{"id":59817,"date":"2025-12-09T21:41:32","date_gmt":"2025-12-09T21:41:32","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/"},"modified":"2025-12-09T21:41:32","modified_gmt":"2025-12-09T21:41:32","slug":"shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/","title":{"rendered":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack"},"content":{"rendered":"<p class=\"wp-block-paragraph\">The Shai\u2011Hulud&nbsp;2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently. Attackers maliciously modified hundreds of publicly available packages, targeting developer environments, continuous integration and continuous delivery (CI\/CD) pipelines, and cloud-connected workloads to harvest credentials and configuration secrets.<\/p>\n<p class=\"wp-block-paragraph\">The Shai\u2011Hulud&nbsp;2.0 campaign builds on earlier supply chain compromises but introduces more automation, faster propagation, and a broader target set:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Malicious code executes during the preinstall phase of infected npm packages, allowing execution before tests or security checks.<\/li>\n<li class=\"wp-block-list-item\">Attackers have compromised maintainer accounts from widely used projects (for example, Zapier, PostHog, Postman).<\/li>\n<li class=\"wp-block-list-item\">Stolen credentials are exfiltrated to public attacker-controlled repositories, which could lead to further compromise.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">This campaign illustrates the risks inherent to modern supply chains:<\/p>\n<ul 
class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Traditional network defenses are insufficient against attacks embedded in trusted package workflows.<\/li>\n<li class=\"wp-block-list-item\">Compromised credentials enable attackers to escalate privileges and move laterally across cloud workloads.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection of Microsoft Defender, which provides security coverage from code, to posture management, to runtime. This defense-in-depth approach is especially valuable when facing supply chain-driven attacks that might introduce malicious dependencies that evade traditional vulnerability assessment tools. In these scenarios, the ability to correlate telemetry across data planes, such as endpoint or container behavior and runtime anomalies, becomes essential. Leveraging these insights enables security teams to rapidly identify compromised devices, flag suspicious packages, and contain the threat before it propagates further.<\/p>\n<p class=\"wp-block-paragraph\">This blog provides a high-level overview of Shai\u2011Hulud&nbsp;2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.<\/p>\n<h2 class=\"wp-block-heading\" id=\"analyzing-the-shai-hulud-2-0-attack\">Analyzing the Shai-Hulud 2.0 attack<\/h2>\n<p class=\"wp-block-paragraph\">Multiple npm packages were compromised when threat actors added a preinstall script named <em>setup_bun.js<\/em> to the <em>package.json<\/em> of the affected packages. The <em>setup_bun.js<\/em> script checked the environment for an existing Bun runtime binary; if none was found, the script installed it. 
Bun can be used in the same way Node.js is used.<\/p>\n<p class=\"wp-block-paragraph\">The Bun runtime executed the bundled malicious script <em>bun_environment.js<\/em>. This script downloaded and installed a GitHub Actions Runner archive. It then configured a new GitHub repository and a runner agent called <em>SHA1Hulud<\/em>. Additional files were extracted from the archive, including the TruffleHog and Runner.Listener executables. TruffleHog was used to scan the system for stored credentials and retrieve stored cloud credentials.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-attack-chain.webp\" alt=\"Shai-Hulud 2.0 attack chain diagram\" class=\"wp-image-144315 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-attack-chain.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. Shai-Hulud 2.0 attack chain<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/defender-for-containers-azure-overview\">Microsoft Defender for Containers<\/a> promptly notified our customers when the campaign began through the alert <em>Suspicious usage of the shred command on hidden files detected<\/em>. This alert identified the data destruction activity carried out as part of the campaign. Additionally, we introduced a dedicated alert to identify this campaign as <em>Sha1-Hulud Campaign Detected \u2013 Possible command injection to exfiltrate credentials.<\/em><\/p>\n<p class=\"wp-block-paragraph\">In some cases, commits to the newly created repositories were under the name \u201cLinus Torvalds\u201d, the creator of the Linux kernel and the original author of Git. 
