1 comment

[ 3.0 ms ] story [ 9.9 ms ] thread
While the campaign was catalyzed by the recently open-sourced Shai Hulud framework (thanks teampcp...), the access itself came from compromised credentials from accounts that should have been revoked. By cross-referencing the usernames pushing the malware against Hudson Rock's database, we discovered that over 33% were exact matches to computers infected by infostealers. Upon deeper manual investigation, we realized that number is actually closer to 100%. (h/t OX Security & SafeDep)

Attackers are logging into these active accounts, exploiting GitHub Actions, and injecting payloads to drain AWS keys, GCP OAuth tokens, and SSH keys straight from CI/CD workflows.