Shai-Hulud NPM Attack GitHub Activity
Detects GitHub activity associated with the 'Shai-Hulud' NPM supply chain attack. The attack involves malicious NPM packages that use stolen GitHub tokens to create a new branch, inject a malicious workflow file to exfiltrate secrets, and make private repositories public.
Sigma rule
title: Shai-Hulud NPM Attack GitHub Activity
id: 69fa9174-4370-4646-8d48-6a22e2853402
status: experimental
description: |
    Detects GitHub activity associated with the 'Shai-Hulud' NPM supply chain attack. The attack involves malicious NPM packages that use stolen GitHub tokens to create a new branch,
    inject a malicious workflow file to exfiltrate secrets, and make private repositories public.
references:
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.persistence
    - attack.impact
    - detection.emerging-threats
logsource:
    product: github
    service: audit
detection:
    selection:
        - 'shai-hulud-workflow.yml'
    condition: selection
falsepositives:
    - Unlikely
level: high
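The rule's selection is a bare keyword list, so in Sigma semantics it is a case-insensitive substring search across the whole audit event rather than a match on one named field. The following Python matcher is an added example that is not part of the rule page or the SigmaHQ project: it emulates that keyword semantics over a few constructed newline-delimited JSON audit records. The record field names (action, actor, repo, workflow_path, visibility) and all values are made up for the example; they follow the general shape of a GitHub audit log export but are not taken from a real log.

```python
"""Keyword matcher emulating the Sigma rule above, run over constructed
GitHub audit log records (added example, not the rule's own tooling)."""
import json
from typing import Any, Iterable

# The rule's single keyword. Sigma keyword selections are matched as
# case-insensitive substrings against every string in the event.
KEYWORDS = ("shai-hulud-workflow.yml",)


def _string_values(obj: Any) -> Iterable[str]:
    """Yield every string leaf of a nested JSON-like structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _string_values(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from _string_values(value)


def matches(event: dict, keywords: Iterable[str] = KEYWORDS) -> bool:
    """True if any keyword appears (case-insensitively) in any string field."""
    wanted = [k.lower() for k in keywords]
    for value in _string_values(event):
        low = value.lower()
        if any(k in low for k in wanted):
            return True
    return False


def scan(lines: Iterable[str]) -> list:
    """Parse newline-delimited JSON audit records and return the hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if matches(event):
            hits.append(event)
    return hits


# Constructed sample records (not real audit data). Field names are
# illustrative; only the third line carries the workflow filename.
SAMPLE_LOG = """
{"action": "git.push", "actor": "dev-user", "repo": "acme/billing", "workflow_path": ".github/workflows/ci.yml"}
{"action": "repo.access", "actor": "dev-user", "repo": "acme/billing", "visibility": "public"}
{"action": "git.push", "actor": "dev-user", "repo": "acme/billing", "workflow_path": ".github/workflows/Shai-Hulud-Workflow.yml"}
{"action": "repo.create", "actor": "dev-user", "repo": "acme/shai-hulud-migration"}
"""


def demo() -> list:
    """Return the repo names of the sample events that trigger the rule."""
    return [event["repo"] for event in scan(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", json.dumps(hit))
```

Two things the sample run makes visible: the mixed-case filename still matches, because keyword matching ignores case, and neither the repository visibility change nor a repository name merely containing "shai-hulud" matches, because the rule keys on the exact workflow filename. The visibility change is part of the attack chain described above but needs its own detection; this rule only fires on the filename.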