Concise Cyber

Shai-Hulud v2 Malware Spreads to Maven, Exposing Thousands of Developer Secrets

A sophisticated malware campaign dubbed Shai-Hulud v2 has expanded its reach from the npm JavaScript package registry to Maven Central, the primary repository for the Java ecosystem. The operation, focused on stealing sensitive developer credentials, has successfully exfiltrated thousands of secrets from compromised environments.

Security researchers identified the campaign’s cross-ecosystem jump and noted its reliance on typosquatting: malicious packages whose names differ from those of legitimate, popular libraries by a character or two were uploaded to both npm and Maven Central. Once a developer installs one of them by mistake, the malware executes its payload. On npm that can happen during the install itself, through lifecycle scripts such as preinstall or postinstall; a Maven dependency does not run code when it is resolved, only when the consuming build or application loads it, so the moment of exposure differs between the two ecosystems.

Attack Vector and Data Exfiltration

The primary function of the Shai-Hulud v2 malware is to scan the victim’s machine for configuration files known to hold credentials. It targets files such as .npmrc, which stores registry authentication tokens (the _authToken entries that let npm publish), Maven’s settings.xml under ~/.m2, whose <server> entries carry the usernames and passwords used to deploy to repositories, and .bash_history, which often retains tokens and keys that were pasted into a shell. Across these files it searches for authentication tokens, API keys, and private registry credentials.
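The files named above are worth auditing on every developer machine before an attacker reads them, if only to know which tokens need rotating. The following is an added example written for this page, not code from the article or from the campaign: it parses constructed samples of the three files (every token in them is fake), reports each credential with a redacted hint, and can be pointed at a real home directory. The ~/.m2/settings.xml location and the token formats it matches are assumptions about typical layouts, not something the article states.

```python
"""Find the credentials Shai-Hulud v2 is reported to harvest (.npmrc, Maven
settings.xml, .bash_history) before the malware does, so you know what to
rotate.  Added example; not code from the article or the campaign."""
from __future__ import annotations
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# All sample contents below are CONSTRUCTED for this example; the tokens are fake.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_AbCdEf0123456789AbCdEf0123456789AbCd
//npm.internal.example.com/:_auth=dXNlcjpwYXNzd29yZA==
always-auth=true
"""
SAMPLE_SETTINGS_XML = """\
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>ossrh</id><username>deployer</username><password>s3cretPassw0rd</password></server>
    <server><id>corp-nexus</id><username>ci</username><password>${env.NEXUS_PASSWORD}</password></server>
  </servers>
</settings>
"""
SAMPLE_BASH_HISTORY = """\
cd ~/project
export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
npm install
aws configure set aws_secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
git push
"""

@dataclass(frozen=True)
class Finding:
    source: str   # file the credential lives in
    kind: str     # what it looks like
    hint: str     # redacted prefix, safe to put in a report

def redact(value: str) -> str:
    """Keep a recognisable prefix and never the whole secret."""
    return value[:6] + "..." if len(value) > 6 else "***"

# //host/:_authToken=..., //host/:_auth=..., or a bare _authToken=... line
NPMRC_AUTH = re.compile(r"^(//[^\s]+?/:)?(?P<key>_authToken|_auth|_password)=(?P<val>\S+)$")

def scan_npmrc(text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        m = NPMRC_AUTH.match(line.strip())
        if m and not m["val"].startswith("${"):   # ${VAR} is resolved at run time, not stored
            out.append(Finding(".npmrc", m["key"], redact(m["val"])))
    return out

def scan_maven_settings(xml_text: str) -> list[Finding]:
    out = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []                                 # not XML at all; nothing to report
    # the {*} wildcard matches the SETTINGS/1.0.0 namespace and unnamespaced files alike
    for server in root.iterfind(".//{*}server"):
        sid = server.findtext("{*}id", default="?")
        pw = server.findtext("{*}password")
        if pw and not pw.startswith("${"):        # literal password, not an env-var reference
            out.append(Finding("settings.xml", f"server password ({sid})", redact(pw)))
    return out

# Most specific first; one finding per history line.
HISTORY_PATTERNS = [
    ("GitHub token",    re.compile(r"(?P<val>\bgh[pousr]_[A-Za-z0-9]{36,})")),
    ("npm token",       re.compile(r"(?P<val>\bnpm_[A-Za-z0-9]{36,})")),
    ("AWS secret key",  re.compile(r"aws_secret_access_key[=\s]+(?P<val>\S{40})")),
    ("exported secret", re.compile(r"export\s+\w*(?:TOKEN|SECRET|PASSWORD|KEY)\w*=(?P<val>\S+)")),
]

def scan_bash_history(text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        for kind, pat in HISTORY_PATTERNS:
            m = pat.search(line)
            if m:
                out.append(Finding(".bash_history", kind, redact(m["val"])))
                break
    return out

def audit_home(home: str | None = None) -> list[Finding]:
    """Run all three scanners over the real files in a home directory (paths assumed)."""
    home = home or os.path.expanduser("~")
    targets = [
        (os.path.join(home, ".npmrc"), scan_npmrc),
        (os.path.join(home, ".m2", "settings.xml"), scan_maven_settings),
        (os.path.join(home, ".bash_history"), scan_bash_history),
    ]
    findings: list[Finding] = []
    for path, scanner in targets:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scanner(fh.read()))
    return findings

if __name__ == "__main__":
    for f in (scan_npmrc(SAMPLE_NPMRC) + scan_maven_settings(SAMPLE_SETTINGS_XML)
              + scan_bash_history(SAMPLE_BASH_HISTORY)):
        print(f"{f.source:15} {f.kind:28} {f.hint}")
    print(f"real findings under $HOME: {len(audit_home())}")
```

Values written as ${...} are environment-variable references resolved at run time and are skipped. A Maven password wrapped in {...} is encrypted with the master key in ~/.m2/settings-security.xml, which sits on the same machine, so the scanner reports it as exposed. Anything it reports should be rotated rather than merely deleted, on the assumption that the copy on disk has already been read.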

Upon finding these secrets, the malware uses DNS tunneling to exfiltrate them. The stolen data is encoded (typically base32 or hex, since hostnames allow only letters, digits and hyphens) and split across the subdomain labels of queries for a domain the attacker controls. The victim’s ordinary resolver forwards each query to the attacker’s authoritative nameserver, which reassembles the data, so the victim never opens a direct connection to the attacker’s host. DNS tunneling is used to bypass egress restrictions because outbound DNS is permitted on almost every network, but it leaves a recognisable trace in resolver logs: a burst of unique, long, high-entropy subdomains under a single zone.
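To make the mechanism concrete, here is an added example written for this page, not the campaign’s code, showing both halves: how a blob of stolen bytes is encoded into queries for an attacker-controlled zone and reassembled by its authoritative server, and the check a SOC can run over resolver logs to spot that traffic. The log line format, the zone c2.example, the client address, the stand-in payload and the thresholds are all constructed for the example.

```python
"""DNS tunnelling as the article describes it, and the resolver-log check a
SOC would run to catch it.  Added example; not code from the campaign."""
from __future__ import annotations
import base64
import hashlib
import math
from collections import Counter, defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # and a whole presentation-format name at most 253

# --- the exfiltration side: how stolen bytes become DNS queries ---------------

def encode_for_dns(data: bytes, domain: str, label_len: int = 60) -> list[str]:
    """Turn `data` into query names of the form <seq>.<chunk>.<domain>.
    Base32 is the natural choice: names are case-insensitive and limited to
    letters, digits and '-', so base64 would not survive a resolver."""
    if label_len > MAX_LABEL:
        raise ValueError("label too long for DNS")
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    chunks = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    names = [f"{seq}.{chunk}.{domain}" for seq, chunk in enumerate(chunks)]
    assert all(len(n) <= MAX_NAME for n in names)
    return names

def decode_from_dns(names: list[str], domain: str) -> bytes:
    """What the attacker's authoritative server does: reassemble by sequence
    number (queries arrive out of order and resolvers retry some of them)."""
    suffix = "." + domain
    parts: dict[int, str] = {}
    for name in names:
        if name.endswith(suffix):
            seq, chunk = name[: -len(suffix)].split(".", 1)
            parts[int(seq)] = chunk            # duplicates simply overwrite
    b32 = "".join(parts[i] for i in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)               # restore the padding we stripped
    return base64.b32decode(b32)

# --- the detection side: statistics over resolver log lines -------------------

def shannon_entropy(s: str) -> float:
    """Bits per character; around 4.6 for base32 data, around 3 for ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def zone_of(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Real code should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_tunnels(log_lines: list[str], min_unique: int = 20,
                   min_label_len: int = 40, min_entropy: float = 3.5) -> list[dict]:
    """Flag (client, zone) pairs that receive many unique queries whose longest
    label is long and high-entropy: the signature of data riding in names.
    Log line format (constructed for this example): '<ts> <client> <qtype> <qname>'."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        seen[(client, zone_of(qname))].add(qname.lower())
    hits = []
    for (client, zone), names in seen.items():
        if len(names) < min_unique:
            continue
        longest = [max(n.split("."), key=len) for n in names]
        mean_len = sum(map(len, longest)) / len(longest)
        mean_ent = sum(map(shannon_entropy, longest)) / len(longest)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            hits.append({"client": client, "zone": zone, "queries": len(names),
                         "mean_label_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2),
                         "approx_bytes": sum(map(len, longest)) * 5 // 8})
    return hits

# --- constructed sample data --------------------------------------------------

# Stand-in for a harvested .npmrc/settings.xml blob: deterministic pseudo-random
# bytes, which is also what a compressed or encrypted real payload looks like.
STOLEN = b"".join(hashlib.sha256(b"harvested-%d" % i).digest() for i in range(30))

def build_sample_log() -> list[str]:
    """Benign developer traffic followed by one tunnel session. All constructed."""
    benign = ["registry.npmjs.org", "repo1.maven.org", "github.com",
              "api.github.com", "d1a2b3c4d5e6f7.cloudfront.net"]
    lines = [f"2025-11-24T10:15:{i:02d}Z 10.0.0.7 A {q}" for i, q in enumerate(benign)]
    for i, q in enumerate(encode_for_dns(STOLEN, "c2.example")):
        lines.append(f"2025-11-24T10:16:{i % 60:02d}Z 10.0.0.7 TXT {q}")
    return lines

if __name__ == "__main__":
    log = build_sample_log()
    for hit in detect_tunnels(log):
        print("possible DNS tunnel:", hit)
    tunnel_names = [l.split()[-1] for l in log if l.endswith("c2.example")]
    assert decode_from_dns(tunnel_names, "c2.example") == STOLEN
```

The rule catches volume: many unique, long, high-entropy labels under one zone from one client. Legitimate services that also encode data in names (some anti-virus reputation lookups, certain CDN and telemetry systems) trip it too, so allowlist known zones and set the thresholds against your own baseline. A low-and-slow exfiltration of a single token in a handful of queries stays below min_unique and needs per-query checks on label length and entropy instead.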

Scope of the Campaign

The campaign has demonstrated a significant impact, with analysis revealing the exposure of thousands of unique secrets. The attackers leveraged a large-scale, automated approach to publish numerous malicious packages across both package registries. This expansion from a JavaScript-centric attack to include the Java ecosystem highlights the persistent threat of software supply chain attacks targeting developers directly. The use of typosquatting remains an effective and common vector for distributing this type of information-stealing malware.

Source: https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html