Security Articles

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

Released on 2025-11-27 @ 02:13:08 PM

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware targets AWS, GCP, and Azure credentials, as well as NPM tokens and GitHub authentication. It creates malicious GitHub Actions workflows for command-and-control and secret exfiltration. The campaign also leverages cloud secret management services and implements destructive failsafes. Its sophisticated tactics allow for stealthy compromise of developer ecosystems, potentially impacting thousands of downstream users.