Visiting KubeCon North America? See us at Booth # 752

Shai-Hulud, Revisited: Evolution of the November NPM Activity

December 4, 2025

The September Shai-Hulud incident demonstrated that NPM could be used as a high-throughput propagation layer for self-replicating malware. A second wave of related activity observed in November showed that the adversary had adapted. The focus shifted from browser-centric payloads toward CI-adjacent execution, broader credential harvesting and more resilient exfiltration channels. While the exact indicators of compromise varied across reports, the technical patterns were consistent enough to treat the November activity as a continuation of the same underlying threat model.

Evolving Objectives and Faster Propagation

As in the earlier wave, the November activity began with maintainer credential compromise. Attackers used a mix of phishing and previously stolen tokens to regain control of NPM accounts. This time, their target selection expanded beyond highly visible maintainers to include owners of lower-profile transitive dependencies that form dense connective tissue within the dependency graph. These nodes may not have high individual visibility but compromising them increases downstream reach.

The result was faster movement from initial access to wide distribution. Hundreds of packages were updated in short windows, often using small, routine-looking version increments (patch or minor bumps). Behind these innocuous version bumps were payloads that were more modular, more deeply concealed and engineered for CI environments rather than end-user systems.

The shift in objectives is important. The September variant was primarily concerned with browser wallet interception. The November wave focused instead on gaining footholds in CI and build environments. It inspected metadata, build logs, container runtime details and credentials for cloud services or artifact registries. In some documented cases, it attempted to register new CI runners or modify automation workflows, creating persistent and less obvious control points inside build systems. This redirected the risk from end-user compromise to direct compromise of the software delivery pipeline.

How the November Activity Unfolded

Although the payloads evolved, the sequence of behaviors remained consistent across affected packages.

Entry through compromised maintainers.

Attackers reused recovered tokens or conducted new phishing operations to obtain publish rights. They retrieved legitimate tarballs, introduced install-time logic and repackaged the result as new versions.

Install-time execution.

The injected logic ran from npm lifecycle scripts (preinstall or postinstall), which execute automatically on install unless scripts are disabled. Instead of targeting browser environments, it evaluated whether it was running in a CI or build context by probing environment variables, filesystem paths and metadata services exposed by orchestrators.

Environment and credential access.

Inside CI, the payload enumerated build metadata, cloud credentials, secret stores and registry tokens. It attempted to identify credentials that allowed writes to source repositories or registries, enabling lateral movement.

Establishing persistence in automation systems.

Several samples attempted to register new runners or modify existing workflows. These changes often triggered on less common events, allowing attacker-controlled logic to run under CI privileges while appearing operationally benign.

Propagation through rapid version updates.

Compromised maintainer accounts published bursts of new versions across many packages. These publishes were tightly clustered, often lacked corresponding commits or tags in source repositories and frequently occurred outside historical working hours for those maintainers.

Exfiltration and fallback behavior.

The November activity expanded exfiltration mechanisms beyond Git repositories to include object storage buckets and webhook endpoints. This increased resiliency and reduced dependence on any single destination.

Why Signature-Based Detection Became Less Effective

The November variant deliberately reduced the presence of wallet-specific patterns that had assisted earlier detection. Instead, it emphasized generic automation logic and cloud-adjacent APIs common in CI environments.

This created several challenges:

  • Fewer domain-specific indicators.
    Earlier heuristics relied on wallet API usage. These no longer appeared.
  • Heavier obfuscation.
    Payloads became more modular, and dynamic loading increased.
  • Overlap with legitimate automation.
    Scripts interacting with CI metadata and registry credentials resemble behavior from legitimate tools, blurring the distinction between benign and malicious activity.

As a result, detection approaches that depend on specific signatures or domain-specific logic became less reliable. More durable detection methods centered on behavioral invariants.

Durable Invariants Across the November Activity

Certain high-level patterns remained consistent, even as payload details changed. These invariants are more difficult for attackers to conceal and more useful for defenders.

Registry–source divergence.

Many malicious publishes lacked corresponding commits or tags in their source repositories or diverged significantly from expected commit history. This remained a strong indicator of compromise.

Deviations in maintainer behavior.

Compromised maintainers showed publish bursts far above their baseline. Updates occurred across numerous packages within minutes, and activity often fell outside typical working hours. These behavioral anomalies remained consistent even as payloads evolved.

Structural changes in code.

Four-line patches or minor revision bumps contained significant shifts in complexity, such as new dynamic execution paths, environment probing or loaded configuration modules. These changes were disproportionate relative to the nominal version increments.

Install-time behaviors in CI.

Scripts accessed CI metadata, probed service endpoints or attempted runner registration. Such actions are atypical for most package installs, and the signal is only available where lifecycle scripts are observed at all: pipelines that install with scripts disabled (for example npm's ignore-scripts setting) neutralize this stage, while pipelines that allow them need a baseline of which packages legitimately require install hooks.

Network and exfiltration behavior.

Payloads attempted outbound communication to previously unseen endpoints during installation. While the endpoints varied, the pattern of unexpected network activity persisted.

These invariants remained robust against attacker adaptation.

Signal Fusion and Detection Logic

No single signal reliably identifies this activity. Effective detection requires combining independent layers:

  • Registry diffs identify candidate packages through unusual churn or localized complex diffs.
  • Maintainer behavior baselines elevate accounts that exhibit high-variance activity.
  • Code structure analysis flags disproportionate complexity changes in simple modules.
  • Install-time monitoring in CI confirms unexpected behavior without requiring prior knowledge of specific payloads.
  • Network behavior identifies exfiltration and lateral movement activity.
  • Cross-environment correlation establishes links between packages and maintainers affected by the same underlying technique.

This multi-layer approach is resilient even when attackers remove earlier detectable patterns.
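The following is an added illustration of the invariants and the fusion logic described in the two sections above; it is example code written for this page, not CleanStart's tooling. The publish events, maintainer baselines, package and maintainer names, endpoints and the `added_source` snippets (standing in for the lines a registry diff shows as added between two tarballs) are all constructed for the example, and the regexes for CI markers and dynamic execution are deliberately simple stand-ins for real code analysis.

```python
"""Signal fusion over npm publish events (added example, constructed data).

Each detection layer from the post is an independent predicate; a publish is
flagged only when several of them fire, so removing one pattern (for example
wallet strings) does not remove the detection.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Source snippet reused by the constructed malicious publishes: a small diff
# that probes for CI and introduces dynamic execution.
PROBE_SNIPPET = (
    "const env = process.env;\n"
    "if (env.GITHUB_ACTIONS || env.CI) {\n"
    "  const c = require('child_process');\n"
    "  eval(Buffer.from(env.X, 'base64').toString());\n"
    "}\n"
)

# Constructed publish events (hypothetical packages and maintainers).
PUBLISHES = [
    {"package": "tiny-pad", "version": "2.3.1", "maintainer": "alice",
     "ts": "2025-11-18T14:05:00", "tag_in_repo": True, "scripts": {},
     "added_source": "module.exports.pad = (s, n) => s.padStart(n);\n",
     "outbound": []},
    {"package": "color-name-x", "version": "1.7.1", "maintainer": "bob",
     "ts": "2025-11-19T03:12:00", "tag_in_repo": False,
     "scripts": {"postinstall": "node setup.js"},
     "added_source": PROBE_SNIPPET,
     "outbound": ["169.254.169.254", "hooks.example.net"]},
    {"package": "is-even-ish", "version": "3.0.2", "maintainer": "bob",
     "ts": "2025-11-19T03:13:00", "tag_in_repo": True,
     "scripts": {"preinstall": "node setup.js"},
     "added_source": PROBE_SNIPPET,
     "outbound": ["hooks.example.net"]},
    {"package": "ansi-tone", "version": "0.9.4", "maintainer": "bob",
     "ts": "2025-11-19T03:15:00", "tag_in_repo": False,
     "scripts": {"postinstall": "node setup.js"},
     "added_source": PROBE_SNIPPET,
     "outbound": ["169.254.169.254", "bucket.example.net"]},
]

# Constructed baselines: max distinct packages per 15-minute window seen
# historically, and the maintainer's usual publishing hours (local time).
MAINTAINER_BASELINE = {
    "alice": {"max_window_publishes": 1, "hours": (8, 19)},
    "bob": {"max_window_publishes": 1, "hours": (9, 18)},
}
KNOWN_ENDPOINTS = {"registry.npmjs.org"}          # constructed allowlist
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
LIFECYCLE = ("preinstall", "install", "postinstall")
CI_MARKERS = re.compile(r"\b(CI|GITHUB_ACTIONS|GITLAB_CI|BUILDKITE|JENKINS_URL|CIRCLECI)\b")
DYNAMIC_EXEC = re.compile(r"\b(eval|new Function|child_process|vm\.runIn)")


def parse_ts(s):
    return datetime.fromisoformat(s)


def burst_counts(publishes, window=timedelta(minutes=15)):
    """Largest number of distinct packages each maintainer published in any window."""
    by_maintainer = defaultdict(list)
    for p in publishes:
        by_maintainer[p["maintainer"]].append((parse_ts(p["ts"]), p["package"]))
    result = {}
    for m, events in by_maintainer.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            in_window = {pkg for t, pkg in events[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        result[m] = best
    return result


def signals(pub, bursts, baseline=MAINTAINER_BASELINE, known=KNOWN_ENDPOINTS):
    """Evaluate each independent detection layer for a single publish."""
    base = baseline[pub["maintainer"]]
    hour = parse_ts(pub["ts"]).hour
    added = pub["added_source"]
    diff_lines = added.count("\n")
    has_lifecycle = any(k in pub["scripts"] for k in LIFECYCLE)
    return {
        # registry-source divergence: no tag/commit backs this version
        "no_source_tag": not pub["tag_in_repo"],
        # maintainer behaviour: burst above baseline, publish outside usual hours
        "publish_burst": bursts[pub["maintainer"]] > base["max_window_publishes"],
        "off_hours": not (base["hours"][0] <= hour < base["hours"][1]),
        # structural: a tiny diff that adds a dynamic execution path
        "small_diff_dynamic_exec": diff_lines <= 10 and bool(DYNAMIC_EXEC.search(added)),
        # install-time: lifecycle hook present and the new code probes for CI
        "ci_probe_on_install": has_lifecycle and bool(CI_MARKERS.search(added)),
        # network: unseen destinations or the cloud metadata service
        "unseen_endpoint": any(h not in known for h in pub["outbound"]),
        "metadata_service": any(h in METADATA_HOSTS for h in pub["outbound"]),
    }


def triage(publishes, threshold=3):
    """Fuse the layers: flag a publish when at least `threshold` signals fire."""
    bursts = burst_counts(publishes)
    flagged = []
    for p in publishes:
        hits = [name for name, fired in signals(p, bursts).items() if fired]
        if len(hits) >= threshold:
            flagged.append((f"{p['package']}@{p['version']}", hits))
    return flagged


if __name__ == "__main__":
    for name, hits in triage(PUBLISHES):
        print(name, "->", ", ".join(hits))
```

Run as-is, the benign `tiny-pad` publish fires no signal while the three `bob` publishes are flagged with between five and seven signals each; `is-even-ish` is still caught even though it has a source tag and never touches the metadata service, which is the point of fusing layers rather than depending on any one of them. In practice the burst baseline and working-hours window come from each maintainer's publish history, and the `added_source` check is done by a real diff and parser rather than two regexes.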

Architectural Implications

The November activity reinforces that early detection must be properties-based rather than signature-based. Attackers can rapidly change payload details, but they cannot fully conceal structural signals such as registry–source mismatch, abnormal maintainer activity and install-time actions that violate established norms.

Treating package ingestion, build execution and CI configuration as interconnected surfaces is now essential. Traditional boundaries separating these components are no longer aligned with how adversaries operate. The November wave demonstrated how quickly an attacker can move from a compromised maintainer token to a persistent foothold inside CI infrastructure.

Closing Perspective

As attackers shift from user-centric payloads to CI-centric persistence, defenders must adapt detection methods accordingly. Structural invariants offer a stable foundation even when specific signatures lose relevance. CleanStart’s modeling across code, maintainers, registries and CI systems provides a practical mechanism for identifying these invariants at scale, enabling early detection and containment as adversaries continue to iterate.


Biswajit De

Co-founder & CTO, CleanStart
