name: Mini Shai-Hulud C2 and Exfiltration Infrastructure Connection Analytic
category: 'Command and Control'
threatname: 'Exfiltration Over Web Service'
functionality: 'Web Proxy'
description: |
  Detects outbound connections to infrastructure used by the Mini Shai-Hulud npm worm
  (TeamPCP) for C2 communication and credential exfiltration. The worm uses a dual-channel
  exfiltration architecture for redundancy:

  Channel 1 - Session Protocol CDN: Stolen credentials encrypted with RSA-4096-OAEP
  wrapped AES-256-GCM are uploaded to filev2.getsession.org. The worm hardcodes a TLS
  cert pin for seed1.getsession.org. Session Protocol is a legitimate privacy messaging
  service — most enterprises have no legitimate traffic to this domain, but validate
  against your approved application inventory before deploying the session selector
  without a filter allowlist.

  Channel 2 - GitHub GraphQL dead-drop: Encrypted data committed to attacker-controlled
  repos via api.github.com using stolen tokens. Not detectable here as github.com
  cannot be blocked; detect instead via SCM audit on commits authored by
  claude@users.noreply.github.com on branches matching
  dependabot/github_actions/format/{dune-word}.

  git-tanstack.com and api.masscan.cloud are purpose-built malicious domains — these
  selectors carry zero FP risk and should fire as Critical.

  DEPLOYMENT SCOPE: Corporate web proxy covering developer workstation and self-hosted
  runner network egress. This is the only rule in this set with potential visibility into
  GitHub managed runner activity — but only if your organization routes GitHub Actions
  outbound traffic through a corporate proxy. Most organizations do not configure this,
  so assume coverage of managed runners is absent unless your network architecture
  confirms otherwise. For self-hosted runners whose traffic traverses your corporate proxy,
  this rule provides real-time exfiltration detection at the network layer regardless of
  whether endpoint telemetry is available on the runner itself.
reference:
  - https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
  - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
labels:
  - attack.exfiltration
  - attack.t1567
  - attack.t1567.001
  - attack.command_and_control
  - attack.t1102
  - Mini_Shai_Hulud
  - TeamPCP
  - Supply_Chain
  - TanStack
logsource:
  product: Web Proxy
  category: proxy
detection:
  selection_dedicated_c2:
    DomainName|contains:
      - 'git-tanstack.com'
      - 'api.masscan.cloud'
  selection_session_exfil:
    DomainName|contains:
      - 'filev2.getsession.org'
      - 'seed1.getsession.org'
  condition: selection_dedicated_c2 or selection_session_exfil
criticality: High
saveasthreat: false
violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'sourceaddress'
  level2_metadata_attributes:

TECHNICAL DETAILS

DEPLOYMENT SCOPE
----------------
Target systems:   Corporate web proxy covering workstation and self-hosted runner egress
Managed runners:  Coverage POSSIBLE but NOT GUARANTEED. Only applies if GitHub Actions
                  outbound traffic is routed through your corporate proxy. Verify your
                  GitHub Actions network configuration before assuming managed runner
                  coverage. Most organizations do not have this configured.
Priority target:  Self-hosted CI runners. If the worm executes on a self-hosted runner
                  and its traffic traverses the corporate proxy, this rule catches the
                  exfiltration in real time at the network layer — even if no endpoint
                  telemetry is available on the runner itself.
Criticality:      Consider splitting into two rules — selection_dedicated_c2 at Critical
                  (zero legitimate use) and selection_session_exfil at High (repurposed
                  legitimate infrastructure with environment-dependent FP risk).

C2 INFRASTRUCTURE DETAILS
-------------------------
Dedicated malicious domains (zero legitimate use, no filter needed):
  git-tanstack.com      — primary C2 observed in StepSecurity runtime analysis
                          (Bun process contacted during npm install execution)
  api.masscan.cloud     — GHA injected workflow exfil endpoint
                          POST /v2/upload receives all repo secrets via toJSON(secrets)

Repurposed legitimate infrastructure (requires filter_approved_session):
  filev2.getsession.org — Session Protocol open-group file CDN
                          POST /file receives RSA-4096-OAEP/AES-256-GCM ciphertext
                          Response: {"id": "<file_id>"}
  seed1.getsession.org  — TLS cert pin anchor hardcoded in worm payload
                          Cert: Oxen Privacy Tech Foundation, Melbourne AU
                          Valid until 2033

GitHub GraphQL dead-drop (not blockable at proxy — detect via SCM audit):
  Endpoint:       https://api.github.com/graphql
  Mutation:       createCommitOnBranch
  Commit author:  claude@users.noreply.github.com
  Commit message: chore: update dependencies
  Branch pattern: dependabot/github_actions/format/{dune-word}
  Marker repos:   siridar-ghola-567, tleilaxu-ornithopter-43
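
An added example, not part of the original rule: a small SCM audit check for the dead-drop indicators listed above, run over constructed commit records. The record field names (`repo`, `branch`, `author_email`, `message`) and the three verdict tiers are assumptions, and `{dune-word}` is matched as any single path segment because the page does not list the words.

```python
import re

# Indicators copied from the page.
AUTHOR = "claude@users.noreply.github.com"
MESSAGE = "chore: update dependencies"
MARKER_REPOS = {"siridar-ghola-567", "tleilaxu-ornithopter-43"}
# Assumption: {dune-word} is treated as any single path segment.
BRANCH_RE = re.compile(r"^(?:refs/heads/)?dependabot/github_actions/format/[^/]+$")

def indicators(commit):
    """Return the sorted list of indicator names a commit record matches."""
    hits = set()
    if commit.get("author_email", "").strip().lower() == AUTHOR:
        hits.add("author")
    if BRANCH_RE.match(commit.get("branch", "")):
        hits.add("branch")
    if commit.get("message", "").strip() == MESSAGE:
        hits.add("message")
    if commit.get("repo", "").rsplit("/", 1)[-1] in MARKER_REPOS:
        hits.add("marker_repo")
    return sorted(hits)

def verdict(commit):
    """alert: author and branch together, or a marker repo; review: one of the two alone."""
    hits = set(indicators(commit))
    if {"author", "branch"} <= hits or "marker_repo" in hits:
        return "alert"
    if hits & {"author", "branch"}:
        return "review"
    return "ignore"  # the commit message alone is too common to act on

# Constructed audit records; org names, repo names and the branch suffix are made up.
SAMPLE = [
    {"repo": "example-org/web-app", "branch": "dependabot/github_actions/format/arrakis",
     "author_email": AUTHOR, "message": MESSAGE},
    {"repo": "example-org/web-app", "branch": "dependabot/github_actions/actions/checkout-4",
     "author_email": "49699333+dependabot[bot]@users.noreply.github.com",
     "message": "Bump actions/checkout from 3 to 4"},
    {"repo": "example-org/docs", "branch": "main",
     "author_email": "dev@example.com", "message": MESSAGE},
    {"repo": "example-user/siridar-ghola-567", "branch": "main",
     "author_email": "dev@example.com", "message": "init"},
    {"repo": "example-org/api", "branch": "main", "author_email": AUTHOR, "message": "fix"},
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(verdict(c), indicators(c), c["repo"], c["branch"])
```
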

DNS blocking note:
  getsession.org uses a distributed node network.
  IP-based blocking is unreliable and will be bypassed as nodes rotate.
  DNS-level blocking of *.getsession.org at your resolver is the correct control.

FP Guidance:
  git-tanstack.com, api.masscan.cloud: zero FP expected in any environment
  filev2.getsession.org: low FP in enterprise; moderate FP in developer
    environments where engineers use Signal or Session as a messaging app
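
An added example, not part of the original rule: the two selectors evaluated over constructed proxy records, with the suggested Critical/High split and hits grouped by `accountname` then `sourceaddress`. The `approved_session_accounts` allowlist is a hypothetical stand-in for `filter_approved_session`, which the rule names but does not define.

```python
from collections import defaultdict

# Selector values copied from the rule; severities follow the suggested split.
SELECTORS = {
    "selection_dedicated_c2": ("Critical", ("git-tanstack.com", "api.masscan.cloud")),
    "selection_session_exfil": ("High", ("filev2.getsession.org", "seed1.getsession.org")),
}
RANK = {"High": 1, "Critical": 2}

def classify(event, approved_session_accounts=frozenset()):
    """Return (selector, severity) for one proxy record, or None if nothing matches."""
    domain = str(event.get("DomainName", "")).lower()
    for name, (severity, needles) in SELECTORS.items():
        if not any(n in domain for n in needles):  # same substring match as |contains
            continue
        # Hypothetical filter_approved_session: accounts cleared to use Session.
        if name == "selection_session_exfil" and event.get("accountname") in approved_session_accounts:
            return None
        return name, severity
    return None

def summarize(events, approved_session_accounts=frozenset()):
    """Group hits by accountname, then sourceaddress, keeping the highest severity."""
    out = defaultdict(dict)
    for ev in events:
        hit = classify(ev, approved_session_accounts)
        if hit is None:
            continue
        severity = hit[1]
        acct = ev.get("accountname", "unknown")
        src = ev.get("sourceaddress", "unknown")
        prev = out[acct].get(src)
        if prev is None or RANK[severity] > RANK[prev]:
            out[acct][src] = severity
    return dict(out)

# Constructed sample records (field names follow the rule; values are made up).
SAMPLE = [
    {"accountname": "svc-runner01", "sourceaddress": "10.20.0.15", "DomainName": "filev2.getsession.org:443"},
    {"accountname": "svc-runner01", "sourceaddress": "10.20.0.15", "DomainName": "api.masscan.cloud"},
    {"accountname": "jdoe", "sourceaddress": "10.30.4.7", "DomainName": "seed1.getsession.org"},
    {"accountname": "asmith", "sourceaddress": "10.30.4.9", "DomainName": "api.github.com"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE, approved_session_accounts={"jdoe"}))
```
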
Policy building walkthrough can be found in this previous post:
