Shai-Hulud
MITRE, Other
[Shai-Hulud](https://attack.mitre.org/software/S9008) is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, [Shai-Hulud](https://attack.mitre.org/software/S9008) steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows. (Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Microsoft Shai-Hulud December 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025)(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)
Associated Techniques (33)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1027 | Obfuscated Files or Information | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1036.009 | Break Process Trees | - |
| T1041 | Exfiltration Over C2 Channel | - |
| T1059.001 | PowerShell | - |
| T1059.004 | Unix Shell | - |
| T1059.007 | JavaScript | - |
| T1071.001 | Web Protocols | - |
| T1078.004 | Cloud Accounts | - |
| T1082 | System Information Discovery | - |
| T1098 | Account Manipulation | - |
| T1105 | Ingress Tool Transfer | - |
| T1119 | Automated Collection | - |
| T1195.001 | Compromise Software Dependencies and Development Tools | - |
| T1213.003 | Code Repositories | - |
Metadata
| ID: | 164697 |
| Created: | 28/04/2026 16:00 |
| Updated: | 10/05/2026 16:00 |