
Shai-Hulud Worm Spreads Through npm to Steal Secrets From Hundreds of Victims

Fast-spreading malware is moving through the npm ecosystem, and security researchers have issued warnings

A new worm, named Shai-Hulud, has been identified in the open source npm ecosystem, causing widespread compromise and the leaking of secrets.

The worm spreads recursively: each newly compromised developer account is used to push the malware into further packages. Every compromised package carries a postinstall hook that runs a malicious bundle.js script when the package is installed. The script also installs TruffleHog, an open source secret-scanning tool that can detect up to 800 secrets.

The Shai-Hulud worm is linked to a similar campaign that targeted the authors of the popular package "Nx". In the current campaign, an initial theft of GitHub tokens enabled the broader chain of compromise and the leaking of formerly private repositories. The affected access tokens were issued by providers such as GitHub, npm, AWS, GCP and Azure.

The worm is designed to steal secrets, including npm, GitHub, AWS, and GCP tokens. If the worm finds GitHub tokens, it creates a public GitHub repository named "Shai-Hulud" and dumps the victim's secrets there. Packages published by compromised npm accounts are automatically updated with the malicious bundle.js file.

JFrog warns anyone who has installed a package compromised by Shai-Hulud to assume that secrets have been exfiltrated. The company urges rotating every access token that was stored on an affected machine; TruffleHog can be used to locate such tokens.

Wiz Research assesses that the current activity is tied to the recent s1ngularity / Nx supply chain attack. The group behind the S1ngularity attack, which targeted the popular Nx package, operated by exploiting a flawed GitHub Actions workflow to inject malicious code into Nx's npm packages. This led to a supply-chain attack that compromised thousands of developers' GitHub accounts and leaked private repositories under the prefix "s1ngularity-repository".

ReversingLabs has seen 700 victims' private repositories exposed in this way. The GitHub Action is designed to exfiltrate tokens to the URL hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7, which is stored in double Base64-encoded form.

Developers should stay vigilant and regularly review their repositories for unusual activity. Rotating access tokens and using strong, unique passwords help limit the damage from attacks of this kind.
