A sophisticated and ongoing malware campaign known as Shai-Hulud has expanded its reach to target developers working with cloud and serverless infrastructure. Security researchers at JFrog Security Research have identified a new wave of malicious npm packages carrying the Hades malware family, this time infiltrating the Leo/RStreams ecosystem — a widely used set of libraries for AWS-native event streaming and data pipeline development. The malicious packages recorded approximately 45,000 downloads in a single month, suggesting thousands of developers may already be affected without being aware of it.
Why the Leo/RStreams Ecosystem Is a High-Value Target
The Leo/RStreams libraries are deeply embedded in AWS-native cloud development workflows, wrapping core AWS services including Kinesis, S3, Lambda, and DynamoDB. Any developer installing these packages is highly likely to be operating in an environment rich with cloud credentials, deployment tokens, and production access keys. This positioning dramatically amplifies the blast radius of a single compromise — one infected developer workstation can expose team repositories, CI/CD pipelines, cloud production environments, and interconnected services across entire engineering organizations.
Rather than building new malware from scratch, the attackers recycle a proven credential-theft payload and redirect it at new, trusted package ecosystems. JFrog researcher Yair Benamou described the current wave as “another turn of the same campaign — same credential theft machinery but fresh targets and updated markers.”
How the Malware Evades Detection
The Shai-Hulud payload uses a clever delivery mechanism designed to bypass standard security scanners. Instead of embedding malicious code in the postinstall scripts that most security tools monitor, the attacker hides execution inside a file called binding.gyp. When npm encounters a package with this file and no explicit install script, it automatically invokes node-gyp, which processes shell commands embedded within the file. This provides a code execution vector at install time while staying below the radar of conventional detection approaches.
What Credentials Are Stolen?
Once executing, the payload performs a systematic sweep of the developer’s machine, targeting GitHub CLI tokens and personal access tokens, npm and PyPI publishing credentials, AWS access keys and session tokens, JFrog Artifactory and other registry tokens, SSH private keys, environment variables containing secrets, and CI/CD pipeline secrets and workflow configurations. Stolen data is packaged into encrypted files and exfiltrated via a technique known as a GitHub dead drop: the payload creates repositories under a stolen GitHub token and commits the credential data there, effectively using GitHub’s own infrastructure as an exfiltration channel.
Persistence and Lateral Movement
The infection does not end at the initial credential theft. Shai-Hulud plants multiple persistence mechanisms, including a systemd service on Linux or a LaunchAgent on macOS to survive reboots. The malware hooks into AI development tools by modifying configuration files for Cursor, GitHub Copilot, and Gemini — injecting malicious instructions into the AI coding assistant context. SSH keys found on the compromised machine are used to attempt lateral movement into other servers the developer accesses. The payload also injects itself into GitHub Actions workflows to dump pipeline secrets at CI/CD execution time. A single infected install on one machine could ripple outward into team repositories, cloud accounts, and production pipelines.
Indicators of Compromise
Malicious package versions identified in this campaign include leo-auth v4.0.6, leo-aws v2.0.4, leo-cache v1.0.2, leo-cdk-lib v0.0.2, leo-cli v3.0.3, leo-config v1.1.1, leo-connector-elasticsearch v2.0.6, leo-connector-mongo v3.0.8, leo-connector-mysql v3.0.3, leo-sdk v6.0.19, rstreams-metrics v2.0.2, serverless-convention v2.0.4, and serverless-leo v3.0.14 among others. Persistence artifacts to look for on compromised systems include ~/.config/gh-token-monitor/, ~/.local/bin/gh-token-monitor.sh, and AI tool hooks under .cursor/rules/setup.mdc, .gemini/settings.json, and .github/copilot-instructions.md.
Recommended Response
JFrog recommends that any developer who installed affected package versions isolate the affected machine and CI runners before rotating any credentials. All persistence artifacts must be removed first to prevent re-exfiltration during remediation. After cleanup, organizations should rotate all GitHub tokens, npm credentials, AWS access keys, SSH keys, Docker credentials, and package registry tokens. GitHub and npm accounts should also be audited for unexpected repositories, unauthorized package releases, or suspicious workflow changes that may indicate credentials were already leveraged by the attacker.