Threat Actors Experiment with a Modified and Highly Obfuscated Shai Hulud Strain

A newly discovered variant of the Shai Hulud worm has surfaced on npm, embedded in the package @vietmoney/react-big-calendar, marking what appears to be the first detection of this revised strain.

Security researchers analyzing the package believe the attackers may be testing a new payload, as no widespread infections or propagation attempts have been observed yet.

New Strain Features and Key Modifications

This version exhibits clear signs of fresh obfuscation, suggesting direct access to the source code rather than simple replication.

The worm’s primary installer file is now labeled bun_installer.js, while its main payload has been renamed environment_source.js.

A structural analysis reveals renamed exfiltration output files, such as 3nvir0nm3nt.json, cl0vd.json, c9nt3nts.json, pigS3cr3ts.json, and actionsSecrets.json, indicating that the attackers are refining how they harvest environment variables, cloud configurations, and repository secrets.

The GitHub data exfiltration behavior has also changed. Instead of the previous repository description “Sha1-Hulud: The Second Coming,” the malware now labels the repositories it creates with the text “Goldox-T3chs: Only Happy Girl.”

This signature likely serves as a campaign tag or internal marker for operators tracking infected nodes or payload outcomes.

Aikido uncovered an operational bug in this version: the code attempts to fetch c0nt3nts.json but saves the data to c9nt3nts.json. The mismatch may prevent the payload from completing and was likely introduced during the obfuscation phase.

Technical Adjustments and Operational Behavior

Analysts note that the malware’s data-collection sequence has been modified. In earlier iterations, the worm saved contents.json first; in this version, the collection and exfiltration steps run in a different order, suggesting a more deliberate data-handling approach.

The new build introduces improved error handling for TruffleHog, the secret-scanning tool Shai Hulud runs to find exposed credentials in repositories. The updated version handles TruffleHog timeouts gracefully instead of failing, suggesting active debugging and iterative development by the threat actors.

Another notable change is cross-platform publishing compatibility; the worm now adapts its package-publishing process based on the operating system.

In prior versions, its reliance on the bun tool failed on Windows, whereas the current update dynamically replaces commands with bun.exe as needed.

Encouragingly, the dead man’s switch (a failsafe mechanism that previously triggered data deletion or self-destruction) appears to have been removed, reducing the destructive capability seen in older samples.

This discovery underscores the persistence of adversarial experimentation with supply-chain infiltration methods within open-source ecosystems such as npm.

While this incident appears contained, experts warn that future iterations may further refine these tactics, underscoring the urgent need for continuous repository monitoring and automated supply-chain threat detection.


The post Threat Actors Experiment with a Modified and Highly Obfuscated Shai Hulud Strain appeared first on Cyber Security News.
