
"Attackers involved in the campaign have been exploiting compromised package maintainer accounts to publish trojanized versions of legitimate npm packages that appear to originate from the official source. Once downloaded, the malware scans for credentials and CI/CD secrets, which are then published to the user's own repositories. It also inserts the malicious payload into all of the users' available npm packages, spreading the infection."
"This time round, the malware has affected more than 19,000 GitHub repositories and compromised around 700 npm packages, including core libraries from Zapier and the Ethereum Name Service (ENS) ecosystem, along with PostHog and Postman. According to Wiz Threat Research, the attack is accelerating at around 1,000 new repos every 30 minutes. Meanwhile, if the malware fails to authenticate or establish persistence, it attempts to destroy the victim's entire home directory, deleting every writable file owned by the current user under their home folder."
Attackers exploit compromised package maintainer accounts to publish trojanized versions of legitimate npm packages that appear to originate from the official source. Once installed, the malware scans for credentials and CI/CD secrets, publishes those secrets to the user's own repositories, and injects the malicious payload into all of the user's available npm packages to propagate the infection. The campaign has affected more than 19,000 GitHub repositories and compromised around 700 npm packages, including core libraries from Zapier, the Ethereum Name Service (ENS) ecosystem, PostHog, and Postman. The attack is accelerating at roughly 1,000 new repositories every 30 minutes. New tactics include execution via npm install lifecycle scripts (which npm runs automatically during package installation) and two new payload files, setup_bun.js and bun_environment.js. If authentication or persistence fails, the malware attempts to destroy the victim's entire home directory by deleting every writable file owned by the current user under their home folder. GitHub is removing attacker-created repositories, but the threat actors continue to create new ones as the activity is ongoing. The campaign reuses the Shai-Hulud name and tradecraft, although it may involve different actors.
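A first-pass triage check for the two tactics named above, written as an added example (not code from IT Pro, Wiz, or any affected project): it parses each package.json under a directory such as node_modules, flags install lifecycle hooks that reference the reported payload file names, and flags those files when they ship inside a package. The sample manifests at the bottom are constructed for a stand-alone run, and matching on the two basenames alone is an assumption, not a complete indicator set.

```python
import json
from pathlib import Path

# Payload file names taken from the report. Assumption: matching these exact
# basenames is enough for first-pass triage; it is not a full IoC list.
PAYLOAD_FILES = {"setup_bun.js", "bun_environment.js"}
# Hooks npm runs automatically during installation.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_package(pkg_json_text: str, present_files: set[str]) -> list[str]:
    """Return findings for one package.

    pkg_json_text: contents of the package's package.json.
    present_files: basenames of the files in the package directory.
    """
    findings = []
    try:
        manifest = json.loads(pkg_json_text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    scripts = manifest.get("scripts") or {}
    # 1. A lifecycle hook whose command references a known payload file.
    for hook in LIFECYCLE_HOOKS:
        cmd = str(scripts.get(hook, ""))
        for name in sorted(PAYLOAD_FILES):
            if name in cmd:
                findings.append(f"{hook} script references {name}: {cmd!r}")
    # 2. A payload file present in the package, however it is invoked.
    for name in sorted(PAYLOAD_FILES & present_files):
        findings.append(f"payload file present in package: {name}")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every package.json below root (for example a node_modules tree)."""
    report = {}
    for pkg_json in root.rglob("package.json"):
        names = {p.name for p in pkg_json.parent.iterdir()}
        hits = scan_package(pkg_json.read_text(errors="replace"), names)
        if hits:
            report[str(pkg_json.parent)] = hits
    return report


# Constructed sample manifests (not taken from any real package).
TROJANIZED = '{"name": "x", "scripts": {"postinstall": "node setup_bun.js"}}'
CLEAN = '{"name": "y", "scripts": {"test": "jest"}}'

if __name__ == "__main__":
    print(scan_package(TROJANIZED, {"package.json", "setup_bun.js"}))
    print(scan_package(CLEAN, {"package.json", "index.js"}))
```

Run `scan_tree(Path("node_modules"))` against a checked-out project to get a per-package report; an empty result only means these two names were not found, not that the tree is clean.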
Read at IT Pro