{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/shai-hulud/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Shai-Hulud"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm"],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","credential-theft","remote-code-execution"],"_cs_type":"threat","_cs_vendors":["Sonatype"],"content_html":"\u003cp\u003eThe Shai-Hulud campaign has resurfaced, focusing on compromising npm maintainer accounts to inject malicious code directly into the software supply chain. Because the malicious code arrives through a legitimate publish from a trusted account, the attacker does not need to exploit any vulnerability in the package or in the projects that consume it. The latest wave of attacks, observed in May 2026, targeted the Ant Design (AntV) ecosystem. Successful compromises of maintainer accounts allowed attackers to publish malicious versions of trusted packages. This resulted in downstream developers unknowingly incorporating backdoored code into their projects, potentially leading to credential theft and remote code execution within their environments. 
The re-emergence of Shai-Hulud highlights the ongoing risk of supply chain attacks and the importance of securing developer accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target npm package within the Ant Design (AntV) ecosystem.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to the npm account of the package maintainer, likely through phished or stolen credentials or a leaked publish token rather than any flaw in npm itself.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious code into the package\u0026rsquo;s source code, potentially targeting credential theft and remote code execution.\u003c/li\u003e\n\u003cli\u003eAttacker publishes a new, compromised version of the npm package to the npm registry.\u003c/li\u003e\n\u003cli\u003eDownstream developers unknowingly update their projects to use the compromised package version, often automatically, because caret or tilde ranges in package.json let the next install pull the new release without any change to the project.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes within the developers\u0026rsquo; environments, for example from an install-time lifecycle script, potentially stealing credentials or establishing a reverse shell for remote access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign has the potential to compromise numerous downstream developers who rely on the affected Ant Design (AntV) npm packages. Successful exploitation could lead to widespread credential theft, allowing attackers to pivot to other systems and resources. 
Remote code execution could grant attackers persistent access to developer environments, enabling further malicious activities, including supply chain attacks on other projects.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePin dependencies with a committed lockfile and install with npm ci so the recorded integrity hashes are enforced; then review every lockfile diff for unexpected version bumps, newly added dependencies, integrity changes at an unchanged version, or tarballs resolved outside the registry, any of which could indicate a compromised package (review file_event logs for npm package directories on developer and build hosts).\u003c/li\u003e\n\u003cli\u003eRequire multi-factor authentication (MFA) for all npm maintainer accounts, issue granular access tokens with the narrowest publish scope needed, and rotate any token that may have been exposed on a compromised developer machine.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious network connections originating from npm-related processes (npm, npx, and node running lifecycle scripts); an install has no legitimate reason to reach hosts other than the package registry and any configured mirrors or git sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T17:17:55Z","date_published":"2026-05-19T17:17:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-shai-hulud-returns/","summary":"The Shai-Hulud campaign is back and targets maintainer accounts to publish malicious code directly into the software supply chain via npm, recently hitting the Ant Design (AntV) ecosystem and potentially exposing downstream developers to credential theft and remote code execution.","title":"Shai-Hulud Campaign Returns Targeting npm Maintainer Accounts","url":"https://feed.craftedsignal.io/briefs/2026-05-shai-hulud-returns/"}],"language":"en","title":"CraftedSignal Threat Feed — Shai-Hulud","version":"https://jsonfeed.org/version/1.1"}
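The first recommendation above (review lockfile changes for unexpected version bumps, new dependencies, or changed hashes) is easier to act on with a concrete diff. The script below is an added example, not CraftedSignal's or npm's own code: it compares two package-lock.json documents in the lockfileVersion 2/3 "packages" layout and ranks the findings a reviewer should look at before merging a dependency bump. The package names, hashes, and URLs are constructed for the example, and the check relies on the hasInstallScript field that npm writes into the lockfile for packages with lifecycle scripts.

```javascript
'use strict';
// Added example, not CraftedSignal's or npm's own code. Diffs two
// package-lock.json objects (lockfileVersion 2/3 "packages" map) and flags the
// changes a reviewer should inspect before merging a dependency bump.
// Package names, hashes and URLs below are constructed for the example.

const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns an array of {severity, package, reason} findings, highest risk first.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const findings = [];
  const add = (severity, key, reason) =>
    findings.push({ severity, package: packageName(key), reason });

  for (const [key, entry] of Object.entries(newPkgs)) {
    if (key === '') continue; // root project entry, not a dependency
    const prev = oldPkgs[key];
    if (!prev) {
      add('medium', key, `new dependency ${entry.version}`);
    } else if (prev.version !== entry.version) {
      add('low', key, `version ${prev.version} -> ${entry.version}`);
    } else if (prev.integrity !== entry.integrity) {
      // Same version, different tarball hash: the registry does not allow
      // republishing a version, so this is a different artifact than the one
      // previously reviewed (or a different source for it).
      add('high', key, 'integrity changed without a version change');
    }
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      add('high', key, `resolved from ${entry.resolved}`);
    }
    if (entry.hasInstallScript && !(prev && prev.hasInstallScript)) {
      // A lifecycle script appearing in a bump is where install-time
      // credential theft typically hides.
      add('high', key, 'install script newly present');
    }
  }
  for (const key of Object.keys(oldPkgs)) {
    if (key !== '' && !(key in newPkgs)) add('info', key, 'dependency removed');
  }
  const rank = { high: 0, medium: 1, low: 2, info: 3 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample lockfiles with fictitious packages.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@example/chart-lib': { version: '5.2.0',
    resolved: 'https://registry.npmjs.org/@example/chart-lib/-/chart-lib-5.2.0.tgz',
    integrity: 'sha512-AAAA' },
  'node_modules/@example/util': { version: '1.0.0',
    resolved: 'https://registry.npmjs.org/@example/util/-/util-1.0.0.tgz',
    integrity: 'sha512-BBBB' },
  'node_modules/left-thing': { version: '2.0.0',
    resolved: 'https://registry.npmjs.org/left-thing/-/left-thing-2.0.0.tgz',
    integrity: 'sha512-CCCC' },
} };

const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@example/chart-lib': { version: '5.2.1',
    resolved: 'https://registry.npmjs.org/@example/chart-lib/-/chart-lib-5.2.1.tgz',
    integrity: 'sha512-DDDD', hasInstallScript: true },
  'node_modules/@example/util': { version: '1.0.0',
    resolved: 'https://registry.npmjs.org/@example/util/-/util-1.0.0.tgz',
    integrity: 'sha512-EEEE' },
  'node_modules/@example/telemetry': { version: '0.1.0',
    resolved: 'https://cdn.example.net/telemetry-0.1.0.tgz',
    integrity: 'sha512-FFFF' },
} };

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of diffLockfiles(OLD_LOCK, NEW_LOCK)) {
    console.log(`[${f.severity}] ${f.package}: ${f.reason}`);
  }
}
```

In a CI job the two inputs would be the lockfile from the base branch and from the pull request (read with JSON.parse); a high finding should block the merge until someone has looked at the published tarball, since a version bump alone tells you nothing about what the maintainer's account actually published.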
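The third recommendation refers to a Sigma rule that is not reproduced in this brief. The block below is an added example, not the feed's rule and not CraftedSignal's code: it applies the logic such a rule would express (a network connection from an npm-related process to a host outside the registry allowlist) to constructed Sysmon-style network events, so the tuning decisions are visible. Field names follow Sysmon event ID 3 (Image, DestinationHostname, DestinationIp, DestinationPort) and the allowlist is an assumption that any real deployment must extend with its own registry mirrors.

```javascript
'use strict';
// Added example, not CraftedSignal's code and not the Sigma rule the brief
// refers to. Flags network connections from npm-related processes to hosts
// outside a registry allowlist, over constructed Sysmon-style events.

const NPM_PROCESSES = new Set(['node', 'node.exe', 'npm', 'npm.cmd', 'npx', 'npx.cmd']);

// Assumed allowlist: the public registry plus GitHub for git dependencies.
// Internal mirrors (Artifactory, Verdaccio, ...) must be added per site.
const DEFAULT_ALLOWLIST = [
  'registry.npmjs.org', 'registry.yarnpkg.com', 'github.com', 'codeload.github.com',
];

// Last path component, lower-cased, for both / and \ separators.
function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

function isLoopback(host) {
  return host === 'localhost' || host === '::1' || host.startsWith('127.');
}

// Returns the events that warrant an alert, each annotated with a reason.
function flagNpmNetworkEvents(events, allowlist = DEFAULT_ALLOWLIST) {
  const allowed = new Set(allowlist);
  const hits = [];
  for (const ev of events) {
    if (!NPM_PROCESSES.has(baseName(ev.Image))) continue;
    // A raw IP with no hostname is itself a signal: registries are reached by name.
    const host = ev.DestinationHostname || ev.DestinationIp || 'unknown';
    // Local dev servers and test harnesses talk to loopback constantly.
    if (isLoopback(host) || allowed.has(host)) continue;
    hits.push({
      ...ev,
      reason: `${baseName(ev.Image)} connected to ${host}:${ev.DestinationPort} outside the registry allowlist`,
    });
  }
  return hits;
}

// Constructed events; hosts and paths are fictitious.
const SAMPLE_EVENTS = [
  { UtcTime: '2026-05-19 10:01:02', Image: '/usr/bin/node', CommandLine: 'npm install',
    ParentImage: '/bin/bash', DestinationHostname: 'registry.npmjs.org', DestinationPort: 443 },
  { UtcTime: '2026-05-19 10:01:09', Image: '/usr/bin/node',
    CommandLine: 'node /home/dev/app/node_modules/@example/chart-lib/scripts/postinstall.js',
    ParentImage: '/usr/bin/node', DestinationHostname: 'api.paste.example.net', DestinationPort: 443 },
  { UtcTime: '2026-05-19 10:02:00', Image: '/usr/bin/node', CommandLine: 'node server.js',
    ParentImage: '/bin/bash', DestinationHostname: 'localhost', DestinationPort: 3000 },
  { UtcTime: '2026-05-19 10:02:30', Image: '/usr/bin/python3', CommandLine: 'pip install requests',
    ParentImage: '/bin/bash', DestinationHostname: 'pypi.org', DestinationPort: 443 },
  { UtcTime: '2026-05-19 10:03:11', Image: 'C:\\Program Files\\nodejs\\node.exe',
    CommandLine: 'node C:\\build\\node_modules\\@example\\chart-lib\\scripts\\postinstall.js',
    ParentImage: 'C:\\Program Files\\nodejs\\node.exe', DestinationIp: '203.0.113.7', DestinationPort: 8443 },
  { UtcTime: '2026-05-19 10:04:00', Image: '/usr/bin/node', CommandLine: 'npm install',
    ParentImage: '/bin/bash', DestinationHostname: 'github.com', DestinationPort: 443 },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of flagNpmNetworkEvents(SAMPLE_EVENTS)) {
    console.log(`${hit.UtcTime} ${hit.reason} (${hit.CommandLine})`);
  }
}
```

The two events that fire are a postinstall script phoning out during an install and a node process reaching a raw IP on a non-standard port; both are what credential exfiltration from a backdoored package looks like at the network layer. The false-positive budget lives in the allowlist: add internal mirrors before deploying, and be deliberate about whether developer-run application servers (node talking to real backends) should be scoped out by parent process rather than by host.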