
Shai-Hulud Payload Steals GitHub, npm, Cloud, CI/CD, and SSH Credentials From Developers


A new wave of malicious npm packages is targeting developers who work with cloud and serverless infrastructure.

The threat, known as the Shai-Hulud payload carrying the Hades malware family, has now expanded its reach to the Leo/RStreams ecosystem, a set of libraries widely used for AWS-native event streaming and data pipelines.

Security teams are raising the alarm as the attack quietly steals sensitive developer credentials the moment a package is installed.

What makes this campaign especially dangerous is how deep it digs. When a developer installs one of the affected packages, the payload begins collecting credentials stored across files, environment variables, shell history, GitHub CLI tokens, cloud access keys, and CI/CD pipeline secrets.

It works silently in the background and sends everything it finds to attacker-controlled GitHub repositories.

The scale of exposure is hard to ignore. The affected packages recorded roughly 45,000 downloads in a single month, meaning thousands of developers may have already been affected without knowing it.

Analysts at JFrog Security Research identified the new wave and published their findings in a report shared with Cyber Security News (CSN).

Researcher Yair Benamou noted this is not a completely new threat but another turn of the same campaign, with the same credential theft machinery but fresh targets and updated markers.

The Leo/RStreams libraries sit at the center of cloud-native development workflows. They wrap AWS services like Kinesis, S3, Lambda, and DynamoDB, meaning any developer installing these tools is likely working in an environment rich with cloud credentials and deployment tokens.

This positioning means that a single compromised install can expose far more than just one developer’s workstation. This latest wave confirms that the Shai-Hulud operation is still active and still growing.

Rather than building new malware from scratch, the attackers are recycling a proven payload and pointing it at new, trusted package families. Defenders who rely only on old campaign names or outdated signatures are still very likely to miss it entirely.

Shai-Hulud Payload Steals GitHub, npm, Cloud, CI/CD, and SSH Credentials

The malicious packages use a clever delivery trick that helps them slip past basic security scanners. Instead of placing harmful code inside the standard npm install scripts that most tools check, the attacker hides execution inside a file called binding.gyp.

Hundreds of public repositories using this new description string (Source – JFrog)

When npm finds a package with this file and no explicit install script, it automatically runs node-gyp, which processes shell commands embedded inside that file. This gives the attacker a way to run code during installation while staying off the radar.

Once running, the payload collects credentials from a wide range of sources on the developer’s machine. It targets GitHub tokens, npm and PyPI publishing credentials, AWS access keys, JFrog and Artifactory tokens, and SSH keys.

Any stolen data is packaged into encrypted files and exfiltrated by creating repositories under a stolen GitHub token and committing the results there, a technique known as a GitHub dead drop.

Persistence and Lateral Movement Tactics

The payload does not stop at stealing credentials during installation. It plants several persistence hooks to keep running long after the initial install.

It sets itself up as a systemd service on Linux or a LaunchAgent on macOS, while also hooking into AI development tools by modifying configuration files for tools like Cursor, Copilot, and Gemini.

SSH keys found on the compromised machine are used to attempt lateral movement into other systems the developer has access to. The payload also injects itself into GitHub Actions workflows to dump pipeline secrets.

A single infected install on one machine could ripple outward into team repositories, cloud accounts, and production pipelines.

JFrog recommends isolating affected machines and CI runners before rotating any credentials. All persistence artifacts, including the monitor service, AI-tool hooks, and suspicious workflow files, must be removed first.

After cleanup, all GitHub, npm, cloud, SSH, Docker, and package registry credentials should be rotated. GitHub and npm accounts should also be audited for unexpected repositories, package releases, or suspicious workflow changes.

Indicators of Compromise (IoCs):