The use of fake personas highlights the importance of <a href=\"https:\/\/docs.github.com\/en\/authentication\/managing-commit-signature-verification\/about-commit-signature-verification\">commit signature verification<\/a>, which adds a simple and reliable check to confirm who actually created a commit and reduces the chance of impersonation.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-fig2-malicious-commit.webp\" alt=\"Screenshot of malicious GitHub commit\" class=\"wp-image-144316 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-fig2-malicious-commit.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Malicious commit authored by user impersonating Linus Torvalds<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft Defender recommends the following guidance for customers to improve their environments\u2019 security posture against Shai-Hulud:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Review the Key Vault assets on the critical asset management page and investigate any relevant logs for unauthorized access.<\/li>\n<li class=\"wp-block-list-item\">Rapidly rotate and revoke exposed credentials.<\/li>\n<li class=\"wp-block-list-item\">Isolate affected CI\/CD agents or workspaces.<\/li>\n<li class=\"wp-block-list-item\">Prioritize high-risk attack paths to reduce further exposure.<\/li>\n<li class=\"wp-block-list-item\">Remove unnecessary roles and permissions granted to identities assigned to CI\/CD pipelines; specifically review access to key vaults.<\/li>\n<li class=\"wp-block-list-item\">For Defender for Cloud customers, note the following recommendations:\n<ul 
class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">As previously indicated, the attack was initiated during the preinstall phase of compromised npm packages. Consequently, cloud compute workloads that rely on these affected packages present a lower risk compared to those involved in the build phase. Nevertheless, it is advisable to refrain from using such packages within cloud workloads. Defender for Cloud conducts thorough scans of workloads and prompts users to upgrade or replace any compromised packages if vulnerable versions are detected. Additionally, it references the code repository from which the image was generated to facilitate effective investigation.<\/li>\n<li class=\"wp-block-list-item\">To receive code repository mapping, make sure to connect your DevOps environments to Defender for Cloud. Refer to the following documentation for guidance on: <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-fig3-Defender-for-cloud.webp\" alt=\"Screenshot of Microsoft Defender for Cloud recommendations page\" class=\"wp-image-144317 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-fig3-Defender-for-cloud.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. Defender for Cloud Recommendations page<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">For more information on GitHub\u2019s plans for securing the npm supply chain and what actions npm maintainers can take today, Defender also recommends checking the GitHub <a href=\"https:\/\/github.blog\/security\/supply-chain-security\/our-plan-for-a-more-secure-npm-supply-chain\/\">plan for a more secure npm supply chain<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n<p 
class=\"wp-block-paragraph\">Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"8.5\">\n<tr readability=\"2\">\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Observed activity<\/strong><\/td>\n<td><strong>Microsoft Defender coverage<\/strong><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Execution<\/td>\n<td>Suspicious behavior surrounding node execution<\/td>\n<td readability=\"5\"><p><strong>Microsoft Defender for Endpoint<\/strong><br \/>\u2013 Suspicious Node.js process behavior<\/p>\n<p><strong>Microsoft Defender Antivirus<\/strong><br \/>\u2013 Trojan:JS\/ShaiWorm<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>Execution<\/td>\n<td>Registration of impacted containers as self-hosted GitHub runners and using them to gather credentials.<\/td>\n<td readability=\"5\"><p><strong>Microsoft Defender for Containers<\/strong><br \/>\u2013 Sha1-Hulud Campaign Detected: Possible command injection to exfiltrate credentials<\/p>\n<p><strong>Microsoft Defender for Endpoint<\/strong><br \/>\u2013 Suspicious process launched<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Impact<\/td>\n<td>Data destruction activity<\/td>\n<td><strong>Microsoft Defender for Containers<\/strong><br \/>\u2013 Suspicious usage of shred command on hidden files 
