AWS GovCloud administrative credentials exposed via contractor-managed public GitHub repository

The Mini Shai-Hulud supply chain campaign escalated with a new wave of over 600 compromised npm packages—primarily in the @antv ecosystem but also affecting widely used libraries like echarts-for-react and timeago.js—deploying a heavily obfuscated credential-stealing payload targeting developer workstations and CI/CD environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, Netlify). The malware harvests and exfiltrates credentials (GitHub, npm, cloud providers, Kubernetes, Vault, Docker, database, SSH) using AES-256-GCM and RSA-OAEP encryption, with fallback exfiltration to GitHub repositories under victim accounts. A critical advance in this variant is its abuse of OIDC tokens from compromised CI environments to forge valid Sigstore provenance attestations via Fulcio and Reko, enabling malicious packages to bypass standard provenance verification despite containing the credential-stealer. The self-propagation mechanism validates stolen npm tokens, enumerates victim packages, injects the payload, and republishes infected versions with incremented numbers. Researchers observed 639 malicious versions across 323 packages in one hour, with over 2,700 rogue repositories created using stolen tokens. This development follows prior compromises of TanStack, Mistral AI, OpenAI, PyPI packages (Lightning, intercom-client), and GitHub Actions workflows ('actions-cool/issues-helper', 'actions-cool/maintain-one-comment'), reflecting the campaign's continued evolution and cross-platform reach. The campaign originated with the public release of the Shai-Hulud source code by TeamPCP, enabling rapid cloning and weaponization into variants such as 'chalk-tempalte', '@deadcode09284814/axios-util', 'axois-utils', and 'color-style-utils'. These earlier variants combined credential theft with additional threats like the 'Phantom Bot' DDoS botnet and leveraged developer tooling (VS Code, Claude Code) and CI/CD pipelines for persistence and propagation. Victims include OpenAI (two employee devices breached via TanStack), Mistral AI (trojanized SDKs released), SAP (four npm packages compromised), PyPI (Lightning 2.6.2/2.6.3, intercom-client 7.0.4), UiPath, Guardrails AI, OpenSearch, and hundreds of npm packages across multiple ecosystems. The malware's destructive sabotage component targets systems in Israel or Iran, activating a 1-in-6 probability payload that plays maximum-volume audio before deleting files. Attackers have established over 2,200 GitHub repositories marked with the campaign's exfiltration signature ('Shai-Hulud: Here We Go Again'), underscoring the scale and persistence of this multi-vector, multi-ecosystem intrusion set.

Attackers compromised two official Trivy-related GitHub Actions repositories—aquasecurity/trivy-action and aquasecurity/setup-trivy—and backdoored Trivy v0.69.4 releases, distributing a Python-based infostealer that harvests wide-ranging CI/CD and developer secrets. The payload executes in GitHub Actions runners and Trivy binaries, remaining active for up to 12 hours in Actions tags and three hours in the malicious release. The actors leveraged compromised credentials from a prior March incident and added persistence via systemd services, while also linking to a follow-up npm campaign using the CanisterWorm self-propagating worm. The incident traces to a credential compromise initially disclosed in early March 2026, which was not fully contained and enabled subsequent tag and release manipulations. Safe releases are now available and mitigation includes pinning Actions to full SHA hashes, blocking exfiltration endpoints, and rotating all affected secrets.

DevOps environments face significant security risks due to the complexity and criticality of the data managed in Git-based platforms. The shared responsibility model places the burden of data security on users, requiring strict access controls, credential protection, and automated backups. Each platform offers different security features, and common vulnerabilities include weak access control, outdated systems, and lack of disaster recovery strategies. Recent attacks, such as the supply-chain attack on GitHub Actions, highlight the importance of addressing these risks proactively.

The GhostAction supply chain attack compromised 3,325 secrets from GitHub repositories. The attack, discovered by GitGuardian on September 2, 2025, involved malicious commits to GitHub Actions workflows that exfiltrated secrets to an external domain. The first signs of compromise were detected in the FastUUID project. The attack affected at least 817 repositories and targeted multiple package ecosystems, including PyPI, npm, DockerHub, and AWS keys. The exfiltration endpoint was taken down shortly after the campaign's discovery. The compromised secrets included PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials. The attack impacted at least nine npm and 15 PyPI packages, potentially allowing for the release of malicious or trojanized versions. The Python Software Foundation invalidated all PyPI tokens stolen in the attack, confirming that the threat actors did not abuse them to publish malware. GitGuardian notified the security teams of GitHub, npm, and PyPI and opened issues in 573 impacted repositories. A hundred repositories had already detected and reverted the malicious changes before the full scope of the campaign was uncovered. GitGuardian notified PyPI on September 5, 2025, but the email ended up in the spam folder, delaying the response until September 10, 2025. PyPI advised maintainers to replace long-lived tokens with short-lived Trusted Publishers tokens and review their security history for any suspicious activity.

The **UNC6426** threat actor has weaponized credentials stolen during the August 2025 **nx npm supply-chain attack** to execute a rapid cloud breach, escalating from a compromised GitHub token to **full AWS administrator access in under 72 hours**. By abusing GitHub-to-AWS OpenID Connect (OIDC) trust, the attacker deployed a new IAM role with `AdministratorAccess`, exfiltrated S3 bucket data, terminated production EC2/RDS instances, and **publicly exposed the victim’s private repositories** under the `/s1ngularity-repository-[randomcharacters]` naming scheme. This follows the broader *Shai-Hulud* and *SANDWORM_MODE* campaigns, which collectively compromised **over 400,000 secrets** via trojanized npm packages, GitHub Actions abuse, and AI-assisted credential harvesting (e.g., QUIETVAULT malware leveraging LLM tools). The attack chain began with the **Pwn Request** exploitation of a vulnerable `pull_request_target` workflow in nx, leading to trojanized package publication and theft of GitHub Personal Access Tokens (PATs). UNC6426 later used tools like **Nord Stream** to extract CI/CD secrets, highlighting the risks of **overprivileged OIDC roles** and **standing cloud permissions**. Researchers warn of escalating supply chain risks, including **self-propagating worms** (Shai-Hulud), **PackageGate vulnerabilities** bypassing npm defenses, and **AI-assisted prompt injection** targeting developer workflows. Mitigations include disabling postinstall scripts, enforcing least-privilege access, and rotating all credentials tied to npm, GitHub, and cloud providers.