- A new supply chain attack compromised at least 187 NPM packages targeting developer secrets across software projects
- The Shai-Hulud worm steals credentials, modifies packages and spreads malware through GitHub Actions and NPM tokens
- Researchers warn the number of compromised packages is likely to grow
At least 187 malicious NPM packages have been uncovered, part of another large supply chain attack against software developers.
Security researchers from Socket, StepSecurity and Aikido all discovered an ongoing campaign, apparently orchestrated by the same group that targeted NX several weeks ago.
Like that campaign, this one is also after developer secrets, including login credentials, AWS keys, GCP and Azure service account credentials, GitHub Personal Access Tokens, cloud metadata endpoints and NPM authentication tokens.
Many affected
However, the attack methodology has evolved, the researchers noted.
“The scope, extent and effect of this attack is significant,” they explained. “The attackers use the same playbook in large parts as the original attack, but have intensified their game.”
This time around, the attackers created a worm, called Shai-Hulud (a nod to the Dune worm), which not only steals secrets and publishes them publicly to GitHub (using tools like TruffleHog and queries against cloud metadata endpoints), but also sends secrets to an attacker-controlled webhook and hides them in logs, and uses stolen NPM tokens to modify and republish every package the compromised maintainer controls, seeding the worm into each one.
Among the compromised NPM packages are some from cybersecurity firm CrowdStrike, as well as others with millions of weekly downloads.
CrowdStrike did what it could to mitigate the risk and minimize the damage.
“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” a CrowdStrike spokesperson said, The Register reports.
“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”
Currently, the number of packages affected by the attack sits at 187, but the researchers warned that the number is likely to keep rising. Some potentially compromised packages are still awaiting validation.
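Because the worm republishes packages under a maintainer's stolen NPM token, the defender-side response is to compare what a project actually resolved against a published list of compromised name@version pairs, and to review any dependency that runs an install-time script. The following script is an added example and is not code from the article or from any of the researchers named; the lockfile content and the KNOWN_BAD advisory list are constructed placeholders, and a real list must be populated from a vendor advisory.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample in npm lockfileVersion 3 layout; not taken from the article.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.2.3.tgz",
        },
        # hasInstallScript is the real lockfile flag npm sets when a package
        # declares preinstall/install/postinstall scripts.
        "node_modules/@acme/widget": {"version": "4.0.1", "hasInstallScript": True},
        # nested dependency: the name is what follows the last "node_modules/".
        "node_modules/@acme/widget/node_modules/helper": {"version": "0.9.0"},
    },
})

# PLACEHOLDER advisory list (name -> affected versions). Fill from a real advisory.
KNOWN_BAD: Dict[str, Set[str]] = {
    "@acme/widget": {"4.0.1"},
}


def package_name_from_path(path: str) -> str:
    """Return the package name for a 'packages' key in package-lock.json.

    Keys look like 'node_modules/a' or 'node_modules/a/node_modules/@scope/b';
    the installed package's name is whatever follows the last 'node_modules/'.
    """
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx == -1:
        return path  # root project entry ("")
    return path[idx + len(marker):]


def audit_lockfile(lock_text: str, known_bad: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Return (compromised, install_scripts) lists of 'name@version' strings.

    compromised:     resolved packages matching the advisory list exactly.
    install_scripts: packages that will execute code at install time and so
                     deserve review even when not on the list.
    """
    lock = json.loads(lock_text)
    compromised: List[str] = []
    install_scripts: List[str] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # skip the project itself
        name = package_name_from_path(path)
        version = meta.get("version", "")
        label = f"{name}@{version}"
        if version in known_bad.get(name, set()):
            compromised.append(label)
        if meta.get("hasInstallScript"):
            install_scripts.append(label)
    return sorted(compromised), sorted(install_scripts)


if __name__ == "__main__":
    bad, scripted = audit_lockfile(SAMPLE_LOCKFILE, KNOWN_BAD)
    print("known-compromised:", bad)
    print("runs install scripts:", scripted)
```

Run it against a real `package-lock.json` by reading the file into `lock_text`. The exact name@version match is deliberate: the worm ships as new versions of otherwise legitimate packages, so a project that pins an older, clean version in its lockfile is not flagged, while an unpinned install that floated to the republished version is.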
Via The Register