The distinction between "code security" and "cloud security" has evaporated. In late 2025, the "Shai-Hulud" campaigns demonstrated a significant evolution in adversary tradecraft: the weaponization of the open-source ecosystem to launch self-propagating worms that pivot from development environments to cloud control planes. This talk dissects the anatomy of this campaign, which compromised over 25,000 repositories and 350 organisations. We will provide a deep dive into the adversary’s use of automation to scale infections at a rate of 1,000 repositories every 30 minutes, their use of "cross-victim exfiltration" to obfuscate attribution, and the deployment of novel persistence mechanisms like GitHub Discussion backdoors. Attendees will gain a technical understanding of how supply chain attacks have shifted from static malicious packages to dynamic, environment-aware worms.

Summary & Tactical Analysis:

1. Shift in Focus: The CI/CD Pipeline as the Primary Target
   Traditional adversary models assume the target is a production server or a developer laptop. Our analysis of the Shai-Hulud infection data reveals a decisive shift in adversary focus toward the build pipeline.
   • Environment Fingerprinting: We analysed the malware’s execution logic, discovering distinct behavioural branches based on the environment. The malware checks environment variables (e.g., process.env.GITHUB_ACTIONS, process.env.BUILDKITE) to determine if it is running in a CI environment.
   • Synchronous Execution: In CI environments, the malware forces synchronous execution to ensure payload delivery completes before the ephemeral runner terminates. This "environment awareness" represents a maturation in supply chain malware, designed specifically to exploit the trust implicit in automated build processes.

2. Tactical Evolution: Automation and Speed
   The Shai-Hulud campaign is a case study in how adversaries are using automation to outpace human response teams.
   • The Velocity of Compromise: Incident data shows that the worm replicated at a rate of approximately 1,000 new malicious repositories every 30 minutes.
   • AI-Generated Payloads: Forensic analysis of the malicious scripts (setup_bun.js) suggests the adversary utilised AI to generate payload variations. We observed distinct stylistic patterns - some seemingly AI-generated, others copy-pasted - indicating the adversary is using LLMs to lower the barrier to entry and rapid-fire polymorphic code to evade static analysis.

3. New Tradecraft: Cross-Victim Exfiltration
   Perhaps the most significant shift in behavior observed is the technique of "Cross-Victim Exfiltration," which complicates attribution and takedowns.
   • The Tactic: Rather than exfiltrating data to a single attacker-controlled server, the worm utilised the credentials of Victim A to create a public repository, which then served as the exfiltration drop-site for Victim B’s secrets.
   • The Impact: This technique turns victim infrastructure into part of the attack distribution network. Defenders looking for "unusual outbound traffic" to known bad IP addresses failed to detect the exfiltration because the traffic was directed toward legitimate, high-reputation GitHub domains owned by other compromised organisations.

4. Novel Persistence: The "Discussion" Backdoor
   The presentation will detail a previously unseen persistence mechanism discovered during our reverse engineering of the Shai-Hulud payload.
   • Mechanism: The malware injects a workflow file (discussion.yaml) that triggers only when a new "Discussion" is created in the repository.
   • Implication: This allows the adversary to re-execute arbitrary code on the compromised machine simply by posting a comment in the repository's discussion tab, bypassing standard triggers like push or pull_request that are more heavily monitored. While we successfully validated this exploit in a lab setting, it represents a dangerous evolution in "living off the land" within SCM platforms.

Conclusion:
The Shai-Hulud campaign signals that adversaries have successfully bridged the gap between code repositories and cloud runtime environments. By analysing these shifts - from environment-aware execution to cross-victim obfuscation - defenders can better anticipate the next generation of automated supply chain threats.

Sources:
https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack
https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
https://www.wiz.io/blog/github-attacks-pat-control-plane