GitLab discovers widespread npm supply chain attack (about.gitlab.com)
from cm0002@lemmy.cafe to cybersecurity@infosec.pub on 11 Dec 01:18
https://lemmy.cafe/post/28234843

#cybersecurity


ThatGuyNamedZeus@feddit.org on 11 Dec 01:23

Cool! Now consider all the others they haven’t found yet

Skullgrid@lemmy.world on 11 Dec 03:45

the ones that scare me are apt and pacman and the others

redsand@lemmy.dbzer0.com on 11 Dec 06:39

Those aren’t insane to audit. It’s the libraries everyone uses

tal@lemmy.today on 11 Dec 05:16

The malware continuously monitors its access to GitHub (for exfiltration) and npm (for propagation). If an infected system loses access to both channels simultaneously, it triggers immediate data destruction on the compromised machine. On Windows, it attempts to delete all user files and overwrite disk sectors. On Unix systems, it uses shred to overwrite files before deletion, making recovery nearly impossible.

shred is intended to overwrite the actual on-disk contents by overwriting data in the file prior to unlinking the files. However, shred isn’t as effective on journalled filesystems, because writing in this fashion doesn’t overwrite the contents on-disk like this. Normally, ext3, ext4, and btrfs are journalled. Most people are not running ext2 in 2025, save maybe on their /boot partition, if they have that as a separate partition.
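Whether shred's overwrite passes actually reach a file's old blocks depends on the filesystem and mount options under that path, so it is worth checking before relying on it (either for cleanup or when assessing how much a wiper like this one can really destroy). The following is an added example, not code from this thread or from GitLab's write-up: it parses /proc/mounts (a constructed sample is embedded as SAMPLE_MOUNTS; that sample, the mount_for and shred_verdict helpers and the verdict labels are this example's own), finds the mount that holds a path, and classifies it the way the shred(1) manual does. Copy-on-write filesystems (btrfs, zfs) and ext3/ext4 mounted with data=journal defeat in-place overwriting, while ext2 and ext3/ext4 in the default data=ordered mode do write over the file's own blocks.

```python
import os
from typing import NamedTuple, Optional

# Constructed /proc/mounts sample (assumption: not taken from any real host or from the article).
# On a live system, replace it with open("/proc/mounts").read().
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / btrfs rw,relatime,ssd,subvolid=256,subvol=/@ 0 0
/dev/nvme0n1p2 /home btrfs rw,relatime,ssd,subvolid=257,subvol=/@home 0 0
/dev/nvme0n1p1 /boot ext2 rw,relatime 0 0
/dev/sda1 /mnt/data ext4 rw,relatime,data=journal 0 0
/dev/sdb1 /mnt/scratch ext4 rw,relatime 0 0
/dev/sdc1 /mnt/My\\040Disk ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: frozenset


def parse_mounts(text: str) -> list:
    """Parse /proc/mounts-style lines into Mount records."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, opts = fields[:4]
        # /proc/mounts escapes whitespace in mount points as octal (\040)
        target = target.replace("\\040", " ")
        mounts.append(Mount(source, target, fstype, frozenset(opts.split(","))))
    return mounts


def mount_for(path: str, mounts: list) -> Optional[Mount]:
    """Longest-prefix match of an absolute path against the mount points."""
    path = os.path.normpath(path)
    best = None
    for m in mounts:
        target = m.target
        if target == "/" or path == target or path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(best.target):
                best = m
    return best


COW_FS = {"btrfs", "zfs"}          # copy-on-write: overwrites allocate new blocks
EXT_JOURNALED = {"ext3", "ext4"}   # journal file data only when mounted data=journal


def shred_verdict(path: str, mounts: list) -> tuple:
    """Return (verdict, reason) for whether shred's passes reach the file's old blocks."""
    m = mount_for(path, mounts)
    if m is None:
        return ("unknown", "no mount point matched the path")
    fs, opts = m.fstype, m.options
    if fs in COW_FS:
        if "nodatacow" in opts:
            return ("in-place", f"{fs} mounted nodatacow: data blocks are rewritten in place")
        return ("ineffective",
                f"{fs} is copy-on-write: each pass lands in new extents, old data stays until reused")
    if fs in EXT_JOURNALED:
        if "data=journal" in opts:
            return ("ineffective",
                    f"{fs} data=journal: file data goes through the journal, passes need not hit the original blocks")
        return ("in-place", f"{fs} in default data=ordered mode: overwrites go to the file's own blocks")
    if fs == "ext2":
        return ("in-place", "ext2 has no journal: overwrites go to the file's own blocks")
    if fs == "tmpfs":
        return ("volatile", "tmpfs is memory-backed: nothing on disk to overwrite unless it was swapped out")
    return ("unknown", f"{fs}: not classified here, check its allocation behaviour before trusting shred")


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/home/alice/.npmrc", "/boot/vmlinuz", "/mnt/data/notes.txt", "/mnt/scratch/tmp.bin"):
        verdict, reason = shred_verdict(p, table)
        print(f"{p}: {verdict} ({reason})")
```

An "in-place" verdict is a statement about the filesystem only: SSD wear levelling and remapped sectors can keep copies that no overwrite pass touches, which the shred manual also warns about, so on flash the honest answer is usually "encrypt first, then discard the key".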

Spellbind0127@infosec.pub on 11 Dec 18:49

this is an insane attack

Lightfire228@pawb.social on 11 Dec 19:01

Is this different from Shai Hulud 2?

Edit: the article was published November 24, so I’m pretty sure this is just Shai Hulud 2