Over 300 npm packages compromised by self-replicating worm

Recently, there were reports of the tinycolor npm package, which is a widely used color manipulation library, being compromised as part of an attack affecting over 40 packages. This was already a significant incident given the package’s two million weekly downloads. Now, researchers at Socket have announced that the self-propagating worm has infected over 300 packages on npm.

The attackers were able to spread the malware using a function called NpmModule.updatePackage that was injected into the compromised libraries. The function automated the infection process by first downloading the package tarball of a new target.

It would then modify the package.json file, inject a malicious bundle.js script, repackage the archive, and republish it to the npm registry using a stolen token. The worm looks for environment variables such as NPM_TOKEN, which give it the credentials it needs to keep spreading to other packages maintained by the compromised account.

According to Socket, the CrowdStrike npm account was also compromised, with several of its packages getting infected by the malware. The security firm has since removed the packages and rotated its credentials.

This whole campaign has been dubbed Shai-Hulud, a clear nod to the giant sandworms from the sci-fi novel Dune, based on workflow files named shai-hulud.yaml found in the malware. The attack payload is fairly sophisticated, using TruffleHog, a legitimate secret-scanning tool, to find and validate credentials before exfiltrating them to a webhook.

The full list of (known) affected packages is too long to include here, but some of the most popular ones include:

  • @ctrl/tinycolor
  • ngx-toastr
  • @crowdstrike/glide-core
  • angulartics2
  • eslint-config-crowdstrike
  • @nativescript-community/ui-collectionview
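The infection mechanism described above (package.json modified, a bundle.js dropped in, a shai-hulud.yaml workflow file) and the package list give a defender three concrete things to look for in an installed dependency tree. The following audit script is an added example written for this post; it is not code from Neowin, Socket, or any of the affected projects. It assumes the worm wires bundle.js into an npm lifecycle hook (preinstall/install/postinstall), which the article does not state explicitly, and the sample packages, version strings and file listings it contains are constructed for illustration. The known-affected set is only the subset of names quoted in the article, not the full published list.

```python
import json
import os
from dataclasses import dataclass

# Indicators taken from the article: the quoted subset of affected package
# names and the artifacts the worm drops into a package it republishes.
KNOWN_AFFECTED = {
    "@ctrl/tinycolor",
    "ngx-toastr",
    "@crowdstrike/glide-core",
    "angulartics2",
    "eslint-config-crowdstrike",
    "@nativescript-community/ui-collectionview",
}
DROPPED_SCRIPT = "bundle.js"
WORKFLOW_NAME = "shai-hulud.yaml"
# Assumption (not stated in the article): bundle.js is launched from an
# npm lifecycle hook, so any of these scripts referencing it is suspicious.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


@dataclass
class PackageSnapshot:
    """In-memory view of one installed package: its manifest and file list."""
    path: str          # directory of the package (for reporting)
    manifest: dict     # parsed package.json
    files: set         # paths relative to the package root


def audit_package(snap):
    """Return a list of human-readable findings; empty means nothing matched."""
    findings = []
    name = snap.manifest.get("name", "")
    if name in KNOWN_AFFECTED:
        findings.append(f"name '{name}' is on the published affected list")
    scripts = snap.manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook, "")
        if DROPPED_SCRIPT in cmd:
            findings.append(f"{hook} script invokes {DROPPED_SCRIPT}: {cmd!r}")
    if DROPPED_SCRIPT in snap.files:
        findings.append(f"{DROPPED_SCRIPT} present at package root")
    for rel in sorted(snap.files):
        if rel.endswith(WORKFLOW_NAME):
            findings.append(f"worm workflow file present: {rel}")
    return findings


def audit_tree(snapshots):
    """Map package path -> findings, keeping only packages with findings."""
    report = {}
    for snap in snapshots:
        findings = audit_package(snap)
        if findings:
            report[snap.path] = findings
    return report


def snapshot_node_modules(root):
    """Walk a real node_modules directory and build PackageSnapshot objects.

    Nested node_modules directories are not folded into their parent's file
    list, so a dropped file is attributed to the package that actually owns it.
    """
    snapshots = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        files = set()
        for sub, subdirs, names in os.walk(dirpath):
            subdirs[:] = [d for d in subdirs if d != "node_modules"]
            for n in names:
                files.add(os.path.relpath(os.path.join(sub, n), dirpath).replace(os.sep, "/"))
        snapshots.append(PackageSnapshot(dirpath, manifest, files))
    return snapshots


# Constructed samples (versions and file lists are made up for this example).
SAMPLE_CLEAN = PackageSnapshot(
    "node_modules/left-pad",
    {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}},
    {"package.json", "index.js"},
)
SAMPLE_INFECTED = PackageSnapshot(
    "node_modules/@ctrl/tinycolor",
    {"name": "@ctrl/tinycolor", "version": "0.0.0-constructed",
     "scripts": {"postinstall": "node bundle.js"}},
    {"package.json", "bundle.js", "dist/index.js", ".github/workflows/shai-hulud.yaml"},
)

if __name__ == "__main__":
    import sys
    snaps = snapshot_node_modules(sys.argv[1]) if len(sys.argv) > 1 else [SAMPLE_CLEAN, SAMPLE_INFECTED]
    for path, findings in audit_tree(snaps).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run it with a path to a project's node_modules to audit a real tree, or with no arguments to see the constructed samples. A clean hit on the name alone only tells you a package from the affected list is installed, not that the installed version is a poisoned one; the file and lifecycle-hook indicators are what distinguish a republished build, so treat any package with more than the name finding as compromised and follow the uninstall and credential rotation steps below.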

If you’re compromised, you should address the issue immediately. You can completely remove a malicious package from your project using the command below (substitute the affected package name):

npm uninstall <package-name>

You can also pin your dependencies to a known good version until a patched release is available.

Since this worm actively hunts for and exfiltrates secrets, it’s definitely a good idea to rotate any and all credentials exposed on your system. This includes npm tokens, GitHub personal access tokens and Actions secrets, SSH keys, and any cloud credentials for AWS, Google Cloud, or Azure. You should also cycle API keys, database connection strings, and any secrets stored in services like AWS Secrets Manager.

Source: https://www.neowin.net/news/over-300-npm-packages-compromised-by-self-replicating-worm/