Over 300 npm packages compromised by self-replicating worm

Recently, there were reports of the tinycolor npm package, which is a widely used color manipulation library, being compromised as part of an attack affecting over 40 packages. This was already a significant incident given the package’s two million weekly downloads. Now, researchers at Socket have announced that the self-propagating worm has infected over 300 packages on npm.

The attackers were able to spread the malware using a function called NpmModule.updatePackage that was injected into the compromised libraries. The function automated the infection process by first downloading the package tarball of a new target.

It would then modify the package.json file, inject a malicious bundle.js script, repackage the archive, and republish it to the npm registry using a stolen token. The worm looks for env variables like NPM_TOKEN, which allows it to find credentials to continue spreading to other packages maintained by the compromised account.

According to Socket, the CrowdStrike npm account was also compromised, with several of its packages getting infected by the malware. The security firm has since removed the packages and rotated its credentials.

This whole campaign has been dubbed Shai-Hulud, a clear nod to the giant sandworms from the sci-fi novel Dune, based on workflow files named shai-hulud.yaml found in the malware. The attack payload is pretty sophisticated, using TruffleHog, a legitimate tool for secret scanning, to find and validate credentials before exfiltrating them to a webhook.

The full list of (known) affected packages is too long to include here, but some of the most popular ones include:

  • @ctrl/tinycolor
  • ngx-toastr
  • @crowdstrike/glide-core
  • angulartics2
  • eslint-config-crowdstrike
  • @nativescript-community/ui-collectionview

If you’re compromised, you should immediately address the issue. You can completely uninstall the malicious packages from your projects using the command below:

npm uninstall 

You can also pin your dependencies to a known good version until a patched release is available.

Since this worm actively hunts for and exfiltrates secrets, it’s definitely a good idea to rotate any and all credentials exposed on your system. This includes NPM tokens, GitHub personal access tokens and Actions secrets, SSH keys, and any cloud credentials for AWS, Google Cloud, or Azure. You should also cycle API keys, database connection strings, and any secrets stored in services like AWS Secrets Manager.

Source: https://www.neowin.net/news/over-300-npm-packages-compromised-by-self-replicating-worm/

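As an added example (not code from the article or from Socket), a small audit that puts the post's advice into practice: it checks a project's package-lock.json for the affected package names quoted above, including transitive copies, and reports package.json dependency ranges that are not pinned to one exact version. The manifests and version numbers below are constructed samples, not real compromised releases.

```javascript
// Package names quoted in the post; extend with the full advisory list.
const AFFECTED_PACKAGES = new Set([
  "@ctrl/tinycolor",
  "ngx-toastr",
  "@crowdstrike/glide-core",
  "angulartics2",
  "eslint-config-crowdstrike",
  "@nativescript-community/ui-collectionview",
]);

// Exact pin: "1.2.3" or "1.2.3-beta.1". Anything else (^, ~, ranges, tags)
// can silently resolve to a newly published malicious release.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the installed package name is whatever follows the last "node_modules/".
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every installed copy (direct or transitive) whose name is on the list.
function findAffectedInLock(lock, affected = AFFECTED_PACKAGES) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // "" is the root project itself
    const name = packageNameFromLockPath(lockPath);
    if (affected.has(name)) hits.push({ name, version: entry.version, path: lockPath });
  }
  return hits;
}

// Dependency specifiers that are not pinned to a single exact version.
function unpinnedDependencies(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Constructed sample manifests (versions are placeholders, not advisory data).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "@ctrl/tinycolor": "^4.0.0", express: "4.19.2" },
  devDependencies: { "eslint-config-crowdstrike": "~1.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.0" },
    "node_modules/some-lib/node_modules/ngx-toastr": { version: "19.0.0" },
  },
};

console.log("affected:", findAffectedInLock(SAMPLE_LOCK));
console.log("unpinned:", unpinnedDependencies(SAMPLE_PACKAGE_JSON));
```

A hit on a name alone is a prompt to compare the installed version against the published advisory, since legitimate versions of these packages remain on the registry.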

Huh. No idea what you are talking about.

Layman's terms please.

Worm infiltration targeting WHOM? What should I do?

ah cmon man! this has now become a weekly issue… just recently the dev of a popular package got pwned and there was terror for an entire day before it was contained.

Nowadays it has become scarier due to crypto. Only defense is to pin the dependency versions… imagine if something got through, it could become a big hack and easily drain billions from crypto wallets.

Hackers launched a sneaky attack called “Shai-Hulud” on software packages used by developers, specifically targeting ones related to CrowdStrike (a big cybersecurity company). They took over an official account on npm (a popular library where developers share code packages) and uploaded fake, harmful versions of nearly 500 packages. These bad packages contain malware that acts like a worm: it spreads itself by stealing secret codes (like login tokens for GitHub, AWS cloud services, or npm) from the computers of anyone who downloads and installs them.

Simply put, many popular organizations are impacted.

If you are using any impacted npm package, go through the full list of (known) affected packages, uninstall the impacted version, and use an older version of the npm package for now.

Basically a software supply chain attack, if I understand correctly