
"The wormable malware spread via compromised npm packages. Once installed, it would scan infected hosts for AWS, GCP, Azure, and GitHub credentials before publishing them to users' own GitHub repositories. Wiz said the latest attacks, possibly launched by separate criminals, operate similarly to the first - scanning infected machines for secrets which the malware then publishes to victims' own repositories."
"One notable difference in Shai-Hulud 2.0, as Wiz is calling it, is that the malicious code is executed during the pre-install phase. The researchers warned that this could 'significantly' increase potential exposures in build and runtime environments. As of September 24, more than 25,000 repositories had published their own secrets, and 1,000 more were being added every 30 minutes over 'the last couple of hours,' Wiz said on Monday morning."
Shai-Hulud is a wormable malware campaign that trojanizes npm packages to backdoor developer machines and exfiltrate secrets. Affected