Malicious npm Package Versions

| Type | Indicator | Description |
|---|---|---|
| npm Package | leo-auth v4.0.6 | Hijacked Leo/RStreams package (XRAY-1009715) |
| npm Package | leo-aws v2.0.4 | Hijacked Leo/RStreams package (XRAY-1009716) |
| npm Package | leo-cache v1.0.2 | Hijacked Leo/RStreams package (XRAY-1009726) |
| npm Package | leo-cdk-lib v0.0.2 | Hijacked Leo/RStreams package (XRAY-1009721) |
| npm Package | leo-cli v3.0.3 | Hijacked Leo/RStreams package (XRAY-1009724) |
| npm Package | leo-config v1.1.1 | Hijacked Leo/RStreams package (XRAY-1009720) |
| npm Package | leo-connector-elasticsearch v2.0.6 | Hijacked Leo/RStreams package (XRAY-1009713) |
| npm Package | leo-connector-mongo v3.0.8 | Hijacked Leo/RStreams package (XRAY-1009714) |
| npm Package | leo-connector-mysql v3.0.3 | Hijacked Leo/RStreams package (XRAY-1009729) |
| npm Package | leo-connector-oracle v2.0.1 | Hijacked Leo/RStreams package (XRAY-1009718) |
| npm Package | leo-connector-redshift v3.0.6 | Hijacked Leo/RStreams package (XRAY-1009725) |
| npm Package | leo-cron v2.0.2 | Hijacked Leo/RStreams package (XRAY-1009723) |
| npm Package | leo-logger v1.0.8 | Hijacked Leo/RStreams package (XRAY-1009727) |
| npm Package | leo-sdk v6.0.19 | Hijacked Leo/RStreams package (XRAY-1009717) |
| npm Package | leo-streams v2.0.1 | Hijacked Leo/RStreams package (XRAY-1009728) |
| npm Package | rstreams-metrics v2.0.2 | Hijacked Leo/RStreams package (XRAY-1009731) |
| npm Package | rstreams-shard-util v1.0.1 | Hijacked Leo/RStreams package (XRAY-1009732) |
| npm Package | serverless-convention v2.0.4 | Hijacked Leo/RStreams package (XRAY-1009719) |
| npm Package | serverless-leo v3.0.14 | Hijacked Leo/RStreams package (XRAY-1009730) |
| npm Package | solo-nav v1.0.1 | Hijacked Leo/RStreams package (XRAY-1009722) |

Network and Service Indicators

| Type | Indicator | Description |
|---|---|---|
| URL | hxxps[:]//api[.]anthropic[.]com/v1/api | Anthropic API camouflage used for payload communication |
| URL | hxxps[:]//api[.]github[.]com | GitHub API used for dead-drop exfiltration |
| URL | hxxps[:]//api[.]github[.]com/search/commits?q=firedalazher | GitHub commit search endpoint used in campaign tracking |
| URL | hxxps[:]//github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/ | Bun runtime download used by payload |
| URL | hxxps[:]//github[.]com/oven-sh/bun/releases/download/bun-v1.3.14/ | Bun runtime download used by payload |

Host and Persistence Indicators

| Type | Indicator | Description |
|---|---|---|
| File Path | /tmp/p*.js | Temporary payload script |
| File Path | /tmp/b-/bun | Bun runtime binary dropped in temp |
| File Path | /tmp/b-/b.zip | Bun runtime archive in temp |
| File Path | ~/.config/gh-token-monitor/ | Persistence config directory |
| File Path | ~/.config/gh-token-monitor/token | Stored token file for monitor service |
| File Path | ~/.config/gh-token-monitor/handler | Handler script for monitor service |
| File Path | ~/.local/bin/gh-token-monitor.sh | Monitor shell script |
| File Path | ~/.config/systemd/user/gh-token-monitor.service | Linux systemd persistence service |
| File Path | ~/Library/LaunchAgents/com.user.gh-token-monitor.plist | macOS LaunchAgent persistence |
| File Path | ~/.local/share/updater/update.py | Python updater persistence script |
| File Path | ~/.local/share/updater/update-monitor.service | Updater systemd service |
| File Path | ~/.config/index.js | Payload config index |
| File Name | ai_setup.sh | AI tool setup hook script |
| File Name | ai_init.js | AI tool initialization hook script |
| File Path | results/results-.json | Exfiltrated credential result files |

Repository and Workflow Indicators

| Type | Indicator | Description |
|---|---|---|
| Campaign Marker | Alright Lets See If This Works | Current wave public repository description marker |
| Token String | RevokeAndItGoesKaboom | Current token relay marker string |
| Token String | TheBeautifulSandsOfTime | Alternate campaign marker string |
| Token String | thebeautifulmarchofftime | Alternate campaign marker string |
| Env Variable | SEED_PAT | GitHub PAT used in gated seeder path |
| Env Variable | VARIABLE_STORE | Variable storage environment reference |
| File Name | format-results.txt | Credential formatting output file |
| AI Config | .cursor/rules/setup.mdc | Cursor AI rules hook |
| AI Config | .gemini/settings.json | Gemini AI settings hook |
| AI Config | .cursorrules | Cursor rules persistence file |
| AI Config | .windsurfrules | Windsurf rules persistence file |
| AI Config | .github/copilot-instructions.md | Copilot instructions persistence file |
| AI Config | mcp.json | MCP configuration hook |
| AI Config | .aider.conf.yml | Aider AI configuration hook |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post Shai-Hulud Payload Steals GitHub, npm, Cloud, CI/CD, and SSH Credentials From Developers appeared first on Cyber Security News.

Source: cybersecuritynews.com
