Shai-HuludWormTurnsTokenRotationIntoaWipeTrigger

◆ DEEP DIVES

1. 01

   Your IR Runbook Is Now a Weapon: Shai-Hulud's Dead-Man Switch and Editor-Config Persistence

   The Escalation

   On Wednesday, Shai-Hulud was a credential-theft worm. On Thursday, the new variant ships a destructive-response component. It embeds a gh-token-monitor process that watches for token revocation events, and when a defender rotates a compromised GitHub, npm, or cloud token, the host is wiped. Revocation is the trigger for destruction; that is a design choice in the implant, not a side effect.

   Multiple sources independently confirm the behavior and warn that blanket revocation against an infected runner destroys the runner. The revised IR order is isolate → snapshot → enumerate persistence → remove persistence → only then rotate tokens.

   ---

   Persistence That Survives Uninstall

   Removing the malicious npm or PyPI package does not remediate the compromise. The implant writes to three agent-config paths:

   • .claude/settings.json — re-executes attacker config on every Claude Code launch
   • .vscode/tasks.json — re-executes on every VS Code session
   • .cursor/* — equivalent for Cursor users

   These paths sit outside SCA tool scope. npm audit returns clean. Dependabot sees nothing. The host stays compromised through the AI developer tooling engineers run daily, and every IDE launch re-executes attacker-controlled configuration with access to LLM API keys, GitHub PATs, cloud CLI tokens, and production kubeconfigs.

   ---

   Cross-Source Corroboration

   Seven independent sources reported the evolution today. The confirmed blast radius:

   Ecosystem	Affected Packages	Notable Victims
   npm	400+ (84 malicious TanStack versions, 42 scoped packages)	Mistral AI, UiPath, TanStack
   RubyGems (GemStuffer)	150+ gems	UK Council Portal data exfiltrated
   PyPI	5+ confirmed	Guardrails AI (0.10.1), OpenSearch

   The TanStack kill chain was CI-native: pull_request_target abuse, GitHub Actions cache poisoning, OIDC token extraction from Runner.Worker memory, exfil via Session/Oxen, and P2P C2 via the GitHub commit-search index. npm 2FA is bypassed entirely.

   The attacker has weaponized the defender's revocation response. The incident-response playbook itself is now part of the kill chain.

   ---

   Detection Engineering for the Persistence Layer

   File-integrity monitoring on agent config paths catches what SCA cannot:

   • Alert on any write to .claude/settings.json, .vscode/tasks.json, .cursor/* outside known-good provisioning flows
   • Hunt for outbound Session/Oxen traffic from CI workers
   • Look for unexpected commits to org repos, which is the P2P beacon signal
   • Baseline lockfile diffs since May 11 across all repositories

   Action items

   • Rewrite IR runbook for Shai-Hulud-class threats: isolate → snapshot → enumerate persistence → remove persistence → then rotate. Push to all on-call engineers and tabletop today
   • Deploy FIM rules on .claude/settings.json, .vscode/tasks.json, and .cursor/* across all developer endpoints within 48 hours
   • Freeze npm and RubyGems dependency updates enterprise-wide; audit all installs between May 11 and today against known-malicious package lists from Aikido, Endor, JFrog, and Socket
   • Purge GitHub Actions caches and npm caches on all build agents; rotate AWS, GCP, Kubernetes, Vault, GitHub, and SSH credentials on any host that ran npm install against affected versions

   Sources:Risky.Biz · TLDR InfoSec · TLDR IT · AI Breakfast · CSO Security Leadership · AINews

2. 02

   GhostLock: The Ransomware Class EDR Was Not Built to See

   What It Is

   GhostLock holds files hostage without encrypting them and without dropping a binary. It runs from low-privilege domain accounts, the kind every enterprise provisions by the thousand. The mechanism is native Windows file-handle APIs plus SMB oplock behavior. Files are locked out of reach of legitimate users while remaining bit-for-bit unmodified on disk.

   The detail that matters: EDR telemetry on reported cases is empty. No disk writes. No cryptographic operations. No process injection. No known-bad hash. The endpoint agent sees a domain user opening files, which is the definition of normal.

   ---

   Why This Is a Re-Pricing Event

   For five years, EDR has been the load-bearing control in enterprise security architectures. Board decks cite it as the ransomware mitigation. GhostLock is a category-level bypass. No new exploit. No privilege escalation. No zero-day. It requires only what a domain user already has: the ability to open a file.

