Shai-Hulud Malicious GitHub Workflow Creation

Oct 19, 2025 · attack.persistence attack.credential-access attack.t1552.001 attack.collection attack.t1119 detection.emerging-threats ·

Share on:

Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets

Sigma rule (View on GitHub)

 1title: Shai-Hulud Malicious GitHub Workflow Creation
 2id: 0aba5685-6db6-486f-88ef-29a99c545cfd
 3status: experimental
 4description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
 5references:
 6    - https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action
 7author: Swachchhanda Shrawan Poudel (Nextron Systems)
 8date: 2025-09-24
 9tags:
10    - attack.persistence
11    - attack.credential-access
12    - attack.t1552.001
13    - attack.collection
14    - attack.t1119
15    - detection.emerging-threats
16logsource:
17    product: linux
18    category: file_event
19detection:
20    selection:
21        TargetFilename|endswith: '.github/workflows/shai-hulud-workflow.yml'
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

References

https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action

Read More

Shai-Hulud Malicious GitHub Workflow Creation

Sigma rule (View on GitHub)

References

https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action

Related rules