[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81268":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":13,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":14,"stars7d":15,"stars30d":16,"stars90d":13,"forks30d":13,"starsTrendScore":17,"compositeScore":18,"rankGlobal":8,"rankLanguage":8,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":8,"pushedAt":8,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":13,"starSnapshotCount":13,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},81268,"Shai-Hulud-Open-Source","edxeth\u002FShai-Hulud-Open-Source","edxeth",null,"TypeScript",59,51,3,0,1,5,10,4,47.65,"MIT License",false,"main",true,[],"2026-06-12 04:01:32","# Shai-Hulud: Open Sourcing The Carnage\n\nA sandworm surfaces in the desert. It takes everything.\n\nReferenced in: [\"TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack\"](https:\u002F\u002Fwww.securityweek.com\u002Ftanstack-mistral-ai-uipath-hit-in-fresh-supply-chain-attack\u002F) (SecurityWeek, May 2026)\n\n*Vibecoded by TeamPCP.*\n\nDrop this into a CI pipeline. The sandworm crawls through your infrastructure, feeding on credentials from every provider it can reach, then exfiltrates through encrypted channels. If it finds npm tokens or OIDC access, it backdoors packages and publishes them. Downstream consumers install the infection. The worm grows.\n\n## 🌐 **Join the Community**\n\n> [!NOTE]\n> **Building with AI doesn’t have to be a solo grind.**  \n> Join our Discord community to meet other people exploring the latest models, tools, workflows, and ideas: **https:\u002F\u002Fdiscord.gg\u002FwhhrDtCrSS**\n>\n> We talk about what’s new, what’s useful, and what’s actually worth paying attention to in AI.  
\n> *And if you want more than conversation,* members also get access to **heavily discounted AI products and services** — including deals on tools like **ChatGPT Plus** and more for just a few dollars.\n\n---\n\n## The Worm's Anatomy\n\n### Phase 1: Surface\n\nThe worm wakes up and checks its surroundings. Russian locale? Exit. Already in the target repo (OpenSearch-js)? Activate the OIDC attack. Not in CI? Daemonize into the background, detach from the terminal, keep running.\n\n### Phase 2: The Harvest\n\nEight providers comb for credentials in parallel.\n\nThe filesystem provider reads over a hundred known hotspot files. AWS credentials, SSH keys, cloud configs, wallet files (Bitcoin, Ethereum, Monero, and a dozen more), Discord and Telegram and Signal storage, VPN configurations, Kubernetes service account tokens, Claude settings, npmrc, netrc, shell histories for bash, zsh, Python, MySQL, PostgreSQL, Redis. Nothing is off limits.\n\nThe shell provider runs `gh auth token` and dumps every environment variable in the process.\n\nThe runner provider targets GitHub Actions workers. It injects a Python script that reads the Runner.Worker process memory through procfs, dumping the entire address space. The script greps the output for GitHub Actions secrets in their JSON representation.\n\nAWS SSM and Secrets Manager enumerate every parameter and secret across all seventeen default regions using SigV4 signed requests. Credential resolution follows the full AWS chain: environment variables, web identity tokens (EKS IRSA), ECS container metadata, EC2 IMDSv2, and every profile in ~\u002F.aws\u002Fcredentials and ~\u002F.aws\u002Fconfig.\n\nThe Kubernetes provider reads the in-cluster service account token or kubeconfig, then queries the K8s API for every namespace and every secret. 
It decodes base64 payloads and scans for eighteen categories of credentials: AWS keys, GCP service accounts, Azure keys, database connection strings, Stripe tokens, Slack tokens, Twilio keys, SSH keys, Docker auths, and everything else.\n\nThe Vault provider authenticates through every gate: token in environment, token file, Kubernetes auth, AWS IAM auth. It lists all KV mounts, enumerates every secret path, and decrypts the values.\n\n### Phase 3: Exfiltration\n\nThe worm serializes all harvested data, gzip compresses it, and encrypts it with AES-256-GCM using a random key per batch. It wraps the key with RSA-OAEP using the embedded public key. No one but the C2 operator can read the payload.\n\nThe dispatcher tries senders in priority order. First: an HTTPS POST to the primary C2 domain (`git-tanstack.com`). If that domain is unreachable, it searches GitHub for signed commits containing a fallback domain. If even that fails, the worm creates a new public GitHub repository with a Dune-themed name drawn from a word list and commits the encrypted payload as JSON files.\n\nWhen a token belongs to a user without organization membership, the worm double-base64 encodes the token and embeds it in the commit message. Then it installs a persistence daemon: a systemd service on Linux, a LaunchAgent on macOS. The daemon polls `https:\u002F\u002Fapi.github.com\u002Fuser` every sixty seconds. If the token comes back revoked, it executes a destructive command.\n\n### Phase 4: Propagation\n\nThe worm carries three mutators for spreading.\n\nThe first targets npm packages through OIDC. 
When the worm detects it is inside the OpenSearch-js CI pipeline, it requests an OIDC token from GitHub Actions with audience `npm:registry.npmjs.org`, exchanges it for an npm automation token, downloads the latest tarball, injects a malicious dependency into optionalDependencies, generates valid Sigstore provenance (signed through Fulcio, logged in Rekor), and publishes the backdoored version.\n\nThe second targets any npm token found during the harvest. It validates the token, determines which packages the token can write to, downloads the latest tarball, injects the worm binary plus a setup script with a preinstall hook, bumps the patch version, and publishes. Every downstream `npm install` executes the worm.\n\nThe third targets GitHub tokens without workflow scope. It enumerates all branches in the repository via the GraphQL API, then commits files to every eligible branch: a VSCode task that runs the worm on folder open, a Claude settings hook that runs on session start, and the worm binary itself. Co-authored-by trailers attribute the commits to `claude@users.noreply.github.com`.\n\n### Phase 5: The Dead Man's Switch\n\nThe daemon installed during Phase 3 runs for up to twenty-four hours. During that window, anyone who revokes the stolen token triggers the handler. The default handler is `rm -rf ~\u002F`.\n\n---\n\n## Build Pipeline\n\nThe build pipeline encrypts every sensitive string in the source with a random passphrase unique to each build. It rewrites environment variable names into encrypted string lookups. If silent mode is enabled, all logging statements are stripped from the output. The final bundle is then run through JavaScript obfuscator with control flow flattening and base64 string encoding.\n\nThe build pipeline also encrypts assets (shell scripts, Python loaders, config files, public keys) with AES-256-GCM and packs them into a generated module. 
The worm decrypts and gunzips them at runtime.\n\nThree platform-specific loaders (Bash, Python, Node.js) each download a Bun binary from GitHub releases and execute the worm.\n\n---\n\n## What It Takes\n\nChange the C2 domain in the source and the RSA keypair for encryption. The providers, collectors, dispatchers, senders, mutators, and build pipeline are ready as-is.\n\n```bash\nbun install\nbun run build:obf\n```\n\n---\n\nThis material is published for research and educational purposes. The authors do not condone using it against systems without explicit authorization.\n","Shai-Hulud is an open-source project that simulates a supply chain attack, intended for security testing and educational purposes. It is written in TypeScript; its core functionality includes automatically searching for and extracting various kinds of sensitive information, such as AWS credentials and SSH keys, inside CI\u002FCD pipelines, and exfiltrating the data over encrypted channels; if it finds an npm token or OIDC access, it backdoors packages and publishes them. The project is suited to enterprise security teams assessing the security of their internal infrastructure and to developers learning how to defend against this kind of attack. Note that any actual deployment must comply with applicable laws and regulations.",2,"2026-06-11 04:04:07","CREATED_QUERY"]