AWS Crypto Mining Campaign Exploits Compromised IAM Credentials

In Q3 2025, 44% of true-positive cloud attack alerts were traced to identity-related weaknesses. These include excessive permissions, misconfigured roles, and credential abuse. Cloud keys and credentials are often stored insecurely, leading to phishing or infostealer malware. Attackers exploit these vulnerabilities to escalate access and evade detection. Poor DevOps practices also contribute to the systematic redeployment of legacy vulnerabilities, exacerbating the issue. Organizations must address these identity and DevOps security gaps to mitigate cloud risks.

The TruffleNet attack campaign leverages stolen credentials to target AWS environments, particularly Amazon's Simple Email Service (SES). The campaign uses the open-source scanning tool TruffleHog and exploits legitimate tools like Portainer to perform reconnaissance and execute downstream business email compromise (BEC) attacks. The campaign involved over 800 unique hosts across 57 distinct Class C networks. Attackers use legitimate AWS APIs to test stolen credentials and perform reconnaissance. The campaign also includes BEC attacks targeting the oil and gas sector, using compromised WordPress sites to establish sending identities.

Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.

The Shai-Hulud worm, a self-replicating malware, has compromised at least 187 npm packages, affecting multiple maintainers. The attack uses a self-propagating mechanism to infect other packages by the same maintainer, modifying package.json, injecting a bundle.js script, repacking the archive, and republishing it. The malware uses TruffleHog to search the host for tokens and cloud credentials, creating unauthorized GitHub Actions workflows within repositories and exfiltrating sensitive data to a hardcoded webhook endpoint. The attack is named 'Shai-Hulud' after the shai-hulud.yaml workflow files used by the malware and follows the 's1ngularity' attack, potentially orchestrated by the same attackers. The attack unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools like Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning the prompts for better success. A second wave of attacks, dubbed Sha1-Hulud, has compromised hundreds of npm packages. This new campaign introduces a variant that executes malicious code during the preinstall phase, increasing potential exposure in build and runtime environments. The attackers add a preinstall script (setup_bun.js) in the package.json file, which installs or locates the Bun runtime and runs a bundled malicious script (bun_environment.js). The malicious payload registers the infected machine as a self-hosted runner named SHA1HULUD and adds a workflow called .github/workflows/discussion.yaml. The malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables. Wiz researchers identified over 25,000 affected repositories across about 350 unique users, with 1,000 new repositories being added consistently every 30 minutes in the last couple of hours. The second wave is more aggressive, with the malware attempting to destroy the victim's entire home directory if it fails to authenticate or establish persistence. The wiper-like functionality is triggered only if the malware cannot authenticate to GitHub, create a GitHub repository, fetch a GitHub token, or find an npm token. Organizations are urged to scan all endpoints for impacted packages, remove compromised versions, rotate all credentials, and audit repositories for persistence mechanisms. The new Shai-Hulud worm targets popular projects like Zapier and PostHog. The new version can infect up to 100 npm packages, compared to 20 in the previous version. The malware has an unusual structure, split into two files to evade detection. The first file checks for and installs a non-standard 'bun' JavaScript runtime, while the second file is a massive malicious source file that publishes stolen data to .json files in a randomly named GitHub repository. The size and structure of the file confuse AI analysis tools, causing inconsistent analysis results. The worm is scaling rapidly, with 1000 new repositories discovered every 30 minutes. The worm poses a significant risk to the software industry and end users, potentially leading to data breaches, ransomware footholds, and a loss of trust in the npm ecosystem. The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. A Maven Central package named org.mvnpm:posthog-node:4.18.1 was identified to embed the same two components associated with Sha1-Hulud: the 'setup_bun.js' loader and the main payload 'bun_environment.js'. The Maven Central package is not published by PostHog itself but is generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. The 'second coming' of the supply chain incident has targeted developers globally to steal sensitive data like API keys, cloud credentials, and npm and GitHub tokens. The latest iteration of the attack is more stealthy, aggressive, scalable, and destructive. The attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their own machines and scans for secrets and exfiltrates them to GitHub repositories using the stolen tokens. The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened. A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident. This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages. It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one. The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. The self-replication nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time. Further analysis by Aikido has uncovered that the threat actors exploited vulnerabilities, specifically focusing on CI misconfigurations in pull_request_target and workflow_run workflows, in existing GitHub Actions workflows to pull off the attack. The vulnerability used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run. A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day. It's assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm. As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year. This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation. Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files were uploaded to GitHub with the exfiltrated secrets. GitGuardian's analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, out of which 2,298 remained valid and publicly exposed as of November 24, 2025. Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break. A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours. The techniques attackers are using are constantly evolving. Most of these attacks don't rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed. The Shai-Hulud worm dynamically installs Bun during package installation to evade traditional defenses tuned specifically to observe Node.js behavior. GitGuardian's analysis revealed a total of 294,842 secret occurrences, which correspond to 33,185 unique secrets. Of these, 3,760 were valid as of November 27, 2025. The stolen secrets included GitHub access tokens, Slack webhook URLs, GitHub OAuth tokens, AWS IAM keys, OpenAI Project API keys, Slack bot tokens, Claude API keys, Google API Keys, and GitLab tokens. Trigger.dev suffered credential theft and unauthorized access to its GitHub organization due to the Shai-Hulud worm. The Python Package Index (PyPI) repository was not impacted by the supply chain incident. The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM registry and publishing stolen data in 30,000 GitHub repositories. Although just about 10,000 of the exposed secrets were verified as valid by the open-source TruffleHog scanning tool, researchers at cloud security platform Wiz say that more than 60% of the leaked NPM tokens were still valid as of December 1st. The Shai-Hulud threat emerged in mid-September, compromising 187 NPM packages with a self-propagating payload that identified account tokens using TruffleHog, injected a malicious script into the packages, and automatically published them on the platform. In the second attack, the malware impacted over 800 packages (counting all infected versions of a package) and included a destructive mechanism that wiped the victim’s home directory if certain conditions were met. The malware used TruffleHog without the 'only-verified' flag, meaning that the 400,000 exposed secrets match a known format and may not be valid or usable anymore. Analysis of 24,000 environment.json files showed that roughly half of them were unique, with 23% corresponding to developer machines, and the rest coming from CI/CD runners and similar infrastructure. Most of the infected machines, 87% of them, are Linux systems, while most infections (76%) were on containers. Regarding the CI/CD platform distribution, GitHub Actions led by far, followed by Jenkins, GitLab CI, and AWS CodeBuild. The top package was @postman/[email protected], followed by @asyncapi/[email protected]. These two packages together accounted for more than 60% of all the infections. Wiz believes that the perpetrators behind Shai-Hulud will continue to refine and evolve their techniques, and predicts that more attack waves will emerge in the near future, potentially leveraging the massive credential trove harvested so far.

The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat group ShinyHunters and Scattered Spider claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments. UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.