logo

Shai-Hulud Campaign Abuses node-gyp Rebuild to Execute Credential-Stealing npm Payloads

ID: dd0db31e-c7f3-55d9-9837-83c24cb3f16b

STIX ID: report--dd0db31e-c7f3-55d9-9837-83c24cb3f16b

Feed Name: Cyber Press

Threat Score
78/100

Date Published: 2026-06-25

Date Updated: 2026-06-25

Author: Varshini

...
...

Shai-Hulud is an active supply-chain campaign that compromised about 20 npm packages in the Leo/RStreams ecosystem, embedding shell commands in binding.gyp to execute during node-gyp rebuilds; the malware aims to harvest AWS credentials, GitHub tokens, npm keys, and other secrets from developer workstations and CI/CD pipelines. The report lists affected packages and versions, monthly download counts, notable IOC changes (new repo description and token-revocation string), and a gated execution path controlled by a SEED_PAT environment variable.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.