The threat situation in the software supply chain is intensifying. Securing it belongs at the top of the CISO’s agenda.
Today’s applications are based on numerous components, each of which, along with the development environments themselves, represents an attack surface. Regardless of whether companies develop code in-house or rely on third-party vendors, CISOs, security experts, and developers should pay particular attention to the software supply chain.
These risks include, for example, React2Shell, Shai-Hulud, and XZ Utils — all vulnerabilities in the software supply chain that started small and later had massive repercussions. Shai-Hulud stands out in particular, signaling the end of the “passive era” of supply chain attacks and the beginning of the “active worm” era. This shift promises devastating consequences for software pipelines.
Traditionally, supply chain attacks were passive traps. An attacker would upload a misspelled package (typosquatting), such as “reqeusts” instead of “requests,” sit back, and wait for a complacent developer to make a mistake. The blast radius was linear and rather slow.
Shai-Hulud changed the rules of the game by introducing a worm-like propagation method. Once it lands on a developer’s machine, it actively collects credentials (NPM tokens, GitHub secrets). It uses these stolen credentials to automatically publish infected versions of other legitimate packages managed by the victim. Unlike spyware, which aims to remain hidden, variants of Shai-Hulud include a “dead man switch.” If it detects that it is being blocked or analyzed, it attempts to wipe the victim’s system, completely erasing all traces of itself.
The goal is no longer just the application, but the developer’s identity and the automated CI/CD pipelines that implicitly trust them. What if the next iteration of Shai-Hulud affected other coding languages?
Programming languages as ticking time bombs
One example of this is Python, the language of AI and data science. The next evolutionary stage of the supply chain worm will likely not only steal AWS keys but also leverage the rise of AI coding assistants.
Security researchers are already observing “hallucination hijacking,” in which attackers register packages whose existence AI tools falsely predict. A worm like Shai-Hulud could infect a data scientist’s laptop, scan their local LLM chat history for private package names, and automatically register malicious versions publicly. A worm in this ecosystem would not only crash a website but could also subtly poison financial models, alter medical research data, or insert backdoors into corporate AI training sets — damage that could potentially go undetected for years.
Other examples could involve the coding languages Java/JVM or Rust/Go; here too, the effects would be catastrophic.
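On the defensive side, both the typosquatting trap and the hallucinated package names described above can be caught by an automated gate that runs before anything is installed. The following is an added example, not code from the article: the allowlist, the sample manifest, the package names "acme-internal-utils" and "fastjson-helper-ai", and the distance threshold of 2 are all constructed assumptions.

```python
"""Pre-install gate: classify declared dependencies against a vetted allowlist."""
import re

# Constructed allowlist for illustration; in practice it would come from an
# internal registry or a reviewed SBOM, not from a hard-coded set.
APPROVED = {"requests", "numpy", "pandas", "urllib3", "acme-internal-utils"}

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition as one edit
    (optimal string alignment), so 'reqeusts' is 1 away from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(requirement: str, approved=APPROVED, max_dist: int = 2):
    """Return (verdict, nearest approved name or None) for one requirement line."""
    name = normalize(re.split(r"[<>=!~;\[\s]", requirement.strip(), maxsplit=1)[0])
    known = {normalize(p) for p in approved}
    if name in known:
        return ("approved", name)
    nearest = min(known, key=lambda p: (osa_distance(name, p), p))
    if osa_distance(name, nearest) <= max_dist:
        return ("possible-typosquat", nearest)  # near miss of a vetted name
    return ("unvetted", None)  # unknown name, e.g. one suggested by an AI assistant

def audit(lines):
    """Map each non-comment requirement line to its verdict."""
    reqs = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
    return {r: classify(r) for r in reqs}

# Constructed sample manifest (not real project data).
SAMPLE = ["requests==2.32.3", "reqeusts>=2.0", "Acme_Internal.Utils", "fastjson-helper-ai"]
```

A pipeline would fail the build on any verdict other than "approved" and route the entry to a human reviewer; the threshold needs tuning, because very short package names produce near misses by chance.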
The polyglot supply chain attack
The most frightening prospect, however, is the convergence of these threats in a polyglot supply chain attack. Currently, security teams operate in isolation. AppSec monitors the code, CloudSec monitors the cloud, NetworkSec monitors the perimeter. A polyglot attack is designed to seamlessly break through these silos.
This happens as follows: A worm infiltrates a frontend developer’s laptop via a low-level JavaScript dependency. It detects that the developer also has access to the company’s backend Rust repository, steals these credentials, and injects malicious build scripts into the Rust CI pipeline. The Rust pipeline then deploys a compromised binary to a Kubernetes cluster.
The attack could begin in NPM but end as a compiled binary backdoor in the production cloud infrastructure. The JavaScript security team won’t detect it because it immediately left their domain. The cloud security team would also miss the threat because it was delivered from a trusted CI pipeline using valid credentials. CISOs need to be aware of this and take appropriate precautions.
Recommendations for CISOs
The EU Cyber Resilience Act (CRA) provides recommendations for CISOs. It mandates the protection of digital products for manufacturers, importers, and distributors, encouraging them to invest in secure design during development and maintenance. The requirements outlined therein must be implemented gradually by the end of 2027, and include the security of networked hardware and software through the handling of vulnerabilities and their publication or notification to the relevant authorities. Furthermore, the three aforementioned stakeholders must also document the components of the software in software bills of materials (SBOMs).
The NIS2 Directive, which has now entered into force, contains similar requirements for operators of critical infrastructure (KRITIS) to those stipulated in the NIS2 Implementation Act (NIS2UmsuCG) and the KRITIS Umbrella Act regarding products and suppliers. OpenKRITIS provides a worthwhile overview.
To protect themselves from Shai-Hulud and similar threats, CISOs and their teams should implement the following steps:
You must end the “implicit trust” in identities. In the scenarios described earlier involving Shai-Hulud, the problem was that CI/CD systems were too often blindly trusted. Therefore, CISOs should ensure their teams critically examine their pipeline security.
CI/CD systems must not automatically assume an activity is legitimate simply because it was signed with a valid developer token. Instead, they must prioritize identity protection. Attackers have already been observed specifically stealing credentials such as NPM tokens and GitHub secrets to automatically publish infected packages. Measures to protect these identities must therefore be given top priority.
Security silos should be broken down. Many security aspects still aren’t consolidated under a single, overarching management structure. Tools and departments dedicated to application security, infrastructure security, cloud security, network security, and many others create numerous islands within the vast sea of security strategy. They all need to collaborate more closely and be coordinated by the CISO.
A key risk is the previously described polyglot supply chain attack, which seamlessly transcends these silos. Therefore, CISOs must implement cross-departmental and cross-functional monitoring. To further illustrate the danger: An attack could begin with a JavaScript file, propagate through build scripts, and ultimately result in a backdoor in the cloud. Often, there’s no integrated visibility to track this entire process. The JavaScript team might lose sight of the attack once it leaves its sphere, while the cloud team relies on the CI pipeline.
CISOs must therefore establish systems that monitor the entire path from software development to build and all the way to runtime. SBOMs, which document all software used, provide a solution.
Prepare for active worms and ensure the protection of AI tools. To mitigate AI-driven risks, it’s crucial to prevent the hijacking and manipulation of AI tools. Numerous software developers rely on these tools to write their software. Security researchers are already observing attackers using packages that cause AI tools to hallucinate.
Active worms represent the next level of threat. Therefore, security strategies should extend beyond simply protecting against typos. Threats like Shai-Hulud spread exponentially, like a worm. At this speed, manual package inspection processes are no longer sufficient.
This type of supply chain worm also features a “dead man switch” that wipes the victim’s system if an analysis is detected. CISOs should ensure that logs are secured even outside the developer’s machine to preserve traces of the attack for forensic investigations.