The malware continuously monitors its access to GitHub (for exfiltration) and npm (for propagation). If an infected system loses access to both channels simultaneously, it triggers immediate data destruction on the compromised machine. On Windows, it attempts to delete all user files and overwrite disk sectors. On Unix systems, it uses shred to overwrite files before deletion, making recovery nearly impossible.
shred is intended to overwrite the actual on-disk contents by overwriting data in the file prior to unlinking the files. However, shred isn’t as effective on journalled filesystems, because writing in this fashion doesn’t overwrite the contents on-disk like this. Normally, ext3, ext4, and btrfs are journalled. Most people are not running ext2 in 2025, save maybe on their /boot partition, if they have that as a separate partition.
I don’t think journaled file systems fare any better. You’re probably thinking COW (copy on write) systems like zfs and btrfs, but I don’t see how journaling helps with overwrite recovery at all.
It looks like I was wrong about it being the default journaling mode for ext3; the default is apparently to journal only metadata. However, if you’re journaling data, it gets pushed out to the disk in a new location rather than on top of where the previous data existed.
CAUTION: Note that shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption. The following are examples of file systems on which shred is not effective, or is not guaranteed to be effective in all file system modes:
log-structured or journaled file systems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)
file systems that write redundant data and carry on even if some writes fail, such as RAID-based file systems
file systems that make snapshots, such as Network Appliance’s NFS server
file systems that cache in temporary locations, such as NFS version 3 clients
compressed file systems
In the case of ext3 file systems, the above disclaimer applies (and shred is thus of limited effectiveness) only in data=journal mode, which journals file data in addition to just metadata. In both the data=ordered (default) and data=writeback modes, shred works as usual. Ext3 journaling modes can be changed by adding the data=something option to the mount options for a particular file system in the /etc/fstab file, as documented in the mount man page (man mount).
Spellbind0127@infosec.pub
on 11 Dec 2025 18:49
nextcollapse
this is an insane attack
Lightfire228@pawb.social
on 11 Dec 2025 19:01
collapse
Is this different from Shai Hulud 2?
Edit: the article was published November 24, so I’m pretty sure this is just Shai Hulud 2
threaded - newest
Cool! Now consider all the others they haven’t found yet
the ones that scare me are apt and pacman and the others
Those aren’t insane to audit. It’s the libraries everyone uses
shredis intended to overwrite the actual on-disk contents by overwriting data in the file prior to unlinking the files. However,shredisn’t as effective on journalled filesystems, because writing in this fashion doesn’t overwrite the contents on-disk like this. Normally, ext3, ext4, and btrfs are journalled. Most people are not running ext2 in 2025, save maybe on their/bootpartition, if they have that as a separate partition.I don’t think journaled file systems fare any better. You’re probably thinking COW (copy on write) systems like zfs and btrfs, but I don’t see how journaling helps with overwrite recovery at all.
It looks like I was wrong about it being the default journaling mode for ext3; the default is apparently to journal only metadata. However, if you’re journaling data, it gets pushed out to the disk in a new location rather than on top of where the previous data existed.
linux.die.net/man/1/shred
this is an insane attack
Is this different from Shai Hulud 2?
Edit: the article was published November 24, so I’m pretty sure this is just Shai Hulud 2