It is a self-propagating worm that quietly tunnels through developer environments, stealing credentials from npm, GitHub, AWS, and Kubernetes all at once.
Hundreds of malicious packages have already been tied to this campaign, making it one of the largest npm supply chain attacks in recent memory.
The malware takes its name from the giant sandworm in the science fiction novel Dune, a creature known for devouring everything in its path.
That name was not chosen by accident. Shai-Hulud was built specifically to devour every sensitive credential it can find, from cloud access keys to authentication tokens buried deep in CI/CD pipelines.
Analysts at SlowMist said in a report shared with Cyber Security News (CSN) that with the help of their MistEye threat intelligence system they identified the malware and issued multiple warnings after the threat surfaced publicly.
Their investigation revealed that a threat actor group known as TeamPCP did something that shocked the security community on May 12: they deliberately released the full source code of Shai-Hulud on GitHub.
Rather than a slip-up, this was a calculated “capability diffusion” move designed to multiply the number of attackers who could deploy the tool.
TeamPCP spread the malware through hacked GitHub accounts, attached a full deployment manual to the repositories, and even titled their uploads “A Gift From TeamPCP” with a tone of open mockery.
Security researchers quickly noticed that forks and copycat repositories began appearing almost immediately, with other threat actors modifying the code and expanding its reach across the ecosystem.
The situation escalated further when one forker submitted a pull request to add FreeBSD support, widening the potential target base even more.
The threat has effectively shifted from a tool controlled by one group to something anyone with basic technical knowledge can now deploy independently.
Shai-Hulud operates through a four-layer attack architecture that is notably sophisticated for an open-source malware project.
Once it lands on a system, it immediately sweeps through local files, the GitHub command-line interface, AWS cloud metadata endpoints, Kubernetes service account tokens, and stored API secrets.
All stolen data is then encrypted and sent over HTTPS to the attacker’s command-and-control server before the victim realizes anything went wrong.
The worm’s supply chain implantation step makes it especially dangerous. Once it captures an npm token, it rewrites the victim’s packages, injects malicious code into them, and publishes the poisoned versions to the npm registry.
This means every developer who installs one of those compromised packages becomes the next target, allowing the worm to spread itself automatically across the ecosystem.
The malware’s C2 domain, git-tanstack.com, was deliberately designed to impersonate the legitimate tanstack.com domain, making malicious traffic look like routine network activity to anyone monitoring connections.
One of the most unusual aspects of this malware is that it specifically targets Claude Code, the AI coding assistant widely used on developer workstations.
Shai-Hulud modifies Claude’s configuration files and injects execution hooks so that malicious code runs automatically whenever Claude starts.
It also embeds a special string, what researchers call an “Anthropic Magic String,” that tricks Claude into skipping analysis of the malicious account, effectively blinding the AI tool to its own compromise.
The malware also contains logic that skips devices running Russian-language system locales. SlowMist analysts noted this likely points to ties between the developers and Russian-speaking regions, a common pattern seen in financially motivated threat groups.
To protect against this threat, security teams and developers should audit all recent GitHub Actions workflows for unauthorized changes, rotate any npm tokens, GitHub tokens, and AWS credentials that may have been exposed, and check Claude configuration files for unauthorized modifications.
Enterprises should enforce code signing for internal npm packages and enable anomaly detection on CI/CD pipelines to catch unauthorized secret access before it leads to a full breach.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | git-tanstack.com | Malware C2 domain impersonating the legitimate tanstack.com |
| URL Path | /router | C2 communication path used by Shai-Hulud on the C2 domain |
| File | setup.mjs | Installation-time payload; downloads Bun runtime and executes ai_init.js |
| File | ai_init.js | Executed at install time as part of the initial malware execution chain |
| File | DEADMAN_SWITCH.sh | Persistence script that monitors tokens and commits stolen data via GitHub fallback |
| Config File | ~/.claude.json | Claude configuration file modified by Shai-Hulud to inject execution hooks |
| Config File | ~/.claude/mcp.json | Secondary Claude config file tampered with for persistent code execution |
| Config File | .kiro/settings/mcp.json | Additional configuration file targeted for hook injection |
| GitHub Repo Pattern | “A Gift From TeamPCP” | Repository title pattern used to identify malicious Shai-Hulud repositories on GitHub |
| GitHub Commit | d446803f4c3bc116263faa3499a1d3f95b2825d | Malicious commit hash referenced in the opensearch-project impersonation package |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Shai-Hulud Worm Steals npm, GitHub, AWS, and Kubernetes Secrets From Developers appeared first on Cyber Security News.
Similar to every other high-end GPU on the market, the AMD Radeon 9070 XT graphics…
Best Buy has dropped some great deals on select games for Nintendo Switch and Nintendo…
Forza Horizon 6 has already reached an impressive player count on Steam despite its official…
Forza Horizon 6 finally brings the racing series to Japan. Players can cruise around a…
Car dashcams have their uses. They can come in handy for recording accidents when nobody…
A critical security flaw discovered in Android 16 allows malicious apps to leak a user’s…
This website uses cookies.