Shai-Hulud
A JavaScript-based worm propagating through GitHub repositories and exfiltrating tokens and other credentials.
Indicators of Compromise

YARA Detection Rules

Shai_Hulud_YARA_Detection (yara, ai_generated)
// Note: the strings below target a Java/Maven artifact (a Jackson lookalike),
// not the npm/JavaScript worm described above. Validate against real samples before relying on it.
rule Shai_Hulud_Detection {
    meta:
        description = "Detects malicious Jackson JSON lookalike library associated with Shai-Hulud supply chain attacks targeting Maven dependencies"
        author = "AI Generated"
    strings:
        // Maven POM coordinates of the impersonated Jackson artifact
        $maven_pom_ref = /<artifactId>jackson-json<\/artifactId>/i
        $maven_group_ref = /<groupId>com\.fasterxml\.jackson\.core<\/groupId>/i
        // Class name and payload / C2 markers
        $malicious_class_ref = "ShaiHulud" wide ascii
        $payload_delivery = "Cobalt Strike" wide ascii
        $suspicious_exec = "Runtime.getRuntime().exec" wide ascii
        // Any base64 run of 40+ characters; very broad on its own, so only used together with $beacon_config
        $base64_payload = /(?:[A-Za-z0-9+\/]{4}){10,}={0,2}/ wide ascii
        $http_client_usage = "org.apache.http.client.HttpClient" wide ascii
        $beacon_config = "C2Config" wide ascii
    condition:
        $maven_pom_ref and $maven_group_ref and
        (
            $malicious_class_ref or
            ( $payload_delivery and $suspicious_exec and $http_client_usage ) or
            ( $base64_payload and $beacon_config )
        )
}

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.