detected <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h3>\n<p class=\"wp-block-paragraph\">Security Copilot customers can use the standalone experience to <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\">create their own prompts<\/a> or run the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\">prebuilt promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Incident investigation<\/li>\n<li class=\"wp-block-list-item\">Microsoft User analysis<\/li>\n<li class=\"wp-block-list-item\">Threat actor profile<\/li>\n<li class=\"wp-block-list-item\">Threat Intelligence 360 report based on MDTI article<\/li>\n<li class=\"wp-block-list-item\">Vulnerability impact assessment<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Microsoft Defender XDR threat analytics:<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attack-path-analysis\">Attack path analysis<\/h2>\n<p class=\"wp-block-paragraph\">Attack path analysis shows paths from exposed entry points to targets. Security teams can use attack path analysis to surface cross-domain exposure risks, for example how an attacker could move from externally reachable resources to sensitive systems to escalate privileges and maintain persistence. While supply chain attacks like those used by Shai-Hulud 2.0 can originate without direct exposure, customers can leverage advanced hunting to query the Exposure Graph for these broader relationships.<\/p>\n<p class=\"wp-block-paragraph\">For example, once a virtual or physical machine is determined to be compromised, key vaults that are directly accessible using credentials obtained from the compromised system can also be identified. The relevant access paths can be extracted using queries, as detailed in the hunting section below. 
Any key vault found along these paths should be investigated according to the mitigation guidance above.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h2>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can run the following queries to find related activity in their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Attempts of malicious JS execution through node<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"9\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nDeviceProcessEvents | where FileName has \"node\" and ProcessCommandLine has_any (\"setup_bun.js\", \"bun_environment.js\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Suspicious process launched by malicious JavaScript<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"19\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nDeviceProcessEvents | where InitiatingProcessFileName in~ (\"node\", \"node.exe\") and InitiatingProcessCommandLine endswith \".js\"\n| where (FileName in~ (\"bun\", \"bun.exe\") and ProcessCommandLine has \".js\") or (FileName in~ (\"cmd.exe\") and ProcessCommandLine has_any (\"where bun\", \"irm \", \"[Environment]::GetEnvironmentVariable('PATH'\", \"|iex\")) or (FileName in~ (\"sh\", \"dash\", \"bash\") and ProcessCommandLine has_any (\"which bun\", \".bashrc &amp;&amp; echo $PATH\", \"https:\/\/bun.sh\/install\"))\n| where ProcessCommandLine !contains \"bun\" and ProcessCommandLine !contains \"\\\\\" and ProcessCommandLine !contains \"--\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>GitHub exfiltration<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"25\">\n<pre class=\"brush: plain; auto-links: false; gutter: 
false; title: ; quick-code: false; notranslate\" title>\nDeviceProcessEvents | where FileName has_any (\"bash\",\"Runner.Listener\",\"cmd.exe\") | where ProcessCommandLine has 'SHA1HULUD' and not (ProcessCommandLine has_any('malicious','grep','egrep',\"checknpm\",\"sha1hulud-checker-ado\",\"sha1hulud-checker-ado\",\" sha1hulud-checker-github\",\"sha1hulud-checker\",\"sha1hulud-scanner\",\"go-detector\",\"SHA1HULUD_IMMEDIATE_ACTIONS.md\",\"SHA1HULUD_COMPREHENSIVE_REPORT.md\",\"reddit.com\",\"sha1hulud-scan.sh\"))\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Paths from compromised machines and repositories to cloud key management services<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"35\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nlet T_src2Key = ExposureGraphEdges\n| where EdgeLabel == 'contains'\n| where SourceNodeCategories has_any ('code_repository', 'virtual_machine' , 'physical_device')\n| where TargetNodeCategories has 'secret'\n| project SourceNodeId, SourceNodeLabel, SourceNodeName, keyNodeId=TargetNodeId, keyNodeLabel=TargetNodeLabel;\nlet