---
title: "Detecting SHA1-Hulud: the logs must flow"
page_name: "Detecting SHA1-Hulud: the logs must flow"
type: "blog"
slug: "detect-sha1-hulud"
published_at: "2025-11-26"
modified_at: "2025-12-16"
url: "https://www.sumologic.com/blog/detect-sha1-hulud"
canonical: "https://www.sumologic.com/blog/detect-sha1-hulud"
markdown_url: "https://www.sumologic.com/blog/detect-sha1-hulud.md"
lang: "en"
excerpt: "The Sha1-Hulud worm spreads rapidly, which is why you need systems in place to detect attacks like these. Follow these steps to find the worm in your logs."
taxonomy_blog_category:
  - "Cloud SIEM"
  - "SecOps & Security"
---


# Detecting SHA1-Hulud: the logs must flow

[Daniel Kaiser](#blog-author-block-332)

November 26, 2025

5 min read 

[Cloud SIEM](https://www.sumologic.com/blog/cloud-siem), [SecOps & Security](https://www.sumologic.com/blog/secops-security)


Sha1-Hulud has burrowed back into our lives, spreading rapidly and causing more destruction than ever. Named after the famous worm from the Dune franchise, this attack is also impacting global organizations. Since its first widescale spread on September 16, 2025, this worm has demonstrated its ability to propagate rapidly with high impact using the following techniques:

- Exploit the compromised GitHub credentials of npm package developers to weaponize popular npm packages. As of this writing, there are [approximately 800 infected packages reported](https://github.com/wiz-sec-public/wiz-research-iocs/blob/main/reports/shai-hulud-2-packages.csv), many of them widely used.
- Once the compromised npm packages are downloaded and installed, harvest credentials for GitHub, NPM package repositories and cloud providers such as AWS and Azure.
- Publish harvested credentials on public GitHub repositories. As of this writing, [over 25,000 such repositories have been created](https://www.linkedin.com/pulse/sha1-hulud-supply-chain-nightmare-shook-npm-ecosystem-again-gvnuc/).
- Employ the harvested credentials to compromise more NPM packages.

This variant includes some new behavior, including:

1. Deleting data in the home directory of the machine if no useful credentials are harvested.
2. Using GitHub repository discussions to execute C2 commands on a compromised host, with a self-hosted GitHub Actions runner performing the code execution.
3. Using a new naming convention for the git repository containing exfiltrated credentials: a random string, such as “aoy7angy5kwcq64fb7”, for the name and varying descriptions including “Sha1-Hulud: The Second Coming”.

## Detection opportunities and required logs

There are various opportunities for the detection of SHA1-Hulud provided you are collecting logs from the appropriate vantage points:

### GitHub

GitHub Enterprise Audit logging is essential. Detection opportunities include:

1. Creation of a new public repo named with a random string, with description “Sha1-Hulud: The Second Coming”
2. Registration of a self-hosted runner with the name “SHA1HULUD”
3. Creation of GitHub Actions workflow that interacts with or uses GitHub Discussions

### The endpoint

Log sources key to detection on the endpoint include file and process monitoring (process monitoring should include command-line auditing). Detection opportunities include:

1. Process activity showing the execution of the `setup_bun.js` preinstall script
2. File activity indicating downloading or installation of compromised NPM packages
    - Lists of compromised packages can be found [here](https://github.com/wiz-sec-public/wiz-research-iocs/blob/main/reports/shai-hulud-2-packages.csv) and [here](https://stepsecurity-public-media.s3.us-west-2.amazonaws.com/website/blog/Sha1-Hulud-The-Second-Coming.html)
3. Rapid deletion of files in the user’s home directory on the affected machine
4. Process activity indicating installation of a local runner for GitHub Actions

### Cloud providers

Key log sources include AWS CloudTrail logs and Microsoft Entra ID logs. The primary detection opportunity with cloud logs is detecting the harvesting of cloud credentials using tools such as Trufflehog.

Note that analysis of the SHA1-Hulud malware is ongoing, and you’re encouraged to revisit the malware analysis references for new information.

Let’s explore some of the detection opportunities.

## Relevant queries and built-in rules for Sumo Logic Cloud SIEM customers

### GitHub-focused

These detections are focused on GitHub activity and require GitHub Enterprise Audit logging. Refer to [the Sumo Logic documentation](https://help.sumologic.com/docs/integrations/app-development/github/#collecting-logs-for-github) for instructions on ingesting GitHub Enterprise Audit logs.

###### Technique: Exfiltrated secrets are uploaded to a new public repo named after a random string, with description “Sha1-Hulud: The Second Coming”

Per [Step Security’s analysis](https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised), SHA1-Hulud “fingerprints the host, scavenges cloud vaults, and scans for secrets—all exfiltrated as JSON blobs to a new public repo named after a random UUID, with description ‘Sha1-Hulud: The Second Coming’”.

###### Query: Find repository created for exfiltrated credentials

This query will return new git repositories created over the time period specified. As mentioned above, the name of the repository will be a random string such as “aoy7angy5kwcq64fb7” and its description could be “Sha1-Hulud: The Second Coming.” Ideally, we could search for the description, but the [GitHub create-repo.create logs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events#repo) do not include the repository description. You will need to scan the output for repository names that are random strings, perhaps refining your search for repositories with names of 18 or more characters.

```
_index=sec_record_audit metadata_product="GitHub Enterprise Audit" normalizedAction="create"
| where metadata_deviceEventId = "create-repo.create"
| count by user_username, repository
```
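The query above leaves the analyst to eyeball the output for random-looking names. The following added example (not code from the post or from GitHub) shows one way to automate that triage over the query's normalized `create-repo.create` records: it flags names that are a single long run of lowercase letters and digits with high per-character entropy. The audit records and the length/entropy thresholds are constructed assumptions.

```python
"""Triage GitHub Enterprise Audit create-repo.create events for repository
names that look machine-generated (the Sha1-Hulud exfil-repo pattern).
Added example, not part of the post or GitHub; records are constructed and
use the normalized field names from the post's query."""
import math
import re
from collections import Counter

# Constructed sample of normalized audit records (not real log data).
SAMPLE_EVENTS = [
    {"metadata_deviceEventId": "create-repo.create", "user_username": "dev-a",
     "repository": "acme/aoy7angy5kwcq64fb7"},
    {"metadata_deviceEventId": "create-repo.create", "user_username": "dev-b",
     "repository": "acme/internal-billing-service"},
    {"metadata_deviceEventId": "create-repo.create", "user_username": "dev-c",
     "repository": "acme/kxq8m2vtd0plcz9wra3"},
    {"metadata_deviceEventId": "repo.access", "user_username": "dev-d",
     "repository": "acme/zz9q1p0w8e7r6t5y4u3"},
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(name: str, min_len: int = 18, min_entropy: float = 3.5) -> bool:
    """Heuristic for generated names: one unbroken run of lowercase letters and
    digits, at least min_len long, containing both letters and digits, with high
    per-character entropy. The thresholds are assumptions; tune them locally."""
    if len(name) < min_len or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    if not (re.search(r"[a-z]", name) and re.search(r"\d", name)):
        return False
    return shannon_entropy(name) >= min_entropy

def suspicious_repo_creations(events):
    """(user, repository) pairs for create-repo.create events whose repo name,
    after the owner/ prefix, looks random. Other event types are ignored."""
    hits = []
    for ev in events:
        if ev.get("metadata_deviceEventId") != "create-repo.create":
            continue
        name = ev["repository"].rsplit("/", 1)[-1]
        if looks_random(name):
            hits.append((ev["user_username"], ev["repository"]))
    return hits

if __name__ == "__main__":
    for user, repo in suspicious_repo_creations(SAMPLE_EVENTS):
        print(f"review: {user} created {repo}")
```

Hyphenated or camel-cased project names fail the character-class check, so a repository such as `internal-billing-service` is never flagged even when it is long.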

###### Technique: New self-hosted runner named ‘SHA1HULUD’ created on compromised host to execute C2 commands

[wiz.io’s analysis](https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack) reports that SHA1-Hulud “registers the infected machine as a self-hosted runner named ‘SHA1HULUD’”.

###### Query: Review self-hosted runner registration

This query will return self-hosted runners registered within the specified time period. As with the create repo query above, the GitHub logs are missing one useful piece of information: the name of the runner. So, you will need to scan the repository, user names and other metadata such as user agent strings for unusual activity.

```
_index=sec_record_audit metadata_product="GitHub Enterprise Audit"
| where metadata_deviceEventId = "create-repo.register_self_hosted_runner"
| count by repository, user_username
```

### Endpoint-focused

###### Technique: Malware installation via the npm preinstall script

As StepSecurity explains in their writeup, compromised npm packages install SHA1-Hulud on the victim machine via a preinstall script: “The attack begins the moment npm installs the package, triggered by this entry in package.json:

```
{
  "scripts": {
    "preinstall": "node setup_bun.js"
  }
}
```

###### Query: Command Line of SHA1-Hulud Preinstall script

The following query will search for process creation records matching the command line of the SHA1-Hulud preinstall script:

```
_index=sec_record_endpoint action="ProcessCreate"
| where commandLine matches /node\s+setup_bun\.js/
```

###### Technique: Writable files deleted from the user’s home directory

Per [Koi’s writeup](https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised), “if the malware fails to authenticate or establish persistence, it attempts to destroy the victim’s entire home directory. Specifically, the malware deletes every writable file owned by the current user under their home folder.”

###### Query: Count of file deletions from users’ home directories (Windows)

The following query searches Microsoft Sysmon logs for event ID 23 or 26 (file delete events) where the deleted file was located in a user’s home directory:

```
_index=sec_record_endpoint
| where metadata_deviceEventId = "Microsoft-Windows-Sysmon/Operational-23" or metadata_deviceEventId = "Microsoft-Windows-Sysmon/Operational-26"
| where changeTarget matches /C:\\Users.*/
| count by device_hostname
```
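A plain count by hostname does not distinguish a day of normal housekeeping from the “rapid deletion” behaviour listed under the endpoint detection opportunities. The following added example (not code from the post or from Sysmon) adds the time dimension: it keeps only event ID 23/26 records whose target is under a user profile and reports hosts where at least `threshold` such deletions fall inside any sliding window of `window_seconds`. The events, the `timestamp` field and the default thresholds are constructed assumptions.

```python
"""Flag hosts with a burst of file deletions under C:\\Users, the 'rapid
deletion of the home directory' behaviour described above. Added example, not
part of the post or Sysmon; events are constructed, field names mirror the
post's query plus an assumed 'timestamp' field (epoch seconds)."""
import re
from collections import defaultdict
DELETE_EVENT_IDS = {
    "Microsoft-Windows-Sysmon/Operational-23",  # FileDelete (archived)
    "Microsoft-Windows-Sysmon/Operational-26",  # FileDeleteDetected
}
HOME_DIR = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)
# Constructed events: host-a deletes 6 profile files in 6 seconds, host-b
# deletes one, host-c deletes many files but none inside a user profile.
SAMPLE_EVENTS = (
    [{"device_hostname": "host-a", "timestamp": 1000 + i,
      "metadata_deviceEventId": "Microsoft-Windows-Sysmon/Operational-23",
      "changeTarget": rf"C:\Users\alice\Documents\f{i}.docx"} for i in range(6)]
    + [{"device_hostname": "host-b", "timestamp": 1000,
        "metadata_deviceEventId": "Microsoft-Windows-Sysmon/Operational-26",
        "changeTarget": r"C:\Users\bob\Downloads\old.zip"}]
    + [{"device_hostname": "host-c", "timestamp": 1000 + i,
        "metadata_deviceEventId": "Microsoft-Windows-Sysmon/Operational-23",
        "changeTarget": rf"C:\Windows\Temp\tmp{i}.log"} for i in range(10)]
)

def home_dir_deletions(events):
    """Per-host list of timestamps of delete events targeting a user profile."""
    per_host = defaultdict(list)
    for ev in events:
        if (ev.get("metadata_deviceEventId") in DELETE_EVENT_IDS
                and HOME_DIR.match(ev.get("changeTarget", ""))):
            per_host[ev["device_hostname"]].append(ev["timestamp"])
    return per_host

def deletion_bursts(events, window_seconds=10, threshold=5):
    """{host: peak_count} for hosts with >= threshold profile deletions inside
    any sliding window of window_seconds. Defaults are assumptions; baseline them."""
    bursts = {}
    for host, times in home_dir_deletions(events).items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[host] = peak
    return bursts

if __name__ == "__main__":
    for host, n in deletion_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {n} home-directory deletions within 10s")
```

Installers and browsers also delete files under the profile, so baseline the window and threshold against normal activity before alerting on the result.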

Note: Ideally, file activity of interest is detected with filesystem monitoring via log sources such as [Microsoft Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) (event ID 23) or [Microsoft Object Access Auditing](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-system) (event IDs [4660](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4660) and [4663](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663)). However, those sources only record activity in directories that have been configured for auditing, so it is difficult to ensure that all file activity is being logged, and we may need to depend on other log source types. In this case, we will search for the command line noted in Koi’s writeup:

###### Query: Command lines indicating file deletion from the home directory (Windows)

The following query will search for process creation records with a command line matching (via regex) a known command line used by SHA1-Hulud:

```
_index=sec_record_endpoint action="ProcessCreate"
| where commandLine matches /del\s+\/F\s+\/Q\s+\/S\s+C:\\Users/
```

### Cloud-focused

###### Technique: Use of Trufflehog to harvest cloud credentials

Per [Aikido](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains), “It then uses an automated tool (TruffleHog) to search for sensitive information like passwords, API keys, cloud tokens, and GitHub or NPM credentials.”

###### Rules: Sumo Logic rules detecting Trufflehog use and cloud secret enumeration

Sumo Logic provides several SIEM rules to detect the harvesting of secrets, including the use of Trufflehog. Examples include:

- Trufflehog AWS Credential Verification Detected: MATCH-S00925
- First Seen IP Address Performing Trufflehog AWS Credential Verification: FIRST-S00086
- AWS CloudTrail – GetSecretValue from non Amazon IP: MATCH-S00246
- AWS Secrets Manager Enumeration: MATCH-S00825

## Recommended mitigation and remediation steps

Multiple articles referenced here, such as those by Panther Labs, StepSecurity and Aikido, contain detailed remediation guidance, such as rotating secret keys, deleting the self-hosted runner, auditing npm package use, reviewing CI/CD logs and reviewing repository creation.

## Final thoughts

The SHA1-Hulud attack is yet another example of the criticality of comprehensive logging, which spans the various technologies in use in your organization, including not only the endpoints but also your CI/CD pipeline and cloud presence. Comprehensive logging helps you take advantage of detection rules best-suited to the vantage point of the log source and provides you with the best chance of detecting complex attacks early.


Daniel Kaiser

Senior Threat Research Engineer

Dan has over a decade of experience in cybersecurity, focusing on threat research, detection engineering, SIEM troubleshooting and capture-the-flag challenge development. As a detection engineer, he has developed high-quality analytics content centered on User and Entity Behavior Analytics, Network Detection and Response and the MITRE ATT&CK framework. Dan has published multiple blogs and delivered presentations for SANS, LogRhythm, Ultimate Windows Security and BrightTALK. Dan lives in Lakewood, Colorado, with his wife and dog. He enjoys running, snowboarding and cycling.

