tools.csv | Added trufflehog and trufflehog.exe - used by Shai-Hulud for secret scanning |

Kill Chain Coverage

┌─────────────────────────────────────────────────────────────────────────────┐
│              npm Lifecycle Hook Attack Chain (Generic + Shai-Hulud)         │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  1. INITIAL ACCESS (T1195.002)                                              │
│     └─ Compromised/malicious npm package installed                          │
│        └─ [Existing] attacker_tools_on_endpoint (trufflehog)               │
│                                                                             │
│  2. EXECUTION (T1059)                                                       │
│     └─ preinstall/postinstall lifecycle hook executes                       │
│        └─ [Existing] curl_download_and_bash_execution                      │
│        └─ [Existing] wget_download_and_bash_execution                      │
│        └─ [Existing] windows_file_download_via_powershell                  │
│                                                                             │
│  3. PERSISTENCE (T1574.006, T1554)                                          │
│     └─ Malicious workflow injection                                         │
│        └─ [NEW] linux/windows_shai_hulud_workflow_file_modification        │
│        └─ [NEW] linux/windows_suspicious_github_workflow_file_modification │
│     └─ Self-hosted runner backdoor (Shai-Hulud 2.0)                         │
│        └─ [Existing] github_enterprise_register_self_hosted_runner         │
│                                                                             │
│  4. CREDENTIAL ACCESS (T1552.001)                                           │
│     └─ Cloud credential harvesting (AWS/Azure/GCP)                          │
│        └─ [NEW] linux/windows_shai_hulud_2_exfiltration_artifact_files     │
│                                                                             │
│  5. EXFILTRATION (T1041)                                                    │
│     └─ Secrets pushed to attacker repos / C2                                │
│        └─ [Existing] linux_curl_upload_file                                │
│        └─ [Existing] windows_curl_upload_to_remote_destination             │
│                                                                             │
│  6. DEFENSE EVASION (T1562)                                                 │
│     └─ Audit log tampering / branch protection bypass                       │
│        └─ [Existing] github_enterprise_*_audit_log_event_stream            │
│        └─ [Existing] github_*_delete_branch_ruleset                        │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

Testing & Emulation

For defenders wanting to validate these detections in their environment:

| Tool | Description |
|---|---|
| NPM-Threat-Emulation | Atomic test scenarios for npm supply chain attack behaviors including postinstall script execution, workflow injection, and credential harvesting patterns. Includes scenarios for Shai-Hulud-style attacks. |
| Package-Inferno | Broader package manager threat emulation framework covering npm, pip, and other ecosystems. Useful for testing lifecycle hook detection across multiple package managers. |

Data Sources Required

| Source | Events | Coverage |
|---|---|---|
| Sysmon for Linux | EventID 11 (FileCreate) | Workflow/artifact file creation |
| Windows Sysmon | EventID 11 (FileCreate) | Workflow/artifact file creation |
| GitHub Audit Logs | self_hosted_runner.*, repo.*, protected_branch.* | GitHub-side detection |

MITRE ATT&CK Coverage

| Technique | Name | New Analytics |
|---|---|---|
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | All new analytics |
| T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | Workflow modifications |
| T1554 | Compromise Client Software Binary | Workflow modifications |
| T1552.001 | Unsecured Credentials: Credentials In Files | Exfiltration artifacts |
| T1074.001 | Data Staged: Local Data Staging | Exfiltration artifacts |

References

Shai-Hulud Campaign

Community Detection Rules

Historical npm Incidents


Validation

✅ contentctl validate - PASSED (0 errors)

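The two production detections and the hunting query above all key on Sysmon EventID 11 file creation; as an added example (not the PR's own SPL, which is in the YAML files it adds), the classifier below applies that logic to constructed Sysmon records. Matching the Shai-Hulud workflow detection on the file name discussion.yaml, and the function names, are this example's assumptions.

```javascript
// Added example, not the PR's own SPL: the file-creation logic of the PR's two
// production detections and its hunting query, run over constructed Sysmon EventID 11
// records. Matching the Shai-Hulud workflow on the name discussion.yaml is an assumption.

// Exfiltration artifact names listed in the PR, compared case-insensitively.
const EXFIL_ARTIFACTS = new Set(
  ["cloud.json", "contents.json", "environment.json", "truffleSecrets.json", "actionsSecrets.json"].map((n) => n.toLowerCase())
);
const SHAI_HULUD_WORKFLOW = "discussion.yaml";
// Any YAML file under .github/workflows, with either / or \ separators.
const WORKFLOW_DIR_RE = /[\\/]\.github[\\/]workflows[\\/][^\\/]+\.ya?ml$/i;

// Classify one Sysmon event: the matching rule name and tier, or null.
function classifyFileCreate(ev) {
  if (ev.EventID !== 11 || typeof ev.TargetFilename !== "string") return null;
  const file = ev.TargetFilename.split(/[\\/]/).pop().toLowerCase();
  const inWorkflows = WORKFLOW_DIR_RE.test(ev.TargetFilename);
  if (inWorkflows && file === SHAI_HULUD_WORKFLOW) {
    return { rule: "shai_hulud_workflow_file_creation_or_modification", tier: "TTP" };
  }
  if (EXFIL_ARTIFACTS.has(file)) {
    // Generic names such as environment.json also occur in benign writes; in production,
    // correlate with the writing process (Image) before alerting.
    return { rule: "shai_hulud_2_exfiltration_artifact_files", tier: "TTP" };
  }
  if (inWorkflows) return { rule: "github_workflow_file_creation_or_modification", tier: "Hunting" };
  return null;
}

// Run every event through the classifier and keep the hits with triage context.
function runDetections(events) {
  return events
    .map((ev) => ({ hit: classifyFileCreate(ev), ev }))
    .filter(({ hit }) => hit !== null)
    .map(({ hit, ev }) => ({ ...hit, image: ev.Image, file: ev.TargetFilename }));
}

// Constructed sample events, not real telemetry.
const SAMPLE_EVENTS = [
  { EventID: 11, Image: "/usr/bin/node", TargetFilename: "/home/ci/repo/.github/workflows/discussion.yaml" },
  { EventID: 11, Image: "C:\\Program Files\\nodejs\\node.exe", TargetFilename: "C:\\build\\proj\\.github\\workflows\\ci.yml" },
  { EventID: 11, Image: "/usr/bin/node", TargetFilename: "/tmp/cloud.json" },
  { EventID: 11, Image: "/usr/bin/node", TargetFilename: "/home/ci/repo/package.json" },
  { EventID: 1, Image: "/usr/bin/node", TargetFilename: "/tmp/environment.json" },
];

console.log(runDetections(SAMPLE_EVENTS));
```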
@nasbench nasbench added this to the v5.19.0 milestone Nov 25, 2025
@patel-bhavin

🚢

@patel-bhavin patel-bhavin merged commit 442e815 into develop Nov 25, 2025
4 checks passed
@patel-bhavin patel-bhavin deleted the NPMdetects branch November 25, 2025 22:56