Detecting Shai Hulud 2.0 – Get your cloud & CI/CD deception Honeytoken Package Gift

How Tropico Security Uses Honeytokens to Identify Supply Chain Worm Activity

At Tropico Security, we have always been strong advocates of high-interaction honeypots. We love them because they let us study real attacker behavior, understand techniques in depth, and give defenders insights that traditional security tools simply cannot provide. High-interaction deception is part of our DNA.

But as much as we appreciate deep, behavior-rich honeypots, not every threat requires a fully interactive environment. Some attacks are faster, narrower, and more opportunistic. They focus on stealing secrets rather than exploring systems. The Shai Hulud 2.0 supply-chain worm is one of those cases.

Understanding Shai Hulud 2.0

Shai Hulud 2.0 is a malicious worm that spread through compromised npm packages. During installation, the packages ran hidden scripts that collected credentials from developer machines and CI/CD environments, including GitHub tokens, npm tokens, and cloud credentials. These stolen secrets were then exfiltrated to attacker-controlled repositories and used to compromise new environments in turn.

Because the activity happens during the npm preinstall phase, many victims never noticed anything unusual, allowing the worm to move silently between projects, teams, and organizations.

Why Honeytokens Are the Right Fit Here

Even though Tropico is best known for building high-interaction honeypots, we also recognize that some threats are best caught with lighter, low-interaction signals. Shai Hulud 2.0 does not explore networks or interact with systems in a way a honeypot could observe. Instead, it grabs credentials and immediately exfiltrates them.

For a threat like this, honeytokens are the perfect match.

Honeytokens are small pieces of decoy data that no legitimate user should ever touch. If malware collects and transmits one, it becomes a clear and immediate indicator of compromise. For detecting this worm, honeytokens offer:

  • Direct visibility into credential harvesting
  • High-fidelity alerts without noise
  • Early detection before an attacker can pivot further

Low-interaction deception is the right tool for the job.

Tropico’s Honeytokens for Shai Hulud Detection

To help organizations defend against this specific threat, we have created a dedicated set of honeytokens designed to detect the behavior associated with Shai Hulud 2.0. These include decoy GitHub tokens, cloud keys, and npm tokens crafted to signal the exact exfiltration patterns used by the malware.

They can be safely placed in CI pipelines, developer environments, configuration files, and anywhere an attacker might search for credentials. If they are ever used or tested, Tropico Security immediately alerts you, giving your team time to rotate real credentials, investigate, and contain the incident.

A Holiday Gift for the Community

We believe security is stronger when the community shares knowledge, tools, and defensive techniques. That is why we are releasing our Shai Hulud honeytoken pack for free to the community.

It will be made available around Christmas as a small thank-you to our supporters, early adopters, and everyone who has followed our work so far. The goal is simple: help the ecosystem respond quickly to supply-chain threats without requiring complex deployments or specialized infrastructure.

Get them here: https://form.typeform.com/to/KmWCF2bu
