F5 Threat Report - November 26th, 2025
Shai-Hulud 2.0 npm Supply Chain Attack Steals Credentials
A new npm supply-chain campaign, dubbed Shai-Hulud 2.0, has compromised numerous popular packages, including those from Zapier, ENS Domains, PostHog, and Postman, by leveraging compromised maintainer accounts to publish trojanized versions. This variant executes malicious code during the `preinstall` phase, leading to credential theft and exfiltration of developer and CI/CD secrets to GitHub repositories named "Shai-Hulud." The attack, observed between November 21 and 23, 2025, creates files like `cloud.json`, `contents.json`, `environment.json`, `truffleSecrets.json`, and attempts to create `discussion.yaml`. Key indicators of compromise include specific package versions (e.g., `@zapier/zapier-sdk` 0.15.5-0.15.7, `@ensdomains/ens-validation` 0.1.1, `@posthog/agent` 1.24.1), the presence of `preinstall` scripts, a GitHub Actions workflow named `shai-hulud-workflow.yml`, access to cloud metadata endpoints, outbound connections to `webhook[.]site`, and `data.json` files containing encoded secrets. Immediate actions recommended include removing and replacing compromised packages, clearing the npm cache, pinning dependencies to known clean versions or rolling back to pre-November 21, 2025 builds, revoking and regenerating npm tokens, GitHub PATs, SSH keys, and cloud provider credentials, enforcing phishing-resistant MFA, searching for "Shai-Hulud" repositories, reviewing for unauthorized workflows, monitoring new npm publishes, restricting or disabling lifecycle scripts in CI/CD, limiting outbound network access, and using short-lived, scoped automation tokens.
Severity: Critical
Sources
- https://cyberinsider.com/second-wave-of-shai-hulud-npm-malware-hits-zapier-ens-domains/
- https://financefeeds.com/shai-hulud-malware-hits-400-javascript-packages-in-major-npm-supply-chain-attack/
- https://gbhackers.com/zapiers-npm-account-hacked-multiple-packages-infected/
- https://hackread.com/shai-hulud-npm-worm-supply-chain-attack/
- https://securitylabs.datadoghq.com/articles/supply-chain-attacks-runtime-security-detection/
- https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
- https://www.bitcoininsider.org/article/293565/shai-hulud-malware-hits-npm-crypto-libraries-face-growing-security-crisis
- https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
- https://www.hendryadrian.com/shai-hulud-npm-attack-what-you-need-to-know/
- https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
Threat Details and IOCs
| Malware: | Anivia Stealer, Sha1-Hulud, SHA1-HULUD, Shai Hulud, Shai-Hulud, ZeroTrace Stealer |
| CVEs: | CVE-2025-10894, CVE-2025-59037, CVE-2025-59140, CVE-2025-59141, CVE-2025-59142, CVE-2025-59143, CVE-2025-59144, CVE-2025-59162, CVE-2025-59330, CVE-2025-59331 |
| Technologies: | Amazon Web Services, Amazon Web Services (AWS), Apple macOS, AsyncAPI, Bun, Ethereum, Ethereum Name Service, GitHub, GitHub Actions, Google Cloud Platform, Google Cloud Platform (GCP), Kubernetes, Linux, Microsoft Azure, Microsoft Windows, Node.js, npm, PostHog, Postman, SSH, Vercel Next.js, Zapier |
| Attacker Domains: | bun.sh, shai-hulud-2.github.io, webhook.site |
| Attacker URLs: | bun.sh/install.ps1, https://bun.sh/install, https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js, https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming.&ref=opensearch&type=repositories, hxxps://shai-hulud-2.github.io/data.json, hxxps://webhook.site/a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6, hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 |
| Attacker Hashes: | 2efa4dff59bc3d3cecdf897ccf178f99b115d63d |
| Victim Industries: | Critical Manufacturing, Cryptocurrency, Financial Services, Healthcare, Information Technology, Manufacturing, Software, Technology Hardware |
| Victim Countries: | Belgium, Cayman Islands, United States |
Mitigation Advice
- Scan all development and CI/CD environments for the specific compromised npm packages and versions listed in the article.
- If any compromised npm packages are found, remove them, clear the npm cache, and delete the `node_modules` directory from the affected project.
- Block all outbound network connections from build servers and developer workstations to `webhook[.]site` at the network firewall.
- Search all company-managed GitHub organizations for newly created repositories containing "Shai-Hulud" in the title or description.
- Scan all GitHub repositories for the presence of a workflow file named `shai-hulud-workflow.yml`.
- Immediately revoke and regenerate all npm tokens, GitHub Personal Access Tokens (PATs), and SSH keys used in development and CI/CD environments.
- Immediately revoke and regenerate all cloud provider credentials, such as AWS IAM roles or GCP service account keys, accessible from CI/CD environments.
Compliance Best Practices
- Implement and enforce a strict policy for all development projects to pin npm package dependencies to specific, audited versions using a lock file.
- Update CI/CD pipeline configurations to disable or restrict the execution of npm lifecycle scripts, such as `preinstall` and `postinstall`, by default.
- Enforce the use of phishing-resistant Multi-Factor Authentication (MFA) for all developer and administrator accounts on code repositories like GitHub and package registries like npm.
- Implement network egress filtering on all CI/CD build runners to only allow outbound connections to a pre-approved list of essential domains.
- Re-architect CI/CD pipelines to use dynamically generated, short-lived, and narrowly-scoped access tokens for authentication instead of static, long-lived credentials.
- Implement automated monitoring to generate security alerts for any new packages published to public registries under your organization's name or scopes.
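The following triage script is an added example for this report (not F5's or npm's code). It checks a project against three indicators listed above: the compromised package versions named in the summary, packages that declare install-time lifecycle scripts, and the rogue `shai-hulud-workflow.yml` file. The lockfile, `package.json`, and repository file list are constructed samples; a real run would read them from disk.

```python
"""Triage an npm project for the Shai-Hulud 2.0 indicators this report lists.

Added example, not F5's or npm's own tooling. Assumes a lockfile in the
lockfileVersion 2/3 layout (top-level "packages" map keyed by node_modules path).
"""
import json
from pathlib import PurePosixPath

# Compromised versions named in this report (package -> affected versions).
COMPROMISED = {
    "@zapier/zapier-sdk": {"0.15.5", "0.15.6", "0.15.7"},
    "@ensdomains/ens-validation": {"0.1.1"},
    "@posthog/agent": {"1.24.1"},
}
# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")
ROGUE_WORKFLOW = "shai-hulud-workflow.yml"


def check_lockfile(lock: dict) -> list[str]:
    """Flag lockfile 'packages' entries pinned at a known-compromised version."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # "node_modules/a/node_modules/@scope/name" -> "@scope/name"
        name = path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED.get(name, set()):
            findings.append(f"{name}@{meta['version']} is a compromised version")
    return findings


def check_install_scripts(pkg: dict) -> list[str]:
    """Flag install-time hooks; the trojanized packages ran their payload in preinstall."""
    scripts = pkg.get("scripts", {})
    return [f"{pkg.get('name', '?')} declares {hook}: {scripts[hook]!r}"
            for hook in INSTALL_SCRIPTS if hook in scripts]


def check_workflows(repo_files: list[str]) -> list[str]:
    """Flag the rogue GitHub Actions workflow by file name, wherever it sits."""
    return [f"rogue workflow present: {f}" for f in repo_files
            if PurePosixPath(f).name == ROGUE_WORKFLOW]


def triage(lock_json: str, pkg_json: str, repo_files: list[str]) -> list[str]:
    """Run all three checks and return the combined findings."""
    return (check_lockfile(json.loads(lock_json))
            + check_install_scripts(json.loads(pkg_json))
            + check_workflows(repo_files))


# --- constructed sample input (not real project files) ---------------------
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@zapier/zapier-sdk": {"version": "0.15.6"},   # compromised
        "node_modules/@posthog/agent": {"version": "1.23.0"},       # clean version
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_PKG = json.dumps({
    "name": "@posthog/agent", "version": "1.24.1",
    "scripts": {"preinstall": "node setup.js", "test": "jest"},
})
SAMPLE_FILES = [".github/workflows/ci.yml",
                ".github/workflows/shai-hulud-workflow.yml"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOCK, SAMPLE_PKG, SAMPLE_FILES):
        print("[!]", finding)
```

The lifecycle-script restriction in the Compliance list above corresponds to `ignore-scripts=true` in a project or CI `.npmrc`, which stops npm from running these hooks at install time.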
APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains
A China-nexus threat actor, APT24 (also known as Pitty Tiger), has been observed deploying a previously undocumented malware named BADAUDIO in a nearly three-year espionage campaign primarily targeting Taiwan, alongside government, healthcare, construction, mining, non-profit, and telecommunications sectors in the U.S. BADAUDIO, a highly obfuscated C++ first-stage downloader, utilizes control flow flattening to resist reverse engineering and leverages DLL Search Order Hijacking for execution. It gathers system information, exfiltrates it, and downloads AES-encrypted payloads, such as Cobalt Strike Beacon. Initial access vectors include watering holes, where over 20 legitimate websites were compromised from November 2022 to September 2025 to inject JavaScript that targeted Windows users with fake Google Chrome update pop-ups using FingerprintJS. A significant supply chain compromise occurred in July 2024 when APT24 breached a Taiwanese digital marketing firm, injecting malicious JavaScript into a widely used library, affecting over 1,000 domains. Targeted phishing campaigns, active since August 2024, use animal rescue lures and tracking pixels to deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. Separately, another China-nexus threat actor, codenamed Autumn Dragon, has conducted a sustained espionage campaign against government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia. This campaign exploits a WinRAR vulnerability (CVE-2025-8088, CVSS 8.8) via spear-phishing with malicious RAR archives, leading to DLL sideloading using legitimate executables like `obs-browser-page.exe` and `Creative Cloud Helper.exe` to establish persistence, communicate via Telegram for reconnaissance, and deploy a C++ implant capable of executing various commands.
Severity: Critical
Sources
- https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/
- https://securityonline.info/chinas-apt24-launches-stealth-badaudio-malware-hitting-1000-domains-via-taiwanese-supply-chain-hack/
- https://thehackernews.com/2025/11/apt24-deploys-badaudio-in-years-long.html
- https://www.hendryadrian.com/apt24s-pivot-to-multi-vector-attacks-google-cloud-blog/
- https://www.hendryadrian.com/beyond-the-watering-hole-apt24s-pivot-to-multi-vector-attacks/
- https://www.securitylab.ru/news/566430.php
- https://www.securityweek.com/chinese-cyberspies-deploy-badaudio-malware-via-supply-chain-attacks/
Threat Details and IOCs
| Malware: | Agentemis, BadAudio, BADAUDIO, Beacon, BEACON, Cobalt Strike, CobaltStrike, Cobalt Strike Beacon, cobeacon, Enfal, Gh0st, Gh0st RAT, Lurid Downloader, Roudan, Specas, Taidoor |
| CVEs: | CVE-2012-0158, CVE-2014-1761, CVE-2025-8088 |
| Technologies: | Adobe Creative Cloud, Google Chrome, Google Drive, Microsoft OneDrive, Microsoft Windows, RARLAB WinRAR |
| Threat Actors: | APT24, AutumnDragon, EarthAughisky, G0011, PITTY PANDA, PittyTiger, Taidoor, Temp.Pittytiger, TempPittytiger |
| Attacker Countries: | China |
| Attacker Domains: | clients.brendns.workers.dev, jarzoda.net, jsdelivrs.com, public.megadatacloud.com, roller.johallow.workers.dev, taiwantradoshows.com, tradostw.com, trcloudflare.com, wispy.geneva.workers.dev, www.availableextens.com, www.brighyt.com, www.cundis.com, www.decathlonm.com, www.gerikinage.com, www.growhth.com, www.p9-car.com, www.twisinbeth.com |
| Attacker URLs: | https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@2/dist/fingerprint2.min.js, https://wispy.geneva.workers.dev/pub/static/img/merged?version=65feddea0367, https://www.twisinbeth.com/query.php, https://www.twisinbeth.com/query.php?id= |
| Attacker Hashes: | 032c333eab80d58d60228691971d79b2c4cd6b9013bae53374dd986faa0f3f4c, 07226a716d4c8e012d6fabeffe2545b3abfc0b1b9d2fccfa500d3910e27ca65b, 0e98baf6d3b67ca9c994eb5eb9bbd40584be68b0db9ca76f417fb3bcec9cf958, 176407b1e885496e62e1e761bbbb1686e8c805410e7aec4ee03c95a0c4e9876f, 1f31ddd2f598bd193b125a345a709eedc3b5661b0645fc08fa19e93d83ea5459, 2ea075c6cd3c065e541976cdc2ec381a88b748966f960965fdbe72a5ec970d4e, 55e02a81986aa313b663c3049d30ea0158641a451cb8190233c09bef335ef5c7, 5c37130523c57a7d8583c1563f56a2e2f21eef5976380fdb3544be62c6ad2de5, 83fb652af10df4574fa536700fa00ed567637b66f189d0bbdb911bd2634b4f0e, 88fa2b5489d178e59d33428ba4088d114025acd1febfa8f7971f29130bda1213, 9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182, ae8473a027b0bcc65d1db225848904e54935736ab943edf3590b847cb571f980, c4e910b443b183e6d5d4e865dd8f978fd635cd21c765d988e92a5fd60a4428f5, c7565ed061e5e8b2f8aca67d93b994a74465e6b9b01936ecbf64c09ac6ee38b9, cfade5d162a3d94e4cba1e7696636499756649b571f3285dd79dea1f5311adcd, d23ca261291e4bad67859b5d4ee295a3e1ac995b398ccd4c06d2f96340b4b5f8, f086c65954f911e70261c729be2cdfa2a86e39c939edee23983090198f06503c, f1e9d57e0433e074c47ee09c5697f93fde7ff50df27317c657f399feac63373a |
| Victim Industries: | Advertising Services, Arts, Entertainment, and Recreation, Construction, Engineering, Government, Healthcare, Industrials, Marketing & Advertising, Mining, Multimedia, Non-Governmental Organizations (NGOs), Retail, Telecommunications |
| Victim Countries: | Cambodia, Indonesia, Laos, Philippines, Singapore, Taiwan, United States |
Mitigation Advice
- Immediately patch all instances of WinRAR to version 7.13 or later to mitigate the actively exploited vulnerability CVE-2025-8088.
- Block the domain 'public.megadatacloud[.]com' at the network perimeter using your firewall, web proxy, or DNS filtering solution.
- Use your endpoint detection and response (EDR) tool to hunt for the legitimate executables 'obs-browser-page.exe' or 'Creative Cloud Helper.exe' loading malicious DLLs named 'libcef.dll' or 'CRClient.dll'.
- Configure endpoint detection rules to alert on legitimate applications loading DLLs from non-standard paths or user-writable directories to detect potential DLL Search Order Hijacking.
- Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Google Drive.
- Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Microsoft OneDrive.
Compliance Best Practices
- Develop and implement a continuous security awareness training program that educates users on identifying and reporting phishing attempts, especially those with suspicious attachments or links to cloud services.
- Establish a vendor risk management program to vet and continuously monitor the security posture of third-party suppliers, particularly those who provide code or services integrated into your company's websites.
- Deploy an application control solution, such as AppLocker or a third-party tool, to restrict software execution to only authorized applications, scripts, and DLLs.
- Implement a network egress filtering policy that denies all outbound traffic by default and only allows connections to known-good domains and ports required for business operations.
- Harden PowerShell across the environment by enabling Constrained Language Mode and forwarding all PowerShell script block and module logs to a centralized SIEM for analysis.
- Implement Subresource Integrity (SRI) on all corporate websites to ensure that third-party JavaScript libraries and other resources are not modified without authorization.
Chinese Hackers Exploiting WSUS Remote Code Execution Vulnerability to Deploy ShadowPad Malware
Chinese hackers are actively exploiting CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), to deploy the ShadowPad backdoor malware. Microsoft issued a security advisory for this vulnerability on October 14, 2025, with public proof-of-concept exploits emerging on October 22, 2025. The attack begins by exploiting the WSUS vulnerability to execute PowerCat, establishing a reverse shell to 154.17.26.41 on port 8080. Subsequently, on November 6, 2025, attackers utilized legitimate Windows utilities such as curl.exe and certutil.exe to install ShadowPad. This modular backdoor, associated with Chinese state-sponsored APT groups, employs DLL side-loading techniques involving components like ETDCtrlHelper.exe, ETDApix.dll, and 0C137A80.tmp, and establishes persistence through Windows Registry modifications, scheduled tasks, and service creation under the identifier "Q-X64." It communicates with command-and-control servers at 163.61.102.245 via HTTP/HTTPS on port 443, using Firefox user-agent strings and injecting into processes such as Windows Mail, Windows Media Player, and svchost.exe. Organizations must immediately apply the security update for CVE-2025-59287, audit WSUS server exposure and block inbound traffic on TCP ports 8530 and 8531 from non-Microsoft Update sources, and conduct threat hunting for suspicious PowerShell execution (specifically involving certutil.exe and curl.exe) and network connections to the identified C2 infrastructure.
Severity: Critical
Sources
- https://bluefire-redteam.com/cve-2025-59287-deep-dive-response-playbook-and-siem-edr-detection-recipes/
- https://buaq.net/go-371618.html
- https://buaq.net/go-373861.html
- https://buaq.net/go-375698.html
- https://cyberpress.org/cisa-alerts-on-active-exploitation-of-windows-server-update-services-rce-flaw/
- https://cyberpress.org/cisa-warns-wsus-vulnerability/
- https://cyberpress.org/hackers-exploit-wsus-vulnerability-to-steal-sensitive-organizational-data/
- https://cyberpress.org/microsofts-wsus-patch/
- https://cyberpress.org/shadowpad-malware/
- https://cyberpress.org/tcp-ports-8530-8531-wsus/
- https://cyberscoop.com/microsoft-windows-server-update-services-vulnerability-exploited-attacks/
- https://gbhackers.com/attackers-exploit-windows-server-update-services-flaw/
- https://gbhackers.com/cisa-alerts-on-of-wsus-vulnerability/
- https://gbhackers.com/hackers-actively-scanning-tcp-ports-8530-8531/
- https://gbhackers.com/microsofts-wsus-patch-causes-hotpatching-failures/
- https://gbhackers.com/wsus-vulnerability/
- https://hackread.com/hackers-exploit-wsus-skuld-stealer-microsoft-patch/
- https://horizon3.ai/attack-research/vulnerabilities/cve-2025-59287/
- https://hothardware.com/news/windows-server-update-service-is-under-attack
- https://isc.sans.edu/diary/rss/32440
- https://latesthackingnews.com/2025/10/28/microsoft-october-patch-tuesday-is-huge-with-170-fixes/
- https://meterpreter.org/windows-server-wsus-flaw-under-active-attack-cve-2025-59287-cvss-9-8-with-public-poc/
- https://orca.security/resources/blog/cve-2025-59287-critical-wsus-rce/
- https://securityboulevard.com/2025/10/critical-microsoft-wsus-security-flaw-is-being-actively-exploited/
- https://securityboulevard.com/2025/10/windows-server-update-service-wsus-remote-code-execution-vulnerability-cve-2025-59287/
- https://securityonline.info/critical-wsus-rce-cve-2025-59287-actively-exploited-to-deploy-shadowpad-backdoor/
- https://socprime.com/blog/cve-2025-59287-detection/
- https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html
- https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
- https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/
- https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/
- https://www.esecurityplanet.com/news/wsus-vulnerability/
- https://www.helpnetsecurity.com/2025/10/30/wsus-vulnerability-infostealer-cve-2025-59287/
- https://www.hendryadrian.com/analysis-of-shadowpad-attack-exploiting-wsus-remote-code-execution-vulnerability-cve-2025-59287/
- https://www.hendryadrian.com/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability-cve-2025-59287/
- https://www.hendryadrian.com/microsoft-wsus-remote-code-execution-cve-2025-59287-actively-exploited-in-the-wild/
- https://www.infosecurity-magazine.com/news/actively-exploited-wsus-bug-cisa/
- https://www.scworld.com/brief/attacks-involving-critical-wsus-vulnerability-under-investigation
- https://www.scworld.com/brief/dozens-impacted-by-active-wsus-vulnerability-abuse
- https://www.theregister.com/2025/10/27/microsoft_wsus_attacks_multiple_orgs/
Threat Details and IOCs
| Malware: | Alureon, BadCandy, BADCANDY, CryptoDefense, CryptoLocker, GlassWorm, Gokcpdoor, Locky, Lukitus, Msevents, MS Juan, PoisonPlug, POISONPLUG.SHADOW, SesameOp, ShadowPad, Skuld, Skuld Stealer, Stealit, TDL3, TDL-4, TDSS, Tidserv, TMPN Stealer, Virtumonde, Vundo, WinFixer |
| CVEs: | CVE-2024-11972, CVE-2024-9234, CVE-2024-9707, CVE-2025-0033, CVE-2025-24052, CVE-2025-24990, CVE-2025-2884, CVE-2025-47827, CVE-2025-49708, CVE-2025-55315, CVE-2025-59218, CVE-2025-59230, CVE-2025-59246, CVE-2025-59287 |
| Technologies: | Microsoft Entra ID, Microsoft Exchange Server, Microsoft Internet Information Services, Microsoft .NET Framework, Microsoft Windows, Microsoft Windows Server, Microsoft Windows Server Update Services, QNAP NetBak PC Agent, WordPress |
| Threat Actors: | APT17, APT23, APT41, AquaticPanda, DaggerPanda, EarthLusca, Skuld, TontoTeam, UNC6512, WetPanda, WickedPanda |
| Attacker Countries: | China |
| Attacker IPs: | 129.153.98.207, 134.122.38.84, 149.28.78.189, 154.17.26.41, 158.247.199.185, 163.61.102.245, 207.180.254.242, 45.158.12.7 |
| Attacker Domains: | api.braintreegateway.com, api.stripe.com, asec.ahnlab.com, avatars.githubusercontent.com, billing.epac.to, cybaq.chtq.net, dscriy.chtq.net, i.ibb.co, loglog.ac.d189493a.digimg.store, raw.githubusercontent.com, remote-auth-gateway.discord.gg, royal-boat-bf05.qgtxtebl.workers.dev, webhook.site, workersdev, wsus.ac.d189493a.digimg.store, yogswgeacbepthpjozvsf8frv90962ejy.oast.fun, ysoserial.net |
| Attacker URLs: | HTTP://163.61.102.245:443, HTTPS://163.61.102.245:443, https://api.braintreegateway.com/merchants/49pp2rp4phym7387/client_api/v*/payment_methods/paypal_accounts, https://api.stripe.com/v*/tokens, https://asec.ahnlab.com/wp-admin/admin-ajax.php, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.16.1, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js?m=1709594534, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/modules/lottie/assets/animations/default.json, https://asec.ahnlab.com/wp-json/, https://avatars.githubusercontent.com/u/145487845?v=4, https://discordapp.com/api/v*/auth/sessions, https://*.discord.com/api/v*/auth/sessions, https://discord.com/api/v*/auth/sessions, https://i.ibb.co/GJGXzGX/discord-avatar-512-FCWUJ.png, https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1, https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js, http://webhook.site/REDACTED, hxxp://134.122.38.84/dl, hxxp://134.122.38.84/ex, hxxp://149.28.78.189:42306, hxxp://149.28.78.189:42306/dll.txt, hxxp://149.28.78.189:42306/exe.txt, hxxp://149.28.78.189:42306/tmp.txt, hxxps://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi, hxxps://webhook.site/0f20cd3b-e570-4205-8049-c37627af0f5c, hxxps://webhook.site/7b483bdd-5134-4671-b9cd-310800303f32, hxxp://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a, hxxp://webhook.site/5771a289-0b13-4ee7-902a-21147cac31ef, hxxp://webhook.site/94f6da9d-b785-461b-bc5e-bbce7acaa35c, hxxp://yogswgeacbepthpjozvsf8frv90962ejy.oast.fun/check, wss://remote-auth-gateway.discord.gg/* |
| Attacker Hashes: | 27e00b5594530e8c5e004098eef2ec50, 3ebeb4e08c82b220365b1e7dd0cc199b765eed91, 564e7d39a9b6da3cf0da3373351ac717, 85b935e80e84dd47e0fa5e1dfb2c16f4, 9d686ceed21877821ab6170a348cc073, a0f65fcd3b22eb8b49b2a60e1a7dd31c, f7d8c52bec79e42795cf15888b85cbad |
| Victim Industries: | Aerospace, Construction, Critical Manufacturing, Education, Energy, Financial Services, Government, Healthcare, Health Care Technology, Information, Information and Communication, Information Technology, Logistics, Manufacturing, Multimedia, Public Health, Public Safety, Retail, Software, Technology Hardware, Telecommunications, Transportation, Utilities |
| Victim Countries: | Afghanistan, Germany, Malaysia, Netherlands, Pakistan, Taiwan, United States |
Mitigation Advice
- Immediately apply the security update for CVE-2025-59287 to all Windows Servers running the WSUS service.
- Create rules on the perimeter firewall to block all inbound and outbound traffic to IP addresses 154.17.26.41 and 163.61.102.245.
- Configure host-based and network firewalls to restrict inbound access to WSUS servers on TCP ports 8530 and 8531, allowing connections only from required Microsoft Update IP ranges.
- Use your EDR solution or other endpoint scanning tools to conduct a targeted search across all servers for the files `ETDApix.dll` and `0C137A80.tmp`.
- In your SIEM or EDR, search for executions of `curl.exe` or `certutil.exe` on WSUS servers that are followed by the creation of new executable files or services.
- Scan for any newly created scheduled tasks or system services on WSUS servers, paying special attention to any containing the identifier "Q-X64".
Compliance Best Practices
- Review and re-architect network segmentation to ensure critical internal infrastructure like WSUS servers are not directly accessible from the internet and are isolated from general user subnets.
- Develop and deploy advanced EDR and SIEM detection rules to alert on anomalous use of built-in Windows utilities (e.g., `powershell.exe`, `certutil.exe`, `curl.exe`), especially when initiated by web server processes like w3wp.exe.
- Plan and implement an application control solution, such as Windows Defender Application Control (WDAC), on critical servers to restrict executable and script execution to only known, authorized software.
- Formalize and resource a vulnerability management program that prioritizes patching based on threat intelligence and mandates strict SLAs for critical vulnerabilities on high-value assets.
- Implement TLS/SSL inspection on network egress points to enable detection of malicious C2 communications hiding within encrypted web traffic.
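The hunt logic below is an added example for this report (not F5's or any vendor's code) and serves both the APT24 DLL side-loading items and the WSUS/ShadowPad items above: a LOLBin spawned by the IIS worker process on a WSUS host and followed by a new executable or service, the "Q-X64" service identifier, and a legitimate executable loading a DLL from a user-writable directory. Events are simplified Sysmon-style dicts constructed here; the field names are assumptions to be mapped onto your SIEM schema.

```python
"""Hunt endpoint telemetry for the post-exploitation tradecraft this report
describes. Added example; event records below are constructed sample input.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

LOLBINS = {"curl.exe", "certutil.exe", "powershell.exe"}
WEB_PARENTS = {"w3wp.exe"}           # IIS worker process that hosts WSUS
SERVICE_TOKEN = "q-x64"              # ShadowPad persistence identifier
# Legitimate host executables named in the report and the DLLs abused alongside them.
SIDELOAD_PAIRS = {
    "obs-browser-page.exe": {"libcef.dll"},
    "creative cloud helper.exe": {"crclient.dll"},
    "etdctrlhelper.exe": {"etdapix.dll"},
}
# Directory roots a standard user can write to (assumed heuristic, extend as needed).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
FOLLOW_UP = timedelta(minutes=10)    # window for "download, then new binary/service"


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def detect(events: list[dict]) -> list[str]:
    """Return one alert string per matched rule, walking events in time order."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(events):
        host, kind = e["host"], e["type"]
        if kind == "process" and _name(e["image"]) in LOLBINS:
            exe = _name(e["image"])
            # Rule 1: built-in download utility launched by the web server process.
            if _name(e.get("parent", "")) in WEB_PARENTS:
                alerts.append(f"{host}: {exe} spawned by {_name(e['parent'])}: {e['cmdline']}")
            # Rule 2: same host writes a new executable or registers a service soon after.
            for f in events[i + 1:]:
                if f["ts"] - e["ts"] > FOLLOW_UP:
                    break
                if f["host"] != host:
                    continue
                if f["type"] == "file" and _name(f["path"]).endswith((".exe", ".dll")):
                    alerts.append(f"{host}: {exe} followed by new executable {f['path']}")
                elif f["type"] in ("service", "task"):
                    alerts.append(f"{host}: {exe} followed by new {f['type']} {f['name']!r}")
        elif kind in ("service", "task") and SERVICE_TOKEN in e["name"].lower():
            # Rule 3: ShadowPad persistence identifier in a service or scheduled task name.
            alerts.append(f"{host}: {kind} {e['name']!r} matches ShadowPad identifier Q-X64")
        elif kind == "imageload" and _in_user_writable(e["loaded"]):
            # Rule 4: DLL loaded from a user-writable path; annotate known side-loading pairs.
            exe, dll = _name(e["image"]), _name(e["loaded"])
            tag = " (known side-loading pair)" if dll in SIDELOAD_PAIRS.get(exe, set()) else ""
            alerts.append(f"{host}: {exe} loaded {dll} from user-writable path {e['loaded']}{tag}")
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2025-11-06T{hhmm}:00")


# Constructed sample events: one compromised WSUS host plus benign noise on a workstation.
SAMPLE_EVENTS = [
    {"ts": _t("10:00"), "host": "wsus01", "type": "process",
     "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "certutil.exe <arguments redacted in sample>"},
    {"ts": _t("10:02"), "host": "wsus01", "type": "file", "path": r"C:\ProgramData\ETDApix.dll"},
    {"ts": _t("10:05"), "host": "wsus01", "type": "service", "name": "Q-X64"},
    {"ts": _t("10:06"), "host": "wsus01", "type": "imageload",
     "image": r"C:\ProgramData\ETDCtrlHelper.exe", "loaded": r"C:\ProgramData\ETDApix.dll"},
    {"ts": _t("10:07"), "host": "ws-42", "type": "process",
     "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "curl.exe https://example.com/"},
    {"ts": _t("10:08"), "host": "ws-42", "type": "imageload",
     "image": r"C:\Program Files\obs-studio\bin\64bit\obs-browser-page.exe",
     "loaded": r"C:\Program Files\obs-studio\bin\64bit\libcef.dll"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("[!]", alert)
```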
GlobalProtect VPN Portals Probed with 2.3 Million Scan Sessions
Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals increased 40-fold within 24 hours, starting November 14, 2025, signaling a coordinated campaign. Real-time intelligence company GreyNoise observed 2.3 million scan sessions between November 14 and 19, specifically probing the `*/global-protect/login.esp` URI, which is the web endpoint for VPN user authentication. This surge follows previous spikes reported by GreyNoise in April and October 2025, with the current activity linked to earlier campaigns through recurring TCP/JA4t fingerprints and shared Autonomous System Numbers (ASNs), primarily AS200373 (3xK Tech GmbH) with IPs largely from Germany and Canada, and AS208885 (Noyobzoda Faridduni Saidilhom). Login attempts are predominantly directed at the United States, Mexico, and Pakistan. GreyNoise highlights that these scanning spikes often precede the disclosure of new security flaws, a correlation particularly strong for Palo Alto Networks products, noting past incidents like the active exploitation of CVE-2025-0108 (chained with CVE-2025-0111 and CVE-2024-9474) in February and a data breach in September.
Severity: Critical
Sources
Threat Details and IOCs
| Malware: | Alureon, CryptoDefense, CryptoLocker, CryptorBit, HowDecrypt, Locky, Lukitus, MS Juan, Odin, TDL-4, TDSS, Thor, Tidserv, Virtumonde, Vundo, Zepto |
| CVEs: | CVE-2024-9474, CVE-2025-0108, CVE-2025-0111, CVE-2025-0140, CVE-2025-0141, CVE-2025-2183 |
| Technologies: | Apple macOS, Linux, Microsoft Windows, Palo Alto Networks |
| Threat Actors: | ShinyHunters |
| Attacker Countries: | Canada, Germany |
| Attacker URLs: | /global-protect/login.esp |
| Victim Industries: | Automotive, Business Services, Education, Financial Services, Government, Healthcare, Industrial Control Systems, Information Technology, Manufacturing, Oil & Gas, Public Sector, Retail, Transportation, Utilities |
| Victim Countries: | Mexico, Pakistan, United States |
Mitigation Advice
- Verify that all Palo Alto Networks PAN-OS devices are patched against vulnerabilities CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474.
- Query firewall, VPN, and web proxy logs for inbound connection attempts to the URI path containing '/global-protect/login.esp' to identify potential targeting.
- Implement firewall rules to block all inbound traffic from Autonomous System Numbers AS200373 and AS208885.
Compliance Best Practices
- Reconfigure network architecture to ensure the Palo Alto Networks GlobalProtect management interface is not exposed to the public internet and is only accessible from a trusted internal network segment.
- Configure SIEM or other log monitoring tools to establish a baseline for normal traffic to the GlobalProtect VPN portal and create alerts for significant deviations or anomalous increases in login attempts.
- Establish a comprehensive vulnerability management program that includes regular, authenticated scanning of all internet-facing infrastructure and defines service-level agreements (SLAs) for patching critical vulnerabilities.
Active Exploitation of Oracle Identity Manager CVE-2025-61757 Observed in September
Active exploitation attempts for CVE-2025-61757, an Oracle Identity Manager vulnerability, were observed between August 30th and September 9th, preceding Oracle's patch release on October 21st as part of its Critical Patch Update. This vulnerability, initially reported by Searchlight Cyber, enables authentication bypass and potential remote code execution by appending `;.wadl` to URLs, exemplified by `/iam/governance/applicationmanagement/templates;.wadl`. Logs indicate scans targeting `/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl` via POST requests containing a 556-byte payload. Multiple IP addresses (89.238.132.76, 185.245.82.81, 138.199.29.153) were involved, all using the same User-Agent string: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36`. These same IP addresses were also noted scanning for CVE-2025-4581 (Liferay Portal), bug bounty targets, and Log4j exploits.
Severity: Critical
Sources
Threat Details and IOCs
| Malware: | Aisuru, BadAudio, Sturnus, TurboMirai |
| CVEs: | CVE-2025-4581, CVE-2025-61757 |
| Technologies: | Oracle Fusion Middleware, Oracle Identity Manager |
| Attacker IPs: | 138.199.29.153, 185.245.82.81, 89.238.132.76 |
| Attacker URLs: | /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl, /iam/governance/applicationmanagement/templates;.wadl, /o/portal-settings-authentication-opensso-web/com.liferay.portal.settings.web/test_opensso.jsp |
| Victim Industries: | Construction & Real Estate, Defense, Financial Services, Government, Hospitality, Information Security, Information Technology, Insurance, Internet & Cloud Services, Life Sciences, Managed Service Providers, Professional Services, Technology Hardware |
| Victim Countries: | United Kingdom, United States |
Mitigation Advice
- Immediately apply the October Critical Patch Update to all Oracle Identity Manager instances to patch CVE-2025-61757.
- Add the IP addresses 89.238.132.76, 185.245.82.81, and 138.199.29.153 to your firewall's blocklist.
- Create a rule in your WAF or IDS/IPS to detect and block any HTTP requests containing the string ';.wadl' in the URL path.
- Query web server logs and SIEM data for requests containing ';.wadl' in the URL or matching the User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36' to identify potential past or current malicious activity.
Compliance Best Practices
- Establish or enhance a formal vulnerability management program that includes regular scanning, risk assessment, and a defined service-level agreement (SLA) for applying critical security patches.
- Review and harden Web Application Firewall (WAF) policies to block anomalous URL patterns, such as the use of semicolons for path parameter manipulation, to provide a generic defense against similar authentication bypass techniques.
- Enhance logging capabilities for critical web applications to capture and retain full HTTP request bodies, especially for POST requests, to improve future incident response and forensic analysis.
- Implement network segmentation to isolate internet-facing application servers, like Oracle Identity Manager, from internal corporate and database networks to limit the blast radius of a potential compromise.
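The log review below is an added example for this report (not F5's or any vendor's code) and serves two of the entries above: the Oracle Identity Manager items that ask for `;.wadl` and generic semicolon path-parameter detection plus the shared User-Agent, and the GlobalProtect items that ask for a baseline of hits on `/global-protect/login.esp` with alerts on sharp deviations. It parses combined-format access logs; the sample lines, IP addresses other than those quoted in the report, and the 10x spike threshold are constructed assumptions.

```python
"""Two access-log checks drawn from this report, run on constructed sample lines.

Added example, not F5's or Oracle's or Palo Alto Networks' code.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Apache/Nginx combined log format; the constructed sample lines follow this shape.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)
# User-Agent shared by the three scanning IPs in the Oracle Identity Manager entry.
SCANNER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
GP_LOGIN = "/global-protect/login.esp"


def parse(line: str):
    """Return the log fields as a dict (plus a 'day' date), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
    return rec


def path_parameter_findings(lines) -> list[str]:
    """Requests whose URL path carries a ';' segment parameter such as ';.wadl'.
    The path is percent-decoded first so an encoded '%3B' is not missed."""
    out = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        path = unquote(urlsplit(rec["target"]).path)   # drops ?query, keeps ;param
        if ";" in path:
            param = path[path.index(";"):]
            ua_note = ", scanner UA" if rec["ua"] == SCANNER_UA else ""
            out.append(f"{rec['ip']} {rec['method']} {path} ({param}{ua_note})")
    return out


def login_portal_spikes(lines, factor: int = 10):
    """Daily hit counts on the GlobalProtect login endpoint, plus the days whose
    count exceeds `factor` times the mean of all earlier days (the baseline)."""
    per_day = Counter()
    for line in lines:
        rec = parse(line)
        if rec and urlsplit(rec["target"]).path.endswith(GP_LOGIN):
            per_day[rec["day"]] += 1
    spikes, history = [], []
    for day in sorted(per_day):
        if history and per_day[day] > factor * (sum(history) / len(history)):
            spikes.append((day.isoformat(), per_day[day]))
        history.append(per_day[day])
    return {d.isoformat(): n for d, n in sorted(per_day.items())}, spikes


def _line(ip, ts, method, target, ua="Mozilla/5.0", status=200):
    return f'{ip} - - [{ts}] "{method} {target} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: the scanner IPs quoted in the report, an encoded variant,
# a benign request, and four days of GlobalProtect portal traffic with one spike.
SAMPLE_LINES = [
    _line("89.238.132.76", "02/Sep/2025:08:15:01 +0000", "POST",
          "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl",
          SCANNER_UA),
    _line("185.245.82.81", "02/Sep/2025:08:15:09 +0000", "GET",
          "/iam/governance/applicationmanagement/templates;.wadl?x=1", SCANNER_UA),
    _line("198.51.100.7", "03/Sep/2025:09:00:00 +0000", "GET",
          "/iam/governance/applicationmanagement/templates%3B.wadl"),   # encoded ';'
    _line("198.51.100.8", "03/Sep/2025:09:01:00 +0000", "GET",
          "/iam/governance/applicationmanagement/templates"),           # benign
]
for _day, _hits in (("11", 2), ("12", 3), ("13", 2), ("14", 30)):
    SAMPLE_LINES += [_line(f"203.0.113.{i % 250 + 1}", f"{_day}/Nov/2025:12:{i:02d}:00 +0000",
                           "GET", GP_LOGIN) for i in range(_hits)]

if __name__ == "__main__":
    for f in path_parameter_findings(SAMPLE_LINES):
        print("[!] path parameter:", f)
    counts, spikes = login_portal_spikes(SAMPLE_LINES)
    print("login.esp hits per day:", counts)
    print("spike days:", spikes)
```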