
Shai Hulud 2.0 Campaign

ID: 8f797fba-2f2a-5770-8cd3-43815c978e90

STIX ID: report--8f797fba-2f2a-5770-8cd3-43815c978e90

Feed Name: Detect FYI

Threat Score
85/100

Date Published: 2026-01-12

Date Updated: 2026-04-19

Author: SIMKRA

...
...

Shai-Hulud 2.0 is a large-scale npm supply-chain campaign that added malicious preinstall scripts to compromised packages (e.g., setup_bun.js, which installs the Bun runtime if it is absent and then executes bun_environment.js). The payload downloads a self-hosted GitHub Actions runner, registers it under the name SHA1HULUD against a per-host GitHub repository that serves as the C2 channel, and runs tools such as TruffleHog to locate and exfiltrate cloud and developer credentials. Targets were developer workstations, CI/CD pipelines, and cloud workloads. The report provides technical walkthroughs, hunting queries over process, network, and file telemetry, a MITRE ATT&CK mapping, IOCs (strings, filenames, behaviors), and defensive recommendations such as restricting runner tokens, monitoring npm registry activity, protecting GCP credentials, and blocking unnecessary Bun usage.
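The install-time hook is the part of this pattern a defender can check for locally before the full report's hunting queries are deployed. The following triage scanner is an added example, not code from the Detect FYI report or from any tooling the report describes: it walks a node_modules tree, parses each package.json, and flags packages whose preinstall/install/postinstall hooks reference the filenames named above (setup_bun.js, bun_environment.js), invoke the Bun runtime, or mention SHA1HULUD or TruffleHog, plus packages that ship those files. The indicator list is limited to what the summary names; the package names, versions and directory layout in `build_demo_tree` are constructed for the demonstration, and the two .js files it writes are empty placeholders rather than the real loader or payload.

```python
"""Triage scanner for the npm lifecycle-hook pattern described in the
summary above. Added illustration, not code from the Detect FYI report.
It walks a node_modules tree, parses each package.json, and flags packages
whose install-time hooks reference setup_bun.js / bun_environment.js, run
the Bun runtime, or mention SHA1HULUD / TruffleHog, and packages that ship
those files. The indicator list is limited to what the summary names."""
import json
import os
import re
import tempfile
from pathlib import Path

# Hooks npm runs automatically at install time; other scripts need an explicit
# `npm run`, so they are deliberately not inspected here.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SUSPICIOUS_FILES = {"setup_bun.js", "bun_environment.js"}
# label -> case-insensitive regex applied to each lifecycle-hook command line
SUSPICIOUS_PATTERNS = {
    "setup_bun.js loader": re.compile(r"setup_bun\.js", re.I),
    "bun_environment.js payload": re.compile(r"bun_environment\.js", re.I),
    "Bun runtime invocation": re.compile(r"\bbunx?\b", re.I),
    "SHA1HULUD string": re.compile(r"sha1hulud", re.I),
    "TruffleHog invocation": re.compile(r"trufflehog", re.I),
}


def scan_package_json(text: str) -> list[str]:
    """Return the reasons one package.json looks suspicious ([] if clean)."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    scripts = manifest.get("scripts") or {}
    reasons = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(cmd):
                reasons.append(f"{hook} hook matches {label}: {cmd!r}")
    return reasons


def scan_node_modules(root: Path) -> dict[str, list[str]]:
    """Walk root; map package path (POSIX form, relative to root) -> reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        reasons = []
        if "package.json" in filenames:
            text = Path(dirpath, "package.json").read_text(encoding="utf-8", errors="replace")
            reasons += scan_package_json(text)
        reasons += [f"ships file {f}" for f in sorted(filenames) if f in SUSPICIOUS_FILES]
        if reasons:
            findings[Path(dirpath).relative_to(root).as_posix()] = reasons
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed sample tree (hypothetical package names): one benign package
    and one carrying the preinstall hook pattern. The .js files are empty
    placeholders, not the real loader or payload."""
    benign = base / "node_modules" / "left-pad-ish"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "version": "1.0.0",
         # "build" uses Bun but is not an install-time hook, so it is not flagged
         "scripts": {"test": "node test.js", "build": "bun run build"}}))
    bad = base / "node_modules" / "@scope" / "compromised-pkg"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "@scope/compromised-pkg", "version": "2.3.4",
         "scripts": {"preinstall": "node setup_bun.js"}}))
    (bad / "setup_bun.js").write_text("// placeholder\n")
    (bad / "bun_environment.js").write_text("// placeholder\n")
    return base / "node_modules"


def demo() -> dict[str, list[str]]:
    """Scan a freshly built constructed tree and return its findings."""
    return scan_node_modules(build_demo_tree(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    import sys
    # Usage: python scan.py /path/to/node_modules   (no argument: run the demo tree)
    result = scan_node_modules(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for pkg, reasons in sorted(result.items()):
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

The scanner only inspects hooks npm runs without an explicit `npm run`, which is the channel this campaign used; a Bun invocation in a `build` script is therefore reported as clean, as the benign demo package shows. Run it against a real node_modules directory or against an extracted tarball from a registry mirror, and treat any hit on the lifecycle hooks as a reason to pull the package's full install-time behaviour and telemetry from the report's hunting queries.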
