"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

    Date: 11/26/2025

    Severity: High

    Summary

    The team investigated a renewed npm-focused compromise known as Shai-Hulud 2.0, first revealed in early November 2025. This campaign is far larger than its predecessor, impacting tens of thousands of GitHub repositories, including over 25,000 malicious repositories tied to roughly 350 unique users. Shai-Hulud 2.0 escalates software supply-chain attacks by moving the infection point to the preinstall phase of dependency installation: the payload runs as soon as a package is fetched, without human interaction, and before the static scanning tools that run later in the build process get a chance to inspect it, which dramatically expands its reach. The campaign also introduces a destructive fallback mechanism that attempts to wipe the user's home directory, delivered through new payloads named setup_bun.js and bun_environment.js. Stolen credentials and secrets are exfiltrated to public GitHub repositories carrying the description "Sha1-Hulud: The Second Coming."
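    Because the infection point is the npm lifecycle hook, the first thing a defender can check on a build host or developer machine is which installed packages declare a preinstall/install/postinstall script and whether any of them reference the payload file names above. The following scanner is an added example written for this advisory, not Gurucul tooling or code from the campaign; it assumes the npm convention that hooks live under "scripts" in package.json, matches the advisory's payload names literally, and builds a constructed sample tree (placeholder files, not real malware) so it can be run offline.

```python
"""Scan a project tree for the Shai-Hulud 2.0 on-disk indicators from the advisory.

Added example, not Gurucul's tooling. Assumptions: npm lifecycle hooks are the
"scripts" entries of package.json; payload names are matched literally.
"""
import json
import os
import tempfile

# Payload file names and the indicator directory named in the advisory.
PAYLOAD_NAMES = {"setup_bun.js", "bun_environment.js"}
TRUFFLER_DIR = ".truffler-cache"
# npm lifecycle hooks that execute during `npm install` without user interaction.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def check_package_json(path):
    """Return findings for lifecycle hooks whose command references a named payload."""
    findings = []
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return findings  # unreadable or not valid JSON: nothing to report
    scripts = data.get("scripts") if isinstance(data, dict) else None
    for hook in LIFECYCLE_HOOKS:
        cmd = (scripts or {}).get(hook)
        if isinstance(cmd, str) and any(name in cmd for name in PAYLOAD_NAMES):
            findings.append({"type": "lifecycle_hook", "path": path,
                             "hook": hook, "command": cmd})
    return findings


def scan_tree(root):
    """Walk `root`; report suspicious hooks, payload file names and .truffler-cache dirs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = os.path.relpath(dirpath, root).split(os.sep)
        if TRUFFLER_DIR in rel_parts:
            findings.append({"type": "truffler_cache_dir", "path": dirpath})
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == "package.json":
                findings.extend(check_package_json(full))
            if name in PAYLOAD_NAMES:
                findings.append({"type": "payload_filename", "path": full})
    return findings


def build_sample_tree():
    """Create a constructed project tree (placeholder content, not real malware)."""
    root = tempfile.mkdtemp(prefix="shai_hulud_demo_")

    def write(relpath, content):
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("node_modules/benign-pkg/package.json",
          json.dumps({"name": "benign-pkg", "scripts": {"test": "jest"}}))
    write("node_modules/suspect-pkg/package.json",
          json.dumps({"name": "suspect-pkg",
                      "scripts": {"preinstall": "node setup_bun.js"}}))
    write("node_modules/suspect-pkg/setup_bun.js",
          "// constructed placeholder, not the real payload\n")
    write(".truffler-cache/trufflehog", "placeholder\n")
    os.makedirs(os.path.join(root, ".truffler-cache", "extract"), exist_ok=True)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

    Run it against a checkout's node_modules (or a CI runner's home directory) rather than the sample tree to triage a real host; a hit on a lifecycle hook is the signal to pull the package tarball and rotate any tokens that were present in the environment when it was installed.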

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

    Hashes (SHA-1):

    d60ec97eea19fffb4809bc35b91033b52490ca11
    3d7570d14d34b0ba137d502f042b27b0f37a59fa
    d1829b4708126dcc7bea7437c04d1f10eacd4a16

    Hashes (SHA-256):

    46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
    b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777
    dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c
    4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db
    62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0
    c723605455e8667a4c84327cf6b704bbdcb9b4ce3707ddddd927d32b8372ff77
    2e44e8d8a8e906fd5bfbb37be08dfe2dcf1ce41bd4ba726987ab516446dfb4f1
    fa7df9e9fc5390cc54e0086073fc9b3054087ffddf661bbc9f836b007fa25f20
    d66343059793800e72ef17690ce26492dc854c8513905778630ff1ed4e7a81b8
    981d3e2f5d7e26c93bd4b758ea722468900894fb2368db5f8399282e2414fe33

    Filenames/Paths:

    .truffler-cache/
    .truffler-cache/extract/
    .truffler-cache/trufflehog
    .truffler-cache/trufflehog.exe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7" or url like "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7" or siteurl like "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"

    Detection Query 2:

    sha1hash IN ("d60ec97eea19fffb4809bc35b91033b52490ca11","d1829b4708126dcc7bea7437c04d1f10eacd4a16","3d7570d14d34b0ba137d502f042b27b0f37a59fa")

    Detection Query 3:

    sha256hash IN ("62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0","4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db","46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09","b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777","dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c","c723605455e8667a4c84327cf6b704bbdcb9b4ce3707ddddd927d32b8372ff77","2e44e8d8a8e906fd5bfbb37be08dfe2dcf1ce41bd4ba726987ab516446dfb4f1","fa7df9e9fc5390cc54e0086073fc9b3054087ffddf661bbc9f836b007fa25f20","981d3e2f5d7e26c93bd4b758ea722468900894fb2368db5f8399282e2414fe33","d66343059793800e72ef17690ce26492dc854c8513905778630ff1ed4e7a81b8")

    Detection Query 4:

    Resourcename = "Windows Security" and eventtype = "4663" and objectname IN (".truffler-cache/",".truffler-cache/extract/",".truffler-cache/trufflehog",".truffler-cache/trufflehog.exe")

    Detection Query 5:

    technologygroup = "EDR" and objectname IN (".truffler-cache/",".truffler-cache/extract/",".truffler-cache/trufflehog",".truffler-cache/trufflehog.exe")
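    The five queries above reduce to three matching primitives: a substring match on URL fields, hash-set membership, and an exact-path match gated by event source. The module below is an added example (not the Gurucul query engine) that implements the same logic over plain event dictionaries so the rules can be dry-run against exported logs. It assumes each event is a flat dict whose keys mirror the query field names, treats `like` as a case-insensitive substring match, and lower-cases hash fields before lookup. It also goes one step beyond the advisory: an optional `normalize_paths` mode matches the .truffler-cache entries as trailing path components, because a real Windows 4663 ObjectName or EDR file event carries an absolute path rather than the bare relative path the IN list expects. The sample events are constructed for illustration.

```python
"""Dry-run the advisory's five TDIR detection queries over event records.

Added example, not Gurucul's query engine. Events are flat dicts keyed by the
query field names; `like` is a case-insensitive substring test.
"""

# IOC values copied verbatim from the advisory.
WEBHOOK_URL = "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"
IOC_SHA1 = {
    "d60ec97eea19fffb4809bc35b91033b52490ca11",
    "d1829b4708126dcc7bea7437c04d1f10eacd4a16",
    "3d7570d14d34b0ba137d502f042b27b0f37a59fa",
}
IOC_SHA256 = {
    "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0",
    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
    "c723605455e8667a4c84327cf6b704bbdcb9b4ce3707ddddd927d32b8372ff77",
    "2e44e8d8a8e906fd5bfbb37be08dfe2dcf1ce41bd4ba726987ab516446dfb4f1",
    "fa7df9e9fc5390cc54e0086073fc9b3054087ffddf661bbc9f836b007fa25f20",
    "981d3e2f5d7e26c93bd4b758ea722468900894fb2368db5f8399282e2414fe33",
    "d66343059793800e72ef17690ce26492dc854c8513905778630ff1ed4e7a81b8",
}
TRUFFLER_PATHS = {".truffler-cache/", ".truffler-cache/extract/",
                  ".truffler-cache/trufflehog", ".truffler-cache/trufflehog.exe"}


def _like(value, needle):
    """Case-insensitive substring match, mirroring the query language's `like`."""
    return bool(value) and needle.lower() in str(value).lower()


def _object_matches(objectname, normalize):
    """Exact IN-list match as written in the advisory; optional trailing-path match."""
    if not objectname:
        return False
    if objectname in TRUFFLER_PATHS:
        return True
    if not normalize:
        return False
    # Extension beyond the advisory: accept absolute paths and backslashes,
    # e.g. C:\Users\dev\.truffler-cache\trufflehog.exe from a real 4663 event.
    norm = objectname.replace("\\", "/").rstrip("/")
    return any(norm.endswith("/" + p.rstrip("/")) for p in TRUFFLER_PATHS)


def query1(ev):  # webhook.site exfiltration endpoint in web/DNS telemetry
    return any(_like(ev.get(f), WEBHOOK_URL) for f in ("domainname", "url", "siteurl"))


def query2(ev):  # SHA-1 hash IOCs
    return str(ev.get("sha1hash", "")).lower() in IOC_SHA1


def query3(ev):  # SHA-256 hash IOCs
    return str(ev.get("sha256hash", "")).lower() in IOC_SHA256


def query4(ev, normalize=False):  # Windows Security 4663 object access
    return (ev.get("resourcename") == "Windows Security"
            and str(ev.get("eventtype")) == "4663"
            and _object_matches(ev.get("objectname"), normalize))


def query5(ev, normalize=False):  # EDR file telemetry
    return ev.get("technologygroup") == "EDR" and _object_matches(ev.get("objectname"), normalize)


QUERIES = {1: query1, 2: query2, 3: query3, 4: query4, 5: query5}


def run_detections(events, normalize_paths=False):
    """Return (query_id, event_index) pairs for every event that satisfies a query."""
    hits = []
    for idx, ev in enumerate(events):
        for qid, fn in QUERIES.items():
            matched = fn(ev, normalize_paths) if qid in (4, 5) else fn(ev)
            if matched:
                hits.append((qid, idx))
    return hits


# Constructed sample events, one per detection path plus a benign record.
SAMPLE_EVENTS = [
    {"domainname": "webhook.site", "url": WEBHOOK_URL},
    {"sha1hash": "D60EC97EEA19FFFB4809BC35B91033B52490CA11"},
    {"sha256hash": "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"},
    {"resourcename": "Windows Security", "eventtype": 4663,
     "objectname": ".truffler-cache/trufflehog.exe"},
    {"resourcename": "Windows Security", "eventtype": 4663,
     "objectname": "C:\\Users\\dev\\.truffler-cache\\trufflehog.exe"},
    {"technologygroup": "EDR", "objectname": "/home/dev/.truffler-cache/extract/"},
    {"url": "https://registry.npmjs.org/", "sha256hash": "00" * 32},
]

if __name__ == "__main__":
    print("strict :", run_detections(SAMPLE_EVENTS))
    print("lenient:", run_detections(SAMPLE_EVENTS, normalize_paths=True))
```

    In strict mode the two absolute-path events produce no hit, which is the point of the normalized mode: when porting Query 4 and Query 5 to a SIEM whose file events log full paths, match on the trailing components instead of the bare relative strings. Similarly, Query 1 compares the full URL against domainname, so a bare domain value such as webhook.site never matches there; the hit in the sample comes from the url field.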

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-11-21-IOCs-for-ShinySp1d3r-ransomware.txt

    https://otx.alienvault.com/pulse/6925c63efe7a9aeb61440b43


    Tags: Malware, Shai-hulud, Node Package Manager (NPM), Exfiltration, credential stealers
