Shai-Hulud Malicious GitHub Workflow Creation

Detects the creation of a shai-hulud-workflow.yml file associated with the Shai-Hulud worm, an NPM supply-chain attack that exfiltrates GitHub secrets

Sigma rule

title: Shai-Hulud Malicious GitHub Workflow Creation
id: 0aba5685-6db6-486f-88ef-29a99c545cfd
status: experimental
description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
references:
    - https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.credential-access
    - attack.t1552.001
    - attack.collection
    - attack.t1119
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.github/workflows/shai-hulud-workflow.yaml'
            - '.github/workflows/shai-hulud-workflow.yml'
            - '.github/workflows/shai-hulud.yaml'
            - '.github/workflows/shai-hulud.yml'
    condition: selection
falsepositives:
    - Unlikely
level: high
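As an added example (not part of the rule or the Sigma project), the selection above applied in Python to constructed Sysmon-for-Linux file-create records. The event field layout, paths and process names are assumptions; the case-insensitive comparison follows Sigma's default string-matching semantics, which a backend applies when it compiles the rule.

```python
# Suffixes copied from the rule's `TargetFilename|endswith` selection.
SHAI_HULUD_WORKFLOW_SUFFIXES = (
    ".github/workflows/shai-hulud-workflow.yaml",
    ".github/workflows/shai-hulud-workflow.yml",
    ".github/workflows/shai-hulud.yaml",
    ".github/workflows/shai-hulud.yml",
)


def matches_rule(event: dict) -> bool:
    """Apply the rule's single selection to one Linux file_event record.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before the suffix comparison.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    target = target.lower()
    return any(target.endswith(suffix) for suffix in SHAI_HULUD_WORKFLOW_SUFFIXES)


# Constructed sample events shaped like Sysmon-for-Linux FileCreate (Event ID 11)
# records; the paths and process names are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "/usr/bin/node",
     "TargetFilename": "/home/ci/repo/.github/workflows/shai-hulud-workflow.yml"},
    {"EventID": 11, "Image": "/usr/bin/git",
     "TargetFilename": "/home/ci/repo/.github/workflows/ci.yml"},           # benign workflow
    {"EventID": 11, "Image": "/usr/bin/node",
     "TargetFilename": "/srv/build/pkg/.GitHub/Workflows/Shai-Hulud.yaml"},  # mixed case
    {"EventID": 11, "Image": "/usr/bin/vim",
     "TargetFilename": "/home/dev/notes/shai-hulud-workflow.yml"},          # not under .github/workflows
]


def find_alerts(events):
    """Return the events that trigger the rule, tagged with the rule title and level."""
    return [dict(e, rule="Shai-Hulud Malicious GitHub Workflow Creation", level="high")
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["level"], alert["Image"], "->", alert["TargetFilename"])
```

Only the first and third records fire: the second is a normal workflow file, and the fourth carries the malicious filename outside the `.github/workflows` directory, so the `endswith` suffix does not apply.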
