Shai-Hulud NPM Worm, IDA 9.2 Changes and PromptLock LLM Ransomware Analysis (Stream - 16/09/2025)
Author: Invoke RE
Uploaded: 2025-09-25
Views: 679
In this stream we analyze the Shai-Hulud NPM worm, which automatically replicates to remote NPM repositories and steals a large number of secrets and tokens. We also look at the 9.2 changes to IDA Pro and use the updated Golang changes to analyze the PromptLock ransomware, which uses remote LLMs to generate Lua ransomware code on the fly that is then executed by an interpreter.
Learn how to reverse engineer malware: https://training.invokere.com/
Stream code, binaries and databases available with Premium: https://training.invokere.com/course/...
Merch: https://shop.invokere.com/
Twitch: /invokereversing
Twitter: /invokereversing
BlueSky: https://bsky.app/profile/invokerevers...
Mastodon: https://infosec.exchange/@invokerever...
00:00 Overview of Shai-Hulud NPM Compromise
03:35 Shai-Hulud NPM Analysis
05:38 Starting Reversing Question
07:01 Shai-Hulud Analysis Continued
10:28 Raid Tangent
13:06 TruffleHog Functionality
14:09 Background Question
14:54 Analysis Continued
15:53 Embedded Bash Analysis
19:34 JS Payload Analysis Continued
27:47 NPM Worm Functionality
29:21 Secret Extraction
31:41 IDA 9.2 Changes
35:52 PromptLock Analysis
39:24 Raid Tangent
40:25 PromptLock Analysis Continued
41:21 pclntab Stripping Testing in IDA
43:13 Answering Chat Questions
45:53 PromptLock Analysis Continued
49:04 PromptLock Analysis Continued
01:06:53 Wrapping Up                