Shai-Hulud

A JavaScript-based worm that propagates through GitHub repositories and exfiltrates tokens and other credentials.

Indicators of Compromise

YARA Detection Rules

Shai_Hulud_YARA_Detection
rule Shai_Hulud_Detection {
    meta:
        description = "Detects malicious Jackson JSON lookalike library associated with Shai-Hulud supply chain attacks targeting Maven dependencies"
        author = "AI Generated"

    strings:
        // Maven coordinates of the lookalike artifact (case-insensitive)
        $maven_pom_ref = /<artifactId>jackson-json<\/artifactId>/i
        $maven_group_ref = /<groupId>com\.fasterxml\.jackson\.core<\/groupId>/i
        // Direct name reference to the malicious class
        $malicious_class_ref = "ShaiHulud" wide ascii
        // Payload delivery, command execution and HTTP client markers
        $payload_delivery = "Cobalt Strike" wide ascii
        $suspicious_exec = "Runtime.getRuntime().exec" wide ascii
        $http_client_usage = "org.apache.http.client.HttpClient" wide ascii
        // Long base64 run (40+ characters) and a beacon configuration marker
        $base64_payload = /(?:[A-Za-z0-9+\/]{4}){10,}={0,2}/ wide ascii
        $beacon_config = "C2Config" wide ascii

    condition:
        // Both Maven coordinates must be present, plus one of three indicator groups
        $maven_pom_ref and $maven_group_ref and
        ( $malicious_class_ref or
          ( $payload_delivery and $suspicious_exec and $http_client_usage ) or
          ( $base64_payload and $beacon_config ) )
}

Rules are AI-generated and unvalidated. Test in a safe environment before production use.