A new wave of malicious npm packages is targeting developers working with cloud and serverless infrastructures. This threat, known as the Shai-Hulud payload carrying the Hades malware family, has now expanded its reach to the Leo/RStreams ecosystem—a set of libraries widely used for AWS-native event streaming and data pipelines. Security teams are raising alarms as the attack quietly steals sensitive developer credentials upon package installation.
When a developer installs one of the affected packages, the payload activates, collecting credentials stored across various locations, including files, environment variables, shell history, GitHub CLI tokens, cloud access keys, and CI/CD pipeline secrets. Operating silently in the background, it transmits the harvested data to attacker-controlled GitHub repositories.
The scale of exposure is significant. The affected packages recorded approximately 45,000 downloads in a single month, indicating that thousands of developers may have been compromised without their knowledge. Analysts at JFrog Security Research identified this new wave and published their findings in a report. Researcher Yair Benamou noted that this is not an entirely new threat but a continuation of the same campaign, utilizing the same credential theft mechanisms but targeting new victims with updated markers.
The Leo/RStreams libraries are central to cloud-native development workflows, wrapping AWS services like Kinesis, S3, Lambda, and DynamoDB. Consequently, any developer installing these tools is likely operating in an environment rich with cloud credentials and deployment tokens. This positioning means that a single compromised installation can expose far more than just one developer’s workstation.
This latest wave confirms that the Shai-Hulud operation remains active and continues to evolve. Rather than developing new malware from scratch, the attackers are recycling a proven payload and directing it at new, trusted package families. Defenders relying solely on old campaign names or outdated signatures are at risk of missing these threats entirely.
The malicious packages employ a clever delivery method to evade basic security scanners. Instead of embedding harmful code within the standard npm install scripts that most tools inspect, the attacker conceals execution inside a file named binding.gyp. When npm encounters a package with this file and no explicit install script, it automatically runs node-gyp, which processes shell commands embedded within that file. This technique allows the attacker to execute code during installation while remaining undetected.
Once activated, the payload collects credentials from a wide range of sources on the developer’s machine. It targets GitHub tokens, npm and PyPI publishing credentials, AWS access keys, JFrog and Artifactory tokens, and SSH keys. The stolen data is then packaged into encrypted files and exfiltrated by creating repositories under a stolen GitHub token and committing the results.
In light of these developments, developers and organizations must exercise heightened vigilance when managing dependencies. Regularly auditing installed packages, monitoring for unusual repository activity, and implementing robust credential management practices are essential steps to mitigate the risks posed by such sophisticated supply chain attacks.
