malware npm
@postman/mcp-ui-client
discovered 2025-11-24
@postman/mcp-ui-client is identified in the SafeDep analysis "Shai-Hulud 2.0 npm Supply Chain Attack Technical Analysis". That analysis describes a critical npm supply chain attack that compromised zapier-sdk, @asyncapi, posthog, and @postman packages with self-replicating malware. It covers credential harvesting, GitHub Actions exploitation, and worm-like propagation affecting 25,000+ repositories, and it includes IOCs, detection methods, and remediation steps.
Threat types
credential_stealer data_exfiltration worm persistence
Malicious versions
- 5.5.1
- 5.5.2
Campaigns
Indicators
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- ttp T1059.007 Command and Scripting Interpreter: JavaScript
- ttp T1552.001 Unsecured Credentials: Credentials In Files
- ttp T1041 Exfiltration Over C2 Channel
- ttp T1528 Steal Application Access Token
- ttp T1105 Ingress Tool Transfer
- ttp T1071.001 Application Layer Protocol: Web Protocols
- ttp T1102 Web Service
- ttp T1546 Event Triggered Execution
- ttp T1021 Remote Services
- ttp T1098 Account Manipulation
- ttp T1027 Obfuscated Files or Information
