Shai-Hulud malware campaign dubbed 'the largest and most dangerous npm supply-chain compromise in history' — 'hundreds' of JavaScript packages affected


It's a bad time to be a JavaScript developer, after Koi Security revealed yesterday that it is tracking "the largest and most dangerous npm supply-chain compromise in history."

The security firm said the Shai-Hulud malware campaign "has now impacted hundreds of packages across multiple maintainers," including "popular libraries such as @ctrl/tinycolor as well as packages maintained by CrowdStrike." (Emphasis theirs.) And the problem is probably going to get worse before it gets better, because the malware in question is a worm that autonomously spreads from package to package.

"Attackers published malicious versions of @ctrl/tinycolor and other npm packages, injecting a large obfuscated script (bundle.js) that executes automatically during installation," Koi Security said in the blog post revealing this campaign. "This payload repackages and republishes maintainer projects, enabling the malware to spread laterally across related packages without direct developer involvement."

To be clear: This campaign is distinct from the incident that we covered on Sept. 9, which saw multiple npm packages with billions of weekly downloads compromised in a bid to steal cryptocurrency. The ecosystem is the same — attackers have clearly realized the GitHub-owned npm package registry for the Node.js ecosystem is a valuable target — but whoever's behind the Shai-Hulud campaign is after more than just some Bitcoin.

"The injected script performs credential harvesting and persistence operations," Koi Security said. "It runs TruffleHog to scan local filesystems and repositories for secrets, including npm tokens, GitHub credentials, and cloud access keys for [Amazon Web Services], [Google Cloud Platform], and Azure. It also writes a hidden GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) that exfiltrates secrets during CI/CD runs, ensuring long-term access even after the initial infection. This dual focus on endpoint secret theft and backdoors makes Shai-Hulud one of the most dangerous campaigns ever compared to previous compromises."

That might be confusing to anyone who doesn't have to worry about developing and distributing Node.js software. But the long and short of it is that Shai-Hulud is using a well-known offensive security tool (TruffleHog) alongside developer tooling (GitHub Actions) in an environment that is designed specifically to help distribute software without much developer involvement (npm).

We suggested in our previous report that whoever compromised the npm packages to steal cryptocurrency did us a favor, because they could have used their access to those packages to accomplish far worse attacks. Now it seems that someone is looking to do just that — and it's hard to feign surprise when the Node.js ecosystem and the tooling built around it were practically built to enable widespread attacks like this.

Koi Security is updating its blog post with a list of npm packages known to have been compromised via the Shai-Hulud campaign. StepSecurity has also published indicators of compromise alongside a technical breakdown of how the malware spreads, what it does, and how organizations should respond if they discover that a compromised package has been used somewhere in their infrastructure.


Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.