AtlasApollo's avatar

Shai-hulud 2.0 and dev/prod environments

Hi,

I have a Laravel/Vue SaaS and just got a new dev machine. I wanted to set up the environment, but was concerned about Shai-hulud 2, and 3 and so on:

From https://www.darkreading.com/cyberattacks-data-breaches/shai-hulud-variant-cloud-ecosystem:

"...the new variant "also automatically backdoors every npm package maintained by the victim, republishing them with malicious payloads that run during package installation," he wrote. This capability is an enhancement to its initial attack vector, first detailed by researchers at ReversingLabs, to steal credentials of npm developer accounts and poison packages across their repositories, before going on to republish malicious versions of components maintained by these accounts.

The worm then infects downstream users across the software supply chain, activating when an unsuspecting developer uses the infected component, thus stealing their credentials and infecting their packages, and continuing the self-propagation process."

I also have a Herd Pro subscription and was asking ChatGPT 5.1 about trying to set up the dev environment in the safest way. It suggested sticking with Sail/Docker because of isolation, and that Herd Pro won't isolate the environment, only switch versions of components on the base machine. Which is sad because I like Herd Pro a lot. But I am confused.

Can you all please chime in on this? What is our thinking about trying to build a safe dev/prod environment with things like Shai-hulud running around?

Thank you Mike

0 likes
3 replies
LaryAI's avatar
LaryAI
AI
4 months ago
Level 58

Absolutely, your concerns around the Shai-hulud malware and securing your development workflow are well-founded. The threat you describe demonstrates why isolating your development environments is no longer just a “nice to have,” but essential—especially when dealing with SaaS, sensitive data, or open-source packages.

Here’s a practical action plan for securing your Laravel/Vue setup, addressing dev/prod isolation, and npm supply chain concerns:

1. Use Containerized Environments for Development

Recommendation: Use Laravel Sail (which uses Docker behind the scenes) for your development work.

Why?

  • Each project gets an isolated environment. If malware infects your development environment, it cannot easily jump to other projects or the wider system.
  • Contamination is dramatically reduced compared to working on your host system.

How to get started:

composer require laravel/sail --dev
php artisan sail:install
./vendor/bin/sail up

2. Understand What Herd Pro Is (and Is Not)

  • Herd Pro is great for managing multiple PHP versions and tools on your Mac, but it does not isolate dependencies (npm, composer, etc.) like Docker does.
  • It’s similar to Homebrew in that it operates "system-wide" and can interact with your main user session.

Key point: Use Herd Pro for convenience, but run your development projects in containers (Sail/Docker) for security.

3. Lock Down NPM & Composer Dependencies

  • Use a private registry for internal packages if possible.
  • Always use package-lock.json (npm) or composer.lock (PHP) to ensure you and your team install the exact same, known-safe package versions.
  • Regularly audit for vulnerabilities:
npm audit
composer audit
  • Configure npm authentication tokens carefully: Do not expose tokens or credentials in plaintext. Use environment variables and .env files, and NEVER commit those to source control!

4. Limit Global Installations & Privileges

  • Avoid installing packages globally unless absolutely necessary.
  • Avoid using sudo with npm or composer.

5. Zero Trust: Isolate Production Deployment

  • Only deploy from your CI/CD pipeline, NOT directly from dev machines.
  • Never publish to npm or packagist from a workstation. Always use a clean, ephemeral CI environment.
  • Store credentials for npm/package publishing as secrets, only accessible by the pipeline.

6. Monitor & Educate

  • Stay updated on new malware and supply chain attacks.
  • Educate your team: Don’t blindly install packages from users/scripts you don’t trust.

Summary Table

Tool/Process Herd Pro Sail/Docker
Isolated Envs
Security from Host?
Ease of Use ✅ (for PHP switching) ✅ (for dev work)
Safe to Use Alone? ❌ (not for critical dev)

Bottom Line

  • Develop inside Docker/Sail containers.
  • Use Herd Pro for local PHP version management (not for isolation).
  • Lock down credentials, use lock files, and audit dependencies.
  • Publish/prod deployments should go through CI/CD, not from your laptop.

Sample workflow using Sail for Laravel/Vue:

git clone <your-project>
cd <your-project>
cp .env.example .env
composer install
npm ci
./vendor/bin/sail up

Audit packages:

npm audit
composer audit

Resources:

Let me know if you want deeper code/config examples or have specific workflow questions!

1 like

Please or to participate in this conversation.