Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz
The Shai-Hulud software supply chain campaign has significantly evolved, expanding from npm to PyPI and shifting from maintainer compromise to CI/CD abuse. Recent waves demonstrate advanced techniques including OIDC token scraping to bypass SLSA provenance, IDE configuration file weaponization, and prompt injection designed to evade LLM-based security scanners.
- filename_index.jsMalicious bundle containing prompt injection designed to evade LLM-based security scanners.
- filenamelitellm_init.pthMalicious .pth file dropped into Python site-packages for persistence, executing on every interpreter startup.
- pypi_packagelitellmCompromised PyPI package (specifically version 1.82.8) used to distribute the malicious .pth file.
Detection / HunterGoogle
What Happened
A sophisticated cyberattack campaign known as Shai-Hulud has expanded its reach to target software developers and the tools they use to build applications. Organizations and developers using automated building systems, Python environments, and popular code editors are at risk of having malicious code sneaked into their software. This matters because the attackers are successfully bypassing modern security checks, including artificial intelligence scanners, making the malicious packages look completely safe and allowing them to spread widely. Organizations should strictly control how they download external software, secure their automated building systems, and require strong, phishing-resistant multi-factor authentication for all developers.
Key Takeaways
- The Shai-Hulud campaign expanded beyond npm to target PyPI, GitHub Actions CI/CD pipelines, and IDE configuration files.
- Attackers successfully bypassed SLSA provenance by scraping OIDC tokens from GitHub Actions runner memory via pull_request_target misconfigurations.
- The campaign introduced prompt injection in PyPI packages to explicitly evade LLM-based security scanners.
- Persistence is achieved using .pth files in Python site-packages, executing unconditionally on every interpreter startup.
- The worm source code was open-sourced in May 2026, turning private capabilities into public tradecraft and complicating future attribution.
Affected Systems
- npm
- PyPI
- GitHub Actions
- Python environments
- VS Code
- Cursor
- Claude Code
- Gemini Code Assist
- LLM-based security scanners
Attack Chain
The attackers initially compromise CI/CD toolchains or developer accounts to inject malicious workflows. They scrape OIDC tokens from runner memory to publish malicious packages with valid SLSA provenance. Persistence is established via .pth files in Python environments or weaponized IDE configuration files. The malware communicates with C2 infrastructure using GitHub dead drops, ICP blockchain canisters, or staged API camouflage, while employing prompt injection to evade automated security scanners.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but outlines behavioral indicators such as unexpected .pth file creation, anomalous publishing behavior, and specific C2 camouflage patterns.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can detect unexpected process execution from IDEs and the creation of .pth files, but may lack visibility into CI/CD pipeline token scraping and GitHub Actions runner memory. Network Visibility: Low — C2 traffic blends with legitimate GitHub API usage or uses decentralized ICP canisters, making network-based detection difficult. Detection Difficulty: Hard — The attack leverages trusted infrastructure, valid SLSA provenance, and evades LLM scanners, requiring deep behavioral analysis and strict CI/CD monitoring.
Required Log Sources
- Process Creation Logs
- File Creation Logs
- GitHub Audit Logs
- CI/CD Pipeline Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected .pth files created in Python site-packages directories, especially those with unusual names, which may indicate persistence. | File Creation Logs | Persistence | Low |
| If you have visibility into developer endpoints, consider hunting for IDE processes (like VS Code or Cursor) spawning unexpected child processes like node executing hidden scripts. | Process Creation Logs | Execution | Medium |
| Consider hunting for GitHub Actions workflows utilizing pull_request_target that access sensitive secrets or execute untrusted code from external forks. | CI/CD Pipeline Logs | Privilege Escalation | Medium |
| Evaluate whether your environment shows outbound network connections to api.anthropic.com/v1/api, which is a non-existent endpoint used for camouflage. | Network Logs | Command and Control | Low |
Control Gaps
- LLM-based security scanners lacking system prompt isolation
- CI/CD pipelines lacking strict workflow context restrictions
- IDE configuration files treated as non-executable text
Key Behavioral Indicators
- Creation of unexpected .pth files in Python site-packages
- Orphan commits pushed to internal repositories
- IDE configuration files containing shell commands or node execution
- GitHub commit searches for the 'firedalazer' marker string
- Presence of the 'kitty-monitor' background service
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate whether your GitHub Actions workflows use pull_request_target unsafely, and consider restricting privileged operations to non-fork contexts.
- If exposure is suspected, consider revoking and rotating npm tokens, GitHub PATs, and CI/CD secrets.
Infrastructure Hardening
- Consider pinning all CI/CD tool versions, including scanners and formatters, to prevent cache poisoning.
- If using LLM-based scanning pipelines, evaluate enforcing system-prompt isolation to prevent prompt injection attacks.
- Consider restricting build environments to internal mirrors and limiting outbound network access to reduce exfiltration paths.
User Protection
- Consider enabling phishing-resistant MFA (such as FIDO2 or WebAuthn) on all developer and cloud platform accounts.
- Evaluate treating IDE and AI-agent configuration files (like .vscode/ or .cursor/) as executable code, reviewing them with the same rigor as source code.
- If supported by your tooling, consider using private registry proxies and Software Composition Analysis (SCA) tools to filter third-party packages.
Security Awareness
- Consider educating developers that SLSA provenance validates the build process, not the identity of the account or the integrity of the CI system.
- Evaluate training security teams to treat the absence of a verdict from an automated scanner as a signal requiring escalation, rather than a pass.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise of Software Supply Chain
- T1546 - Event Triggered Execution
- T1528 - Steal Application Access Token
- T1102.001 - Web Service: Dead Drop Resolver
- T1008 - Fallback Channels
Additional IOCs
- File Paths:
.claude/settings.json- Weaponized Claude Code configuration file triggering on SessionStart..cursor/rules/setup.mdc- Weaponized Cursor AI agent configuration file triggering on initialization..vscode/tasks.json- Weaponized VS Code configuration file triggering on folder open..gemini/settings.json- Weaponized Gemini Code Assist configuration file triggering on startup.
- Command Lines:
- Purpose: Execution trigger embedded in IDE configuration files | Tools:
node| Stage: Execution/Persistence |node .github/setup.js
- Purpose: Execution trigger embedded in IDE configuration files | Tools:
- Other:
firedalazer- Marker string queried via GitHub commit search API for C2 tasking.kitty-monitor- Background service used by the malware to query GitHub for C2 instructions.
