
Shai-Hulud Malware Attack Infects 500 npm Packages and Leaks Developer Secrets on GitHub

johny899

New Member
Content Writer
Messages
974
Reaction score
3
Points
23
Balance
$1,220.8USD
I found a really interesting post today on BleepingComputer. There is a new malware called Shai-Hulud that has infected over 500 npm packages and even published developers' private information on GitHub. Pretty scary, right?

What's Happening?

Hackers gained access to several npm maintainer accounts and added malicious code to many of their packages, so when someone installs one of those packages the malware runs automatically during the install.

Once the malware is activated, it collects sensitive information such as:
  • GitHub Tokens
  • npm Tokens
  • Cloud Keys (AWS, Google Cloud, Azure)
After collecting the information, the malware uploads it to GitHub as new public repositories where anyone can view it.

How It Works

Shai-Hulud operates like a worm, which means it keeps spreading on its own once it is running.

Once Shai-Hulud infects one package, it attempts to infect every other package published by the same maintainer, using the npm token it has just stolen.

It also has the following features:
  • It bundles TruffleHog, a secret-scanning tool, to find credentials on the infected machine
  • It can embed its code inside large files so it is less likely to be noticed
  • It writes the stolen secrets to a file named environment.json
  • A destructive fallback: if it cannot steal your token, it may try to delete your home directory
That last point is particularly concerning, since the damage is then no longer limited to leaked credentials.

Scale of the attack

This attack is on an enormous scale. To date:
  • The original attack began with 187 packages that were infected, but it has since expanded to over 500 packages.
  • Approximately 350 developer accounts were affected by this attack.
  • Tens of thousands of GitHub repositories were created solely to publish the stolen secrets.
  • Additionally, CISA has reported that cloud access keys were also stolen from users.
In conclusion, this is the worst npm attack we have seen thus far.

Things to Do Immediately

If you use npm packages, take these steps:
  • Review your dependencies, including the lockfile, for infected versions
  • Revoke and reissue all tokens and credentials (GitHub, npm, cloud)
  • Enable two-factor authentication on your accounts
  • Disable install scripts in CI/CD if you can
Completing these actions helps ensure you do not fall victim to this supply-chain attack.

My Concern

When I first heard about this, I felt devastated, because npm is such a convenient tool and I have always put my faith in third-party packages, which made me very naive about the vulnerability of the supply chain.

In Summary

Shai-Hulud demonstrates how easily supply-chain attacks can occur today. If you are using npm, review all of your npm accounts and packages, rotate your tokens and credentials, and take all necessary precautions to protect your information.
 
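The first and last items in the "Things to Do Immediately" list (check your dependencies for infected versions, and stop install scripts from running) can be done against the lockfile rather than by eyeballing package.json. Below is an added example of such an audit; it is not code from the original post, from BleepingComputer's reporting or from the malware, and the package names on its denylist are made-up placeholders you would replace with the name@version pairs from the advisory you are acting on. It assumes a lockfile in format v2 or v3, where npm keeps a "packages" map keyed by "node_modules/<name>" and marks entries that declare preinstall/install/postinstall with `hasInstallScript: true`. It also walks nested copies (node_modules/a/node_modules/b), which is where a compromised version hides when the top-level copy looks fine.

```javascript
// Added example: audit an npm package-lock.json for (a) versions on a
// denylist and (b) dependencies that run install-time lifecycle scripts,
// which is how a trojanized package executes during `npm install`.
// Not code from the forum post or from the Shai-Hulud reporting.
//
// Assumptions: lockfile format v2/v3 ("packages" map keyed by
// "node_modules/<name>"); npm records `hasInstallScript: true` on entries
// whose package.json declares preinstall/install/postinstall scripts.

// Hypothetical denylist of compromised name@version pairs (constructed
// placeholders, not real indicators). Replace with the advisory's list.
const DENYLIST = new Set([
  'example-left-pad@1.2.3',
  '@example/cli-helper@4.0.1',
]);

// Turn a lockfile "packages" key into the bare package name.
//   "node_modules/@scope/name"             -> "@scope/name"
//   "node_modules/a/node_modules/b"        -> "b"  (nested dependency)
//   ""                                     -> null (the root project)
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// List every installed name@version from a parsed v2/v3 lockfile.
// A v1 lockfile has no "packages" map; fail loudly rather than report
// "nothing found" on a file we cannot actually read.
function listInstalled(lock) {
  if (!lock.packages) {
    throw new Error('lockfile has no "packages" map (v1?); regenerate it with npm >= 7');
  }
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === '') continue; // root project entry, not a dependency
    const name = packageNameFromKey(key);
    if (!name || !entry.version) continue;
    out.push({ name, version: entry.version, key, hasInstallScript: !!entry.hasInstallScript });
  }
  return out;
}

// Installed packages whose exact name@version is on the denylist.
function findCompromised(lock, denylist = DENYLIST) {
  return listInstalled(lock).filter(p => denylist.has(`${p.name}@${p.version}`));
}

// Installed packages that would run a script at install time.
function findInstallScripts(lock) {
  return listInstalled(lock).filter(p => p.hasInstallScript);
}

function auditLockfile(lock) {
  return {
    compromised: findCompromised(lock).map(p => `${p.name}@${p.version} (${p.key})`),
    installScripts: findInstallScripts(lock).map(p => `${p.name}@${p.version}`),
  };
}

// Constructed sample lockfile (not a real project). Note the nested copy of
// @example/cli-helper at a denylisted version under example-left-pad, while
// the top-level copy is at a clean version.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/example-left-pad': { version: '1.2.3', hasInstallScript: true },
    'node_modules/@example/cli-helper': { version: '4.0.0' },
    'node_modules/example-left-pad/node_modules/@example/cli-helper': { version: '4.0.1', hasInstallScript: true },
    'node_modules/harmless-lib': { version: '2.0.0' },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]
// Without an argument it audits the constructed sample above.
if (typeof require === 'function' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const report = auditLockfile(lock);
  console.log(JSON.stringify(report, null, 2));
  if (report.compromised.length) process.exitCode = 1; // fail the CI job
}
```

Run it against the sample and it reports two denylist hits (the top-level example-left-pad and the nested @example/cli-helper@4.0.1) and two packages with install scripts; `npm ls @example/cli-helper` would show the same nested copy. For the "disable install scripts" step itself, npm has a real config option for it: put `ignore-scripts=true` in the project's `.npmrc`, or run `npm ci --ignore-scripts` in CI, and then run any build steps you actually need explicitly.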