An ongoing software supply chain attack that made its mark this month when it compromised the popular tinycolor and more than 40 other packages in the npm registry has more recently rolled up npm packages published by cybersecurity vendor CrowdStrike.
The compromise is part of the larger Shai-Hulud campaign, which Karlo Zanki, reverse engineer at ReversingLabs, called “a first of its kind self-replicating worm on the npm open source registry. The worm … spreads through a cascading compromise of npm accounts that inserts the malicious worm code into legitimate public and private npm packages belonging to the compromised developer.”
The malware that compromised the packages published by the CrowdStrike-publisher npm account is identical to the one targeting tinycolor, which receives more than 2 million downloads a week, and other packages, right down to the malicious bundle.js script, according to Kush Pandya and Peter van der Zee, security researchers with Socket, which provides a security platform for developers.
Socket and StepSecurity had written about the earlier attacks on September 15, the day before the compromise of the CrowdStrike packages was detected. So far, the number of packages compromised by the malware appears to be well into the hundreds, including those from CrowdStrike.
“The scale, scope and impact of this attack is significant,” Charlie Eriksen, security researcher at Aikido Security, wrote in a blog post. “The attackers are using the same playbook in large parts as the original attack, but have stepped up their game. They have turned it into a full worm.”
A Secrets-Stealing Worm
The worm – which can target both Windows and Linux systems – is all about stealing secrets and then sending them to another server that the bad actors control. The bundle.js. script – the malicious JavaScript code – downloads and then executes TruffleHog, a secret scanner that searches the host system for tokens, API keys, and cloud credentials, according to Socket’s Pandya and van der Zee.
Once it validates the developer and continuous integration (CI) credentials taken, it creates unauthorized GitHub Actions workflows in repositories and exfiltrates the data to a hardcoded webhook endpoint.
“In our previous analysis, we found the payload writes a GitHub Actions workflow file named shai-hulud-workflow.yml,” the Socket researchers wrote. “Around the same time, nearly 700 public repositories titled ‘Shai-Hulud Migration’ appeared on GitHub. While the precise role of these repos is still under investigation, their naming and timing suggest they may be artifacts of attacker automation used to persist or stage the workflow.”
Using GitHub in the Campaign
Gaetan Ferry, security researcher with GitGuardian, wrote that the malicious packages use GitHub in two different ways in their post-exploitation strategy. Ferry pointed to the research by Socket and StepSecurity that found the first collected secrets from victims’ machines, stored them in a double-base64 encoded JSON document, and uploaded it to GitHub in a repository called Shai-Hulud under the victim’s organization and a file named “data.json.”
“Then, they created branches on various GitHub projects named shai-hulud and pushed a malicious GitHub action workflow file to it,” Ferry wrote.
The name “Shai-Hulud” is the name of the giant sandworms that live in the desert in Frank Herbert’s “Dune” series of books.
Campaign Continuing to Spread
“This attack is a self-propagating worm,” Wiz security researchers Merav Bar and Rami McCarthy wrote. “When a compromised package encounters additional npm tokens in a victim environment, it will automatically publish malicious versions of any packages it can access.”
ReversingLabs’ Zanki wrote that the Shai-Hulud campaign is ongoing, and “given the large number of package inter-dependencies in the npm ecosystem, it is difficult to predict who will get compromised next — and how far Shai-hulud could spread.” ReversingLabs already has detected hundreds of compromised npm packages that account for millions of combined weekly downloads.
A Range of Victims
Affected parties are numerous, he wrote, ranging from tech company founders and CTOs and software development services companies to developers working for non-profits, developers in AI-first companies, and security vendors.
One of those security vendors, CrowdStrike, dealt with the situation quickly, according to a spokesperson.
“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” the spokesperson told Security Boulevard. “These packages are not used in the Falcon sensor and the platform is not impacted. We identified the single source and isolated it quickly; customers remain protected and do not need to take any actions.”
Links to Previous, Similar Attacks
While the malware in the attacks on the CrowdStrike packages and those from tinycolor and others are identical, the operators behind the Shai-Hulud campaign appear to be the same ones responsible for similar attacks in the s1nhgularity/NX and GhostAction campaigns last month.
“The threat actors combined a local environment secrets extraction with a malicious GitHub actions workflow injection in accessible projects,” GitGuardian’s Ferry wrote.
What to Do
Security vendors are urging npm security teams and developers to take a number of steps, including checking the versions being used, cleaning their npm cache, reinstalling packages in their repositories, and using a package lock file and pinned versions.
They also should audit CI/CD agents, developer laptops, and anything else in environments that installed the affected versions and rotate npm tokens and other exposed secrets if the compromised packages were on machines with publishing credentials. In addition, they need to monitor logs for unusual “npm publish” or package modification activity.
