First npm worm “Shai-Hulud” released in supply chain attack

Author: BGP Group
September 17, 2025

A new supply chain attack on npm, the node package manager, has injected the first malware with self-replicating worm behaviour into the JavaScript software registry, security firms say.

Security vendor Wiz said malicious versions of multiple popular packages were published to npm, which not only harvest secrets, environment variables and cloud keys using the open source TruffleHog tool, but also create a public repository called Shai-Hulud.

That repository contains a dump of the harvested secrets, Wiz researchers said.

The malware establishes persistence by injecting a GitHub Actions workflow file named .github/workflows/shai-hulud-workflow.yml, via a base64-encoded bash script, StepSecurity's analysis of the worm suggests.

Through this, the malware is able to exfiltrate repository secrets to a command-and-control (C2) endpoint.

Code security vendor Socket said the malicious update was to the @ctrl/tinycolor package, which has 2.2 million weekly downloads, and that the attack affected over 40 other packages across multiple maintainers.

However, the number of compromised packages rose to 180, Aikido Security reported.

Security vendor Crowdstrike had nine npm packages compromised by the Shai-Hulud malware, Aikido noted.

Crowdstrike told iTNews that it acted quickly to remove the compromised packages.

“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” a Crowdstrike spokesperson said.

“These packages are not used in the Falcon sensor and the platform is not impacted.”

“We identified the single source and isolated it quickly; customers remain protected and do not need to take any actions,” the spokesperson added.

Wiz linked the campaign with the recent s1ngularity attack on nx npm packages, which also saw credentials being exfiltrated.

Microsoft-owned npm and GitHub are taking action to clean out the malware, with developers being advised to check for Shai-Hulud-named repositories and to rotate secrets.
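The advice above (look for Shai-Hulud-named repositories, rotate secrets) and the persistence mechanism described earlier (a workflow file dropped into .github/workflows) translate into a short triage check a developer can run against a checkout. The script below is an added example, not code from the article or from Wiz, StepSecurity, Socket, Aikido or Crowdstrike. It assumes only the indicators the article names: the workflow filename shai-hulud-workflow.yml, the "Shai-Hulud" name marker, and a dependency on @ctrl/tinycolor. The article gives no affected version numbers, so the lockfile check reports installed versions for manual comparison against the vendor advisories rather than judging them; the sample repository it builds is constructed for the demonstration and contains no worm code.

```python
"""Triage helper for the Shai-Hulud indicators in the article (added example).

Checks, all derived from the article text:
  * a GitHub Actions workflow at .github/workflows/shai-hulud-workflow.yml
  * workflows or repository names carrying the "Shai-Hulud" marker
  * any @ctrl/tinycolor entry in package-lock.json (version reported only;
    the article names no affected version, so compare against the advisory)
"""
import json
import os
import tempfile

WORKFLOW_PATH = os.path.join(".github", "workflows", "shai-hulud-workflow.yml")
NAME_MARKER = "shai-hulud"
WATCHED_PACKAGE = "@ctrl/tinycolor"  # entry-point package named by Socket


def find_suspicious_workflows(repo_root):
    """Relative paths of workflows matching the indicators: the exact
    filename from the analysis, or any workflow whose filename or contents
    mention shai-hulud (case-insensitive)."""
    hits = []
    wf_dir = os.path.join(repo_root, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return hits
    for name in sorted(os.listdir(wf_dir)):
        if not name.endswith((".yml", ".yaml")):
            continue
        rel = os.path.join(".github", "workflows", name)
        if rel == WORKFLOW_PATH or NAME_MARKER in name.lower():
            hits.append(rel)
            continue
        with open(os.path.join(wf_dir, name), encoding="utf-8", errors="replace") as fh:
            if NAME_MARKER in fh.read().lower():
                hits.append(rel)
    return hits


def watched_package_versions(lockfile_text):
    """{lockfile path: version} for every @ctrl/tinycolor entry. Handles the
    lockfileVersion 2/3 'packages' map and falls back to the v1
    'dependencies' map; nested copies under another package's node_modules
    count too, since a transitive pull is still an install."""
    lock = json.loads(lockfile_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + WATCHED_PACKAGE):
            found[path] = meta.get("version")
    for name, meta in lock.get("dependencies", {}).items():
        if name == WATCHED_PACKAGE:
            found.setdefault(name, meta.get("version"))
    return found


def flag_repository_names(repo_names):
    """Filter repository names (e.g. an org listing fetched separately with
    the GitHub CLI or API) down to those carrying the Shai-Hulud marker."""
    return [r for r in repo_names if NAME_MARKER in r.lower()]


def build_demo_repo():
    """Create a throwaway checkout of constructed sample files so the checks
    can be exercised offline. The workflows are harmless placeholders that
    only match by name or by a comment marker."""
    root = tempfile.mkdtemp(prefix="shai-hulud-triage-")
    wf = os.path.join(root, ".github", "workflows")
    os.makedirs(wf)
    files = {
        "ci.yml": "name: CI\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n",
        "release.yml": "name: release\n# constructed marker: shai-hulud\non: [push]\n",
        "shai-hulud-workflow.yml": "name: placeholder\non: [push]\n",
    }
    for name, body in files.items():
        with open(os.path.join(wf, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "demo"},
        "node_modules/@ctrl/tinycolor": {"version": "0.0.0-constructed"},
        "node_modules/left-pad": {"version": "1.3.0"},
    }}
    with open(os.path.join(root, "package-lock.json"), "w", encoding="utf-8") as fh:
        json.dump(lock, fh)
    return root


if __name__ == "__main__":
    root = build_demo_repo()
    print("workflows to review:", find_suspicious_workflows(root))
    with open(os.path.join(root, "package-lock.json"), encoding="utf-8") as fh:
        print("@ctrl/tinycolor installs:", watched_package_versions(fh.read()))
    print("repositories to review:", flag_repository_names(["infra", "Shai-Hulud", "docs"]))
```

Any hit from these checks is a prompt to treat the tokens available to that checkout (npm tokens, GitHub tokens, cloud keys in CI secrets) as exposed and rotate them, which is the remediation the vendors quoted above recommend regardless of whether the package itself has since been pulled.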

The name Shai-Hulud comes from the science fiction universe of Dune, written by Frank Herbert, and suggests that the worm behaviour was very much intentional.

In Dune, Shai-Hulud is what the Fremen people call the giant sandworms native to the desert planet Arrakis.