   The approach is philosophically different from conventional ransomware:

   Dimension	Traditional Ransomware	GhostLock
   Privilege required	Admin/SYSTEM for full encryption	Standard domain user
   Binary on disk	Yes — encryptor dropped	No — lives in API calls
   File modification	Yes — contents replaced/encrypted	No — files locked via handles/oplocks
   EDR signal	File modification, crypto API calls, process tree	None observed
   Backup recovery	Effective (if backups clean)	Effective — but victim doesn't know files are intact

   A ransomware family that routinely slips past EDR is not a novelty item. It is a re-pricing event for every board deck that lists EDR as the mitigation.

   ---

   Detection Hypotheses

   Signature-based EDR will not help. The detection path is behavioral:

   • File-handle acquisition anomalies: a single low-privilege account opening hundreds or thousands of file handles in a short window
   • SMB oplock patterns: unusual oplock break behavior on file shares, specifically batch oplocks held without corresponding read or write operations
   • Domain account behavior: a domain user touching many files across multiple shares with no legitimate process tree behind the access
   • File accessibility monitoring: canary files that alert when they cannot be opened, not when they are modified

   None of these ship in vendor default rulesets. They require custom detection engineering written against hypotheses about the specific Windows API behavior being abused. Plan accordingly.

   Action items

   • Build detection engineering hypotheses for GhostLock: query for accounts opening >500 file handles in <60 seconds, SMB oplock anomalies on shares, and low-priv accounts touching file shares without process trees — deliver initial rules within 2-3 weeks
   • Deploy file-accessibility canary files on critical shares (finance, HR, exec, engineering) that alert when they cannot be opened — not when they are modified
   • Review and update board risk documentation: EDR is no longer a sufficient standalone control for ransomware. Present GhostLock as the evidence and request budget for behavioral detection engineering

   Sources:Risky.Biz · TLDR InfoSec

3. 03

   Patch Tuesday's Hidden Payload: Netlogon and DNS RCE Demand Accelerated Deployment

   The Numbers

   Microsoft's May 2026 Patch Tuesday shipped 138 CVEs, 30 Critical. That is the heaviest month of the year. Composition matters more than the count. Two bugs sit on authentication and resolution paths enterprises cannot run without:

   • Netlogon RCE. Same class as Zerologon (CVE-2020-1472), which became one of the most weaponized bugs of the decade. Protocol-level RCE against domain controllers.
   • DNS RCE. Echoes SIGRed (CVE-2020-1350), wormable by design. Windows DNS servers, often co-located with domain controllers.

   Neither is under active exploitation as of today. Historically, Netlogon and DNS-class bugs moved from disclosure to mass exploitation in 7 to 30 days. Zero of 138 are currently exploited. The 7-to-30-day window is the planning horizon, not a reassurance.

   ---

   Nightmare Eclipse Makes It Worse

   The actor tracked as Nightmare Eclipse dropped two zero-days within hours of Patch Tuesday. The monthly pattern continues:

   Zero-Day	Impact	Status
   GreenPlasma	Local privilege escalation	No patch yet; monitor for OOB advisory
   YellowKey	BitLocker bypass	No patch yet; validate Credential Guard

   The Nightmare Eclipse cadence is deliberate. Exploits drop while defender attention is on the patch queue. The timing is tactical.

   ---

   Beyond Microsoft: Exim and the Multi-Vendor Queue

   CVE-2026-45185 (Dead.Letter) is an unauthenticated RCE in Exim's GnuTLS builds. Exim's install base on internet-facing mail infrastructure is large, and the bug is configuration-specific. Debian/Ubuntu defaults ship GnuTLS (vulnerable). RHEL-family uses OpenSSL (likely unaffected). Run exim -bV | grep GnuTLS to scope in under an hour. Historically, Exim flaws went from disclosure to mass scanning in under two weeks. Sandworm exploited CVE-2019-10149 at scale.

   The full vendor queue also includes patches from Adobe, Apple, Fortinet, Ivanti, Palo Alto, and Juniper. SAP S/4HANA and Dynamics 365 on-prem RCE add ERP-layer urgency.

   The interesting number in a Patch Tuesday is never the total. It is how many sit on the authentication path. This month, two of the biggest do.

   Action items

   • Deploy Netlogon and DNS RCE patches to all domain controllers and DNS servers on accelerated 7-day cycle — do not use standard 30-day soak period
   • Patch all GnuTLS-linked Exim instances within 72 hours; disable BDAT as interim mitigation where patching is delayed. Scope with `exim -bV | grep GnuTLS`
   • Validate Credential Guard and BitLocker attestation on all managed laptops in preparation for YellowKey (BitLocker bypass); monitor for Microsoft out-of-band advisory on GreenPlasma and YellowKey
   • Add post-patch verification scans as a mandatory gate before closing Critical CVE tickets — at minimum for the Netlogon, DNS, and Exim patches

   Sources:Risky.Biz · TLDR InfoSec · The Hacker News · CSO Security Leadership