
"The infamous TeamPCP hacking group that besieged the open source software ecosystem several times over the past half year has released the source code of its Shai-Hulud worm, opening the door to copycat attacks. The code was shared via GitHub repositories under several users and was accompanied by detailed instructions on how to use it. While GitHub removed the repos, multiple forks also appeared, Datadog says."
"The repositories also contained the "Shai-Hulud: Open Sourcing The Carnage" message from the hacking group itself, which states the intended purpose of the release, namely to fuel more supply chain attacks. In fact, security researchers stumbled upon a separate announcement from TeamPCP and BreachForums encouraging cybercriminals to participate in a "supply chain challenge" in exchange for monetary rewards."
"Miscreants were instructed to use the Shai-Hulud worm in their attacks, provide proof of intrusion, and cause as much downstream impact as possible to win the challenge. "These two events together will bring about a period of innovation for Shai Hulud, likely spawning several variants of the malware," said Black Duck principal cybersecurity engineer Ben Ronallo."
"Datadog's analysis of the source code revealed a modular framework containing loaders, secrets-harvesting modules, an information collector, a dispatcher, exfiltrators, and mutators. It also revealed artifacts seen in previous Shai-Hulud attacks, including the targeting of numerous developer and cloud credentials, API keys, tokens, and other types of secrets; the"
The Shai-Hulud worm source code was released by the TeamPCP hacking group through GitHub repositories under multiple users, along with detailed instructions for use. GitHub removed the repositories, but forks appeared and remained available. The repositories included a message stating the release was intended to fuel additional supply chain attacks. Separate announcements encouraged cybercriminals to join a “supply chain challenge” for monetary rewards by using the worm, providing proof of intrusion, and maximizing downstream impact. Researchers found threat actors quickly modified the code and launched new attacks because deployment details were included. Analysis showed a modular framework with loaders, secrets-harvesting modules, information collection, dispatching, exfiltration, and mutation components, targeting developer and cloud credentials, API keys, tokens, and other secrets.
Read at SecurityWeek