T_key2identity = ExposureGraphEdges\n| where EdgeLabel == 'can authenticate as'\n| where SourceNodeCategories has 'key'\n| where TargetNodeCategories has 'identity'\n| project keyNodeId=SourceNodeId, identityNodeId=TargetNodeId;\nExposureGraphEdges\n| where EdgeLabel == 'has permissions to'\n| where SourceNodeCategories has 'identity'\n| where TargetNodeCategories has \"keys_management_service\"\n| join hint.strategy=shuffle kind=inner (T_key2identity) on $left.SourceNodeId==$right.identityNodeId\n| join hint.strategy=shuffle kind=inner (T_src2Key) on keyNodeId\n| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, srcEntityId=EntityIds) on $left.SourceNodeId1==$right.NodeId\n| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, identityEntityId=EntityIds) on 
$left.identityNodeId==$right.NodeId\n| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, kmsEntityId=EntityIds) on $left.TargetNodeId==$right.NodeId\n| project srcLabel=SourceNodeLabel1, srcName=SourceNodeName1, srcEntityId, keyNodeLabel, identityLabel=SourceNodeLabel, identityName=SourceNodeName, identityEntityId, kmsLabel=TargetNodeLabel, kmsName=TargetNodeName, kmsEntityId\n| extend Path = strcat(srcLabel, ' contains ', keyNodeLabel, ' can authenticate as ', identityLabel, ' has permissions to ', kmsLabel)\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Setup of the GitHub runner with the malicious repository and downloads of the malicious <em>bun.sh<\/em> script that facilitates this<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"23\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nCloudProcessEvents\n| where (ProcessCommandLine has \"--name SHA1HULUD\" ) or (ParentProcessName == \"node\" and (ProcessName == \"bash\" or ProcessName == \"dash\" or ProcessName == \"sh\") and ProcessCommandLine has \"curl -fsSL https:\/\/bun.sh\/install | bash\")\n| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Credential collection using TruffleHog and Azure CLI<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"27\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nCloudProcessEvents\n| where (ParentProcessName == \"bun\" and ProcessName in (\"bash\",\"dash\",\"sh\") and ProcessCommandLine has_any(\"az account get-access-token\",\"azd auth token\")) or (ParentProcessName == \"bun\" and ProcessName == 
\"tar\" and ProcessCommandLine has_any (\"trufflehog\",\"truffler-cache\"))\n| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\" id=\"cloud-security-explorer\">Cloud security explorer<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender for Cloud customers can also use <a href=\"https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/how-to-manage-cloud-security-explorer\">cloud security explorer<\/a> to surface possibly compromised software packages. The following screenshot represents a query that searches for a virtual machine or repository allowing lateral movement to a key vault. <a href=\"https:\/\/ms.portal.azure.com#view\/Microsoft_Azure_Security\/SecurityGraph.ReactView\/query\/%7B%22type%22%3A%22securitygraphquery%22%2C%22version%22%3A2%2C%22properties%22%3A%7B%22source%22%3A%7B%22type%22%3A%22datasource%22%2C%22properties%22%3A%7B%22sources%22%3A%5B%7B%22type%22%3A%22family%22%2C%22properties%22%3A%7B%22source%22%3A%22code_repository%22%7D%7D%2C%7B%22type%22%3A%22family%22%2C%22properties%22%3A%7B%22source%22%3A%22virtual_machine%22%7D%7D%5D%2C%22conditions%22%3A%7B%22type%22%3A%22conditiongroup%22%2C%22properties%22%3A%7B%22operator%22%3A%22and%22%2C%22conditions%22%3A%5B%7B%22type%22%3A%22connection%22%2C%22properties%22%3A%7B%22name%22%3A%22contains%22%2C%22direction%22%3A%22outgoing%22%2C%22target%22%3A%7B%22type%22%3A%22datasource%22%2C%22properties%22%3A%7B%22sources%22%3A%5B%7B%22type%22%3A%22family%22%2C%22properties%22%3A%7B%22source%22%3A%22key%22%7D%7D%5D%2C%22conditions%22%3A%7B%22type%22%3A%22conditiongroup%22%2C%22properties%22%3A%7B%22operator%22%3A%22and%22%2C%22conditions%22%3A%5B%7B%22type%22%3A%22connection%22%2C%22properties%22%3A%7B%22name%22%3A%22can%20authenticate%20as%22%2C%22direc
