Threat Analysis: Shai-Hulud Supply Chain Campaign and The Gentleman Ransomware, What UK SMBs Need to Know

Hello, Mauven here.

This is your Daily Threat Analysis for 12th May 2026.

Two campaigns in today’s feed warrant your attention. One is a supply chain attack that moved at a speed most defenders cannot match. The other is a ransomware chain that demonstrates how attackers are actively engineering around the defences that organisations have actually deployed. Both carry SMB exposure: not necessarily direct, but through the IT providers and developer tooling that smaller businesses depend on.


Story One: Shai-Hulud, Signed Packages, Six Minutes, 84 Malicious Versions

The Shai-Hulud campaign, reported this morning by both BleepingComputer and The Register, involved attackers compromising the npm package ecosystem to push malicious versions of widely used developer packages, including TanStack and Mistral libraries. The attack window was six minutes. In that time, 84 malicious package versions were published.

The detail that matters is this: the packages were signed. They passed the kind of integrity checks that security-conscious development teams rely on as a first line of defence. The malicious versions contained credential-stealing code and, separately, disk-wiping capability.

The Register’s description, “cache-poisoning”, points to the mechanism. Attackers did not need to compromise the package authors directly. They manipulated the distribution chain, ensuring that developers pulling packages through standard tooling received the malicious versions instead of the legitimate ones.

What the headlines are not saying

This is not primarily an enterprise story, even though the coverage will frame it that way. The UK SMB sector has a significant population of businesses that either employ developers internally or rely on managed service providers and web development agencies that use exactly these package ecosystems. If your business has a website built on a modern JavaScript framework, if you have custom internal tooling, or if your IT provider builds and maintains software on your behalf, you are in the exposure chain.

You are probably not the intended target. That distinction offers limited comfort when credential-stealing malware lands on a developer’s machine that has access to your systems.

The NCSC has published guidance on software supply chain security. The fact that campaigns like this continue to succeed through signed-package compromise tells you how far implementation lags behind the advisory.

What to ask your IT provider or developers today

  • Do you have software composition analysis (SCA) in your build pipeline? SCA tooling checks dependencies against known-vulnerable and known-malicious packages before they are incorporated into builds.
  • How quickly would you know if a dependency you rely on had been compromised? Not after a vendor advisory, but in real time.
  • Are developer machines that have access to production environments treated as high-risk endpoints? They should be.

If the answer to any of these is a variation of “we rely on the package authors to keep things clean,” you have a gap.
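As an added illustration of the kind of check SCA tooling performs (example code written for this note, not from the newsletter or any cited source), the script below reads an npm package-lock.json, flags pinned versions that appear on a denylist of reported-malicious versions, and separately flags versions published only hours ago, which is the signal that matters when the publishing window is six minutes. The package names, versions, denylist and timestamps are constructed.

```python
"""Lockfile check against a denylist of known-malicious npm versions.

Added example, not code from the newsletter or any cited report. The package
names, versions, denylist and timestamps are constructed; in practice the
denylist comes from your SCA vendor or the npm advisory feed, and publish
times from the registry's "time" metadata for each package.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json (lockfileVersion 3 layout), as a developer
# machine holds it after a routine `npm install`.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@example/router": {"version": "1.4.2"},
        "node_modules/@example/query": {"version": "5.90.1"},
        "node_modules/left-pad-like": {"version": "1.3.0"},
    },
})

# Constructed denylist of (package, version) pairs reported as malicious.
DENYLIST = {("@example/router", "1.4.2"), ("@example/query", "5.90.1")}

# Constructed publish timestamps; a fixed "now" keeps the run reproducible.
NOW = datetime(2026, 5, 12, 9, 0, tzinfo=timezone.utc)
PUBLISH_TIMES = {
    ("@example/router", "1.4.2"): NOW - timedelta(hours=3),
    ("@example/query", "5.90.1"): NOW - timedelta(minutes=20),
    ("left-pad-like", "1.3.0"): NOW - timedelta(days=400),
}

def installed_packages(lock_text):
    """Map each installed package name to its pinned version."""
    found = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            found[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    return found

def denylisted(lock_text, denylist):
    """(name, version) pairs in the lockfile that appear on the denylist."""
    return sorted(p for p in installed_packages(lock_text).items() if p in denylist)

def recently_published(lock_text, publish_times, now, window=timedelta(hours=24)):
    """Pinned versions published inside `window`: an early warning before advisories."""
    return sorted(p for p in installed_packages(lock_text).items()
                  if p in publish_times and now - publish_times[p] <= window)
```

The second check is the one worth discussing with your provider: a denylist only helps after someone has reported the bad versions, whereas a freshly published version of a dependency that has been stable for months is visible immediately.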


Story Two: The Gentleman Ransomware, Blockchain C2 and a Fake Sysinternals Tool

The DFIR Report published a flash alert yesterday covering an April 2026 intrusion that ended in The Gentleman ransomware deployment. The attack chain is worth examining in detail because it reflects deliberate engineering around common defensive measures.

The initial access vector was a malicious MSI installer disguised as a Sysinternals tool, the legitimate Microsoft diagnostic utilities that IT administrators use routinely. This is not a novel lure, but it remains effective precisely because Sysinternals tools are trusted by the people most likely to run them: IT staff with elevated privileges.

The malware itself, EtherRAT, used a technique called EtherHiding to retrieve its command-and-control configuration dynamically from the Ethereum blockchain. The practical implication: the C2 IP address was never hard-coded and never static. Blocklists based on known-malicious IP addresses or domains would not have caught it. The malware queries the blockchain, retrieves the current configuration, and connects accordingly.

Following the EtherRAT stage, attackers deployed TukTuk, a secondary malware framework loaded via DLL sideloading using a legitimate application. The DFIR Report notes Kerberoasting and credential harvesting activity, standard lateral movement for a ransomware precursor, before The Gentleman ransomware was deployed.

What this means operationally

The use of blockchain-based C2 is not new as a concept; researchers have documented it for several years. What this incident confirms is active operational deployment against real targets in 2026. Your endpoint detection and response tooling needs to be evaluated not just on whether it detects known-malicious IPs, but on whether it detects the behaviour: unusual outbound blockchain queries, DLL sideloading from unexpected paths, credential harvesting activity.

The initial lure, a fake Sysinternals tool, is a direct warning for SMBs that rely on a single IT person or a small MSP. When a trusted internal tool appears to be available from a new source, the person with the most access is often the least likely to question it.

The Kerberoasting detail is worth noting specifically. Kerberoasting is an Active Directory attack technique. If your business runs Windows infrastructure managed by an MSP, and that MSP has not reviewed your Active Directory service account configuration recently, ask them when they last did. Accounts with weak or old passwords and broad permissions are the fuel for this kind of lateral movement.
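One behavioural check that speaks to both the Kerberoasting detail and the EDR question above, written here as an added example rather than anything from the DFIR Report: it scans a constructed, simplified rendering of Windows Security event 4769 (service ticket request) lines and flags any account that obtains RC4-encrypted tickets for several distinct service principal names within a few minutes, which is the pattern Kerberoasting produces. The field layout, account names and host names are constructed.

```python
"""Behavioural check for Kerberoasting-style TGS request bursts.

Added example, not code from the newsletter or the DFIR Report. The log
format is a constructed, simplified rendering of Windows Security event 4769
fields (account, service, ticket encryption type, client IP); adapt the
parser to whatever your SIEM or EDR actually exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4, the cipher roasting tools ask for
# Constructed events: one normal AES (0x12) request, then one account pulling
# RC4 tickets for several distinct SPNs inside a minute.
SAMPLE_4769 = """\
2026-04-14T09:12:01Z|4769|jsmith|MSSQLSvc/db01.corp.local:1433|0x12|10.0.5.23
2026-04-14T09:30:10Z|4769|jsmith|MSSQLSvc/db01.corp.local:1433|0x17|10.0.5.23
2026-04-14T09:30:11Z|4769|jsmith|HTTP/intranet.corp.local|0x17|10.0.5.23
2026-04-14T09:30:12Z|4769|jsmith|MSSQLSvc/db02.corp.local:1433|0x17|10.0.5.23
2026-04-14T09:30:14Z|4769|jsmith|CIFS/backup01.corp.local|0x17|10.0.5.23
2026-04-14T09:31:00Z|4769|WS-042$|WS-042$|0x17|10.0.5.42
2026-04-14T11:02:33Z|4769|mjones|HTTP/intranet.corp.local|0x17|10.0.5.77
"""

def parse_4769(text):
    events = []  # each line: timestamp|event id|account|service|enc type|client ip
    for line in text.splitlines():
        ts, event_id, account, service, enc, ip = line.split("|")
        if event_id == "4769":
            events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           "account": account, "service": service, "enc": enc, "ip": ip})
    return events

def roasting_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: sorted SPNs} for accounts that obtained RC4 service
    tickets for at least `min_spns` distinct SPNs within `window`."""
    by_account = defaultdict(list)
    for e in events:
        # Computer accounts ($) and the krbtgt service are noise for this check.
        if e["enc"] != RC4_HMAC or e["service"].endswith("$") or e["service"].startswith("krbtgt"):
            continue
        by_account[e["account"]].append(e)
    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            spns = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits
```

A single RC4 ticket request is routine in most estates; the burst of distinct SPNs from one account is what separates reconnaissance from normal use, and it is also a reason to ask why any service account still accepts RC4 at all.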


The Wider Pattern

Cisco Talos published analysis today on responding to state-sponsored intrusions versus ransomware, and one observation applies directly here: the gap between detection and response matters more than the sophistication of the initial intrusion. Both campaigns above are designed to extend dwell time: Shai-Hulud through trusted distribution channels, The Gentleman chain through blockchain-obfuscated C2 that avoids triggering signature-based defences.

For UK SMBs, the realistic concern is not that you are a named target of either campaign. It is that the credential theft, the developer machine compromise, or the ransomware precursor activity arrives through a supplier or service provider that you trusted implicitly and audited not at all.

That is the supply chain risk the advisories describe in general terms. This is what it looks like in practice.


Actions for Today

  1. If you have developers or use development agencies: Ask specifically about SCA tooling and how quickly they would detect a compromised dependency.
  2. If you run Windows infrastructure: Ask your IT provider when they last reviewed Active Directory service account permissions and password ages.
  3. If your IT staff use diagnostic tools: Confirm those tools are downloaded only from verified official sources. A policy of “only install from the vendor’s official site” is worth making explicit.
  4. Check your EDR coverage: If you have endpoint detection and response tooling, verify it covers behavioural detection, not just signature matching, and that it includes monitoring for DLL sideloading and unusual process behaviour.

Sources

BleepingComputer: Shai Hulud attack ships signed malicious TanStack, Mistral npm packages. https://www.bleepingcomputer.com/news/security/shai-hulud-attack-ships-signed-malicious-tanstack-mistral-npm-packages/
The Register: Cache-poisoning caper turns TanStack npm packages toxic. https://www.theregister.com/cyber-crime/2026/05/12/cache-poisoning-caper-turns-tanstack-npm-packages-toxic/5238650
The DFIR Report: Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware. https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/
AlienVault OTX: EtherRat and TukTuk C2 End in The Gentleman Ransomware (threat pulse). https://otx.alienvault.com
Cisco Talos: State-sponsored actors, better known as the friends you don’t want. https://blog.talosintelligence.com/state-sponsored-actors-better-known-as-the-friends-you-dont-want/
