Shai Hulud
Shai Hulud is tracked here as a malware family or toolset with 8 Sigma detections spanning 2025. Coverage centers on linux / process_creation, windows / process_creation, linux / file_event.
Shai-Hulud Malicious GitHub Workflow Creation
Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
Shai-Hulud 2.0 Malicious NPM Package Installation
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
Shai-Hulud Malicious Bun Execution
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
Shai-Hulud Malicious Bun Execution - Linux
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
Shai-Hulud Malware Indicators - Linux
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
Shai-Hulud Malware Indicators - Windows
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
Shai-Hulud NPM Package Malicious Exfiltration via Curl
Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.