tion%22%3A%22outgoing%22%2C%22target%22%3A%7B%22type%22%3A%22datasource%22%2C%22properties%22%3A%7B%22sources%22%3A%5B%7B%22type%22%3A%22entity%22%2C%22properties%22%3A%7B%22source%22%3A%22serviceprincipal%22%7D%7D%5D%2C%22conditions%22%3A%7B%22type%22%3A%22conditiongroup%22%2C%22properties%22%3A%7B%22operator%22%3A%22and%22%2C%22conditions%22%3A%5B%7B%22type%22%3A%22connection%22%2C%22properties%22%3A%7B%22name%22%3A%22has%20permissions%20to%22%2C%22direction%22%3A%22outgoing%22%2C%22target%22%3A%7B%22type%22%3A%22datasource%22%2C%22properties%22%3A%7B%22sources%22%3A%5B%7B%22type%22%3A%22entity%22%2C%22properties%22%3A%7B%22source%22%3A%22microsoft.keyvault%2Fvaults%22%7D%7D%5D%7D%7D%7D%7D%5D%7D%7D%7D%7D%7D%7D%5D%7D%7D%7D%7D%7D%7D%5D%7D%7D%7D%7D%7D%7D\">View the query builder<\/a>.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-fig4-cloud-security-explorer.webp\" alt=\"Screenshot of Cloud Security Explorer\" class=\"wp-image-144320 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-fig4-cloud-security-explorer.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. Cloud security explorer query<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">The security explorer templates library has been expanded with two additional queries that retrieve all container images with compromised software packages and all the running containers with these images.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of compromise <\/strong>&nbsp;&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"2\">\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<td><strong>First seen<\/strong><\/td>\n<td><strong>Last seen<\/strong><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>&nbsp;setup_bun.js<\/em><\/td>\n<td>&nbsp;File name<\/td>\n<td>Malicious script that installs the Bun runtime<\/td>\n<td>&nbsp;November 24, 2025<\/td>\n<td>December 1, 2025<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>bun_environment.js<\/em><\/td>\n<td>File name<\/td>\n<td>Script that facilitates credential gathering and exfiltration<\/td>\n<td>November 24, 2025<\/td>\n<td>December 1, 2025<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more &nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from 
the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/12\/09\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Shai\u2011Hulud&#160;2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently. Attackers maliciously modified hundreds of publicly available packages, targeting developer environments, continuous integration and continuous delivery (CI\/CD) pipelines, and cloud-connected workloads to harvest credentials and configuration secrets. The Shai\u2011Hulud&#160;2.<br \/>\nThe post Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[],"class_list":["post-59817","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-09T21:41:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack\",\"datePublished\":\"2025-12-09T21:41:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/\"},\"wordCount\":1607,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/Shai-Hulud-2-attack-chain.webp\",\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/\",\"name\":\"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against 
the supply chain attack 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/Shai-Hulud-2-attack-chain.webp\",\"datePublished\":\"2025-12-09T21:41:32+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/Shai-Hulud-2-attack-chain.webp\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/Shai-Hulud-2-attack-chain.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-again
st-the-supply-chain-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/","og_locale":"en_US","og_type":"article","og_title":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-12-09T21:41:32+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack","datePublished":"2025-12-09T21:41:32+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/"},"wordCount":1607,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-attack-chain.webp","articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/","url":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/","name":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-attack-chain.webp","datePublished":"2025-12-09T21:41:32+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-attack-chain.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Shai-Hulud-2-attack-chain.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Shai-Hulud 2.0: Guidance for detecting, investigating, and 
defending against the supply chain attack"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\
/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59817","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59817"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59817\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59817"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59817"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}