- A new supply chain attack has compromised at least 187 NPM packages, targeting developers' secrets in software projects
- The Shai-Hulud worm steals credentials, modifies packages and spreads via GitHub Actions and npm tokens
- Researchers warn that the number of compromised packages is likely to grow
At least 187 malicious NPM packages have been discovered as part of another major supply chain attack against software developers.
Security researchers at Socket, StepSecurity and Aikido have all detected the ongoing campaign, which appears to be orchestrated by the same group that targeted Nx several weeks ago.
As in that campaign, the attackers were again after developers' secrets, in particular login credentials, AWS and GCP keys, Azure service credentials, GitHub personal access tokens, cloud metadata endpoints and NPM authentication tokens.
However, the attack methodology has evolved, the researchers noted.
“The scale, scope and impact of this attack are significant,” they said. “The attackers use largely the same playbook as the original attack, but have upped their game.”
This time around, the attackers created a worm, dubbed Shai-Hulud (a nod to the sandworm from Dune), which not only steals secrets and publishes them publicly on GitHub (using tools such as TruffleHog and queries to cloud metadata endpoints), but also drops a GitHub Actions workflow that sends secrets to an attacker-controlled webhook and hides them in logs, and uses stolen npm tokens to modify and republish every package the maintainer controls, embedding the worm in each one.
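One check a maintainer can run against the republish step described above: pull the registry's publish timestamps for each package you own and flag any version published after a chosen instant that you did not publish yourself. This is an added example, not code from the article or from any of the researchers or vendors it cites. It relies on the `time` object that `npm view <pkg> time --json` returns (a `created`/`modified` pair plus one ISO timestamp per version), and embeds a constructed sample of that output so it runs offline; the package name and dates in the sample are made up.

```python
"""Flag package versions published after a given instant.

Added example (not from the article or any cited vendor). Assumes the
registry "time" object shape returned by `npm view <pkg> time --json`:
{"created": ..., "modified": ..., "<version>": "<ISO timestamp>", ...}
"""
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample of `npm view example-pkg time --json` output.
# Package name and timestamps are invented for the example.
SAMPLE_TIME_JSON = json.dumps({
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2025-09-15T14:05:12.000Z",
    "1.0.0": "2024-01-10T12:00:00.000Z",
    "1.1.0": "2025-06-02T09:30:00.000Z",
    "1.1.1": "2025-09-15T14:05:12.000Z",
})

# Keys in the "time" object that are not version numbers.
NON_VERSION_KEYS = {"created", "modified"}


def parse_ts(value: str) -> datetime:
    """Parse the registry's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def versions_published_since(time_json: str, since: datetime) -> list[str]:
    """Return versions whose publish time is at or after `since`, oldest first.

    Non-version keys and non-string values (npm uses an object under an
    "unpublished" key when versions are removed) are skipped.
    """
    data = json.loads(time_json)
    hits = []
    for version, ts in data.items():
        if version in NON_VERSION_KEYS or not isinstance(ts, str):
            continue
        if parse_ts(ts) >= since:
            hits.append(version)
    return sorted(hits, key=lambda v: parse_ts(data[v]))


def versions_published_since_iso(time_json: str, since_iso: str) -> list[str]:
    """Same check with the cutoff given as an ISO-8601 string, e.g. '2025-09-14T00:00:00Z'."""
    return versions_published_since(time_json, parse_ts(since_iso))


def fetch_time_json(package: str) -> str:
    """Live lookup against the registry; not exercised by the sample run below."""
    out = subprocess.run(
        ["npm", "view", package, "time", "--json"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Cutoff is a placeholder; use the time of your last legitimate publish.
    cutoff = datetime(2025, 9, 14, tzinfo=timezone.utc)
    print(versions_published_since(SAMPLE_TIME_JSON, cutoff))
```

Any version the function lists that you did not publish is a candidate for `npm deprecate` or `npm unpublish`, and is a signal that the token used to publish it should be revoked (`npm token revoke`) along with every other credential that token's host could have exposed.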
Among the compromised NPM packages are some published by cybersecurity firm CrowdStrike, as well as others with millions of weekly downloads.
CrowdStrike, for its part, did what it could to mitigate the risk and limit the damage.
“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source standard, we quickly removed them and proactively rotated our keys in public registries,” a CrowdStrike spokesperson said, according to The Register.
“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”
The number of packages affected by the attack currently stands at 187, but the researchers warned that it will probably continue to rise. Some potentially compromised packages are still awaiting validation.
Via The Register