Supply Chain Alert: Shai-Hulud/Hades Malware Targets Leo/RStreams Ecosystem
A sophisticated supply-chain attack has been identified targeting the Leo/RStreams ecosystem, an AWS-native event streaming SDK frequently utilized in Kinesis, Firehose, Lambda, and S3-based data pipelines. The attack, attributed to the Shai-Hulud/Hades malware family, has successfully compromised 20 distinct npm packages.
While these malicious releases do not represent a radical departure from the architectural patterns seen in previous Hades or Miasma variants, they signify a high level of operational maturity. The campaign utilizes refined credential-harvesting mechanisms and updated propagation logic, alongside a new “operator-seeding” feature designed for controlled bootstrapping.
The choice of targets is particularly strategic. Leo/RStreams packages occupy a critical position within cloud-native architectures. These libraries are often executed in high-privilege environments, including developer workstations, CI/CD runners, and automated deployment pipelines. In these contexts, an npm install command may inadvertently grant the malware access to sensitive AWS keys, GitHub tokens, npm publish credentials, and other vital application secrets.
According to JFrog Security Research, the affected packages saw approximately 45,000 downloads in the month preceding analysis, highlighting the significant potential blast radius of this compromise.
Technical Analysis: Evasive Execution via binding.gyp
The attackers are leveraging a clever, evasive delivery vector: binding.gyp-based execution. In standard npm workflows, if a package includes a binding.gyp file without an explicit install script in package.json, the system falls back to node-gyp rebuild. The attackers exploit this by embedding malicious shell expressions—such as node index.js—directly within the binding.gyp sources entry.
This technique allows the payload to execute during the native module build process, effectively bypassing security scanners that focus primarily on inspecting the lifecycle scripts within package.json.
Once the payload triggers, it follows the established Shai-Hulud lineage of data exfiltration. It performs a comprehensive sweep of the host environment, targeting:
- Environment variables and shell histories
- Local files containing credentials
- GitHub CLI tokens
- Cloud provider credential files
- Package manager authentication tokens
Persistence and Exfiltration Tactics
The malware utilizes a “dead-drop” exfiltration method via GitHub. By leveraging any discovered valid token, the payload creates new repositories and commits encrypted data blobs into a results/ directory. This allows the attackers to use legitimate GitHub infrastructure to mask their command-and-control (C2) traffic.
Beyond initial theft, the malware implements robust persistence and lateral movement capabilities across multiple ecosystems, including npm, PyPI, RubyGems, and GitHub Actions. Notable components include:
- Lateral Movement Helpers: Scripts such as
ai_setup.shandai_init.js. - Dead-man Switch: A
gh-token-monitorto manage token lifecycle. - Camouflage: The use of strings like
api.anthropic.com/v1/apito mislead investigators during manual code audits.
This wave also introduces subtle changes to campaign metadata. The previous dramatic nomenclature (e.g., “Miasma – The Spreading Blight”) has been replaced with a more casual repository description: “Alright Lets See If This Works.” Additionally, a new gated SEED_PAT path has been implemented, where the payload checks if the GITHUB_REPOSITORY contains the string “Seeder” before utilizing a specific token. This appears to be a mechanism for operator-controlled bootstrapping.
Incident Response and Mitigation
Defenders should recognize that the Shai-Hulud family prioritizes behavioral consistency over constant reinvention, making it a persistent threat to CI/CD integrity. To mitigate this risk, the following actions are recommended:
- Identify and Purge: Locate and remove affected package versions from lockfiles, local caches, CI logs, and container images.
- Isolate: Quarantine any CI/CD runners or workstations suspected of executing these packages.
- Sanitize: Remove persistence hooks and suspicious workflows (e.g.,
ai_setup.sh) before proceeding to credential rotation. - Audit: Review GitHub accounts for unexpected repositories or directories named
results/. - Rotate: Perform a comprehensive rotation of all GitHub, npm, and cloud provider credentials only after the environment has been confirmed clean.
Indicators of Compromise (IOCs)
| Package | Type | Xray ID | Affected Version | Downloads (Last Month) |
|---|---|---|---|---|
leo-auth |
npm | XRAY-1009715 | 4.0.6 |
1,577 |
leo-aws |
npm | XRAY-1009716 | 2.0.4 |
5,160 |
leo-cache |
npm | XRAY-1009726 | 1.0.2 |
1,049 |
leo-cdk-lib |
npm | XRAY-1009721 | 0.0.2 |
17 |
leo-cli |
npm | XRAY-1009724 | 3.0.3 |
321 |
leo-config |
npm | XRAY-1009720 | 1.1.1 |
4,967 |
leo-connector-elasticsearch |
npm | XRAY-1009713 | 2.0.6 |
2,014 |
leo-connector-mongo |
npm | XRAY-1009714 | 3.0.8 |
1,352 |
leo-connector-mysql |
npm | XRAY-1009729 | 3.0.3 |
164 |
leo-connector-oracle |
npm | XRAY-1009718 | 2.0.1 |
72 |
leo-connector-redshift |
npm | XRAY-1009725 | 3.0.6 |
184 |
leo-cron |
npm | XRAY-1009723 | 2.0.2 |
238 |
leo-logger |
npm | XRAY-1009727 | 1.0.8 |
11,655 |
leo-sdk |
npm | XRAY-1009717 | 6.0.19 |
5,530 |
leo-streams |
npm | XRAY-1009728 | 2.0.1 |
3,761 |
rstreams-metrics |
npm | XRAY-1009731 | 2.0.2 |
1,861 |
rstreams-shard-util |
npm | XRAY-1009732 | 1.0.1 |
31 |
serverless-convention |
npm | XRAY-1009719 | 2.0.4 |
2,398 |
serverless-leo |
npm | XRAY-1009730 | 3.0.14 |
3,625 |
solo-nav |
npm | XRAY-1009722 | 1.0.1 |
7 |