Shai-Hulud Is Back, and This Time It Ate the Whole Ecosystem
ID: ad7bab8b-fdcc-570a-8a15-1c151e3cfc2e
STIX ID: report--ad7bab8b-fdcc-570a-8a15-1c151e3cfc2e
Feed Name: TrustedSec blog
Shai-Hulud is a widespread npm supply-chain campaign that compromised the atool account to push malicious preinstall/postinstall hooks across 300+ AntV ecosystem packages (impacting tens of millions of downloads). The payload harvests CI and local secrets (including scraping /proc memory for ACTIONS_ variables), sweeps hundreds of credential locations, exfiltrates via GitHub API dead-drops and a fallback OpenTelemetry-like C2 domain, and installs persistent VS Code/Claude backdoors; the report provides IOCs, hunt queries, detection rules, and step-by-step remediation (pin/downgrade, rotate credentials after cleanup, rebuild runners).
