惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

有赞技术团队
有赞技术团队
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
aimingoo的专栏
aimingoo的专栏
IT之家
IT之家
G
Google Developers Blog
爱范儿
爱范儿
博客园 - 司徒正美
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
J
Java Code Geeks
The Cloudflare Blog
M
MIT News - Artificial intelligence
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Security Blog
Microsoft Security Blog
博客园 - Franky
雷峰网
雷峰网
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
Vercel News
Vercel News
宝玉的分享
宝玉的分享
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
WordPress大学
WordPress大学
T
Troy Hunt's Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
H
Hacker News: Front Page
H
Help Net Security
S
Security @ Cisco Blogs
V
V2EX
Security Archives - TechRepublic
Security Archives - TechRepublic
Stack Overflow Blog
Stack Overflow Blog
O
OpenAI News
L
LINUX DO - 最新话题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Help Net Security
Help Net Security
F
Full Disclosure
博客园 - 叶小钗
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Jina AI
Jina AI
K
Kaspersky official blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
V
Vulnerabilities – Threatpost
P
Privacy International News Feed
Scott Helme
Scott Helme

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2025-11-26 · via Vectra AI Blog

Update May 2026: GTIG's May 2026 AI threat tracker confirms the same pattern at a broader scale. TeamPCP (UNC6780) compromised GitHub repositories and PyPI packages for Trivy, Checkmarx, LiteLLM, and BerriAI, embedding the SANDCLOCK credential stealer to extract AWS keys and GitHub tokens from affected build environments. The stolen credentials were monetized through ransomware and extortion partnerships. The mechanics are familiar: trusted dependency, automatic execution, credential harvest, lateral reuse. The TanStack campaign introduced a technique this post doesn't cover. [Part 2 is here.]

---

In September I published an article about the NPM incident and why the initial exploit is only the starting point of an attack.

That attack was targeted and fairly straightforward. A maintainer was phished, a few packages were poisoned, and the goal was limited to stealing crypto.

Shai-Hulud takes a very different approach. It doesn’t rely on a victim clicking anything and it doesn’t stop at the initial machine it lands on. Instead, it uses the trust built into the software ecosystem to move from one environment to the next. In doing so, it turns the supply chain itself into a distribution network.

A Worm Hidden In Plain Sight

Wiz Research just published an excellent breakdown of the technical behaviors behind Shai-Hulud, here is a quick recap of how this worm works in practice:

1. Installation becomes execution

The moment a developer or CI pipeline installs an infected package, the payload runs automatically. There is no prompt or obvious indicator that anything unusual is happening. The worm hides inside routine build steps, which is why the initial execution goes unnoticed.

2. It steps around common security controls by switching runtimes

Most JavaScript development relies on Node.js, the engine behind npm and the one most teams monitor. Security tooling, logging, and scanning are built around Node.

Shai-Hulud avoids this by downloading and running its payload with Bun, a newer, high-performance runtime that isn’t commonly monitored. To the system, Bun looks like another developer tool. To the attacker, it is a quiet lane with far fewer controls.

This simple runtime shift helps the worm bypass many of the guardrails teams expect to rely on.

3. It collects any access it can find

Once running, the malware systematically searches for access. It looks for:

  • NPM tokens
  • GitHub credentials
  • CI/CD secrets
  • API keys
  • Cloud credentials from metadata services

Developer laptops, build servers, and cloud machines are treated the same. If a system has access, the worm collects it.

4. It leaks the stolen data in public by design

Instead of sending data back to a command-and-control server, the worm creates public GitHub repositories under the victim’s account and uploads the stolen secrets there. This eliminates the need for hidden infrastructure and leaves sensitive credentials exposed to anyone who knows where to look.

As Dmitriy put it during the podcast we recorded on Shai Hulud: “It’s like broadcasting stolen intel over public radio.

5. It spreads using the victim’s existing trust

If a compromised maintainer manages several packages, Shai-Hulud republishes malicious versions across all of them. If a GitHub token gives access to multiple repositories, those repositories become the next injection points. The worm grows by riding the trust the victim already has in the ecosystem. That’s how it scales from a handful of packages to hundreds.

6. It plants a persistent backdoor through GitHub Actions

The malware installs a self-hosted GitHub Actions runner on the victim’s machine and drops a workflow that triggers whenever someone opens a GitHub Discussion. This gives the attacker a quiet and durable foothold.

Commands executed through a discussion thread run directly on the compromised system while blending in with normal automation.

7. It carries a wiper for destructive fallback

Under certain conditions, the malware can wipe files from the host. Not every environment would trigger this, but the capability adds another layer of risk: the attack isn’t limited to theft; it also has the potential to disrupt development entirely.

The Deeper Issue: Supply Chains Spread Trust Faster Than Defenders Can Monitor It

Everything Shai-Hulud does aligns with normal development and automation workflows:

  • installing dependencies
  • running scripts
  • publishing packages
  • talking to GitHub
  • querying cloud APIs

None of these behaviors are suspicious on their own. They are everyday operations.

This is what makes the worm effective. It doesn’t behave like malware. It behaves like development, and it relies on the trust that development workflows inherit by default:

  • Developer machines hold long-lived tokens
  • CI pipelines run code automatically
  • Cloud roles carry broad permissions
  • Source control acts as both collaboration platform and automation engine.

Shai-Hulud simply follows the trust.

Seeing The Worm Through Behavior, Not Signatures

Modern supply-chain attacks reveal themselves through patterns of activity rather than static indicators. Shai-Hulud leaves signals such as:

  • A GitHub token creating dozens of repos out of nowhere
  • A CI runner reading cloud secrets at a volume that doesn't match its job
  • A workstation suddenly running a new automation runner
  • A cloud key using services it has never touched
  • A machine uploading large amounts of data to GitHub

Each action is ordinary. The sequence is not. This is where Vectra AI ties into the story. The platform doesn’t try to block package installations. It watches what happens after code runs, across identity systems, networks, and cloud environments. It correlates unusual account activity, unexpected data movement, and cloud actions that don’t fit established patterns. That context helps security teams see the full attack chain instead of a scattering of isolated events. And in supply-chain incidents like Shai-Hulud, context is everything.

In May 2026, TeamPCP returned with a campaign that added a step the behavioral signals above won't catch: extracting live OIDC tokens from GitHub Actions runner memory to obtain legitimate Sigstore certificates for poisoned packages. The provenance check passes. Part 2 covers why, and what detection actually looks like for that technique.

If you want to see how the Vectra AI platform works in practice, you can explore it in our self-guided demo.