Shai-Hulud Campaign Abuses node-gyp Rebuild to Execute Credential-Stealing npm Payloads
ID: dd0db31e-c7f3-55d9-9837-83c24cb3f16b
STIX ID: report--dd0db31e-c7f3-55d9-9837-83c24cb3f16b
Feed Name: Cyber Press
Shai-Hulud is an active supply-chain campaign that compromised about 20 npm packages in the Leo/RStreams ecosystem, embedding shell commands in binding.gyp to execute during node-gyp rebuilds; the malware aims to harvest AWS credentials, GitHub tokens, npm keys, and other secrets from developer workstations and CI/CD pipelines. The report lists affected packages and versions, monthly download counts, notable IOC changes (new repo description and token-revocation string), and a gated execution path controlled by a SEED_PAT environment variable.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
