CyberSec.ma and Our Shai-Hulud 2.0 Research
I am Abdessamad, part of the research team and a member of CyberSec.ma, a non-profit volunteer cybersecurity community. One of the things I value most in this community is that we try to keep our work practical: not just commenting on incidents, but taking time to study them properly and produce something useful for others.
For the Shai-Hulud 2.0 campaign, we went beyond reading public reports. We reproduced parts of the attack chain in the lab and looked at how the malware abused the npm installation flow, the use of Bun, GitHub-based command and control, and the way secrets and access could be exposed through compromised developer environments. That helped us understand both the technical behavior and the real operational impact.
The second part of the work was intelligence and community support. We used OSINT and the traces left by the campaign to help identify potentially impacted GitHub users and repositories, then published a free checker through CyberSec.ma so people could quickly verify whether they appeared in the known dataset. That community-facing output was the most important part for us: turning analysis into something directly useful.
The full original writeup is available on CyberSec.ma, and the related checker is part of the public intelligence section. Special thanks to Adnane and Karim for the collaboration and the work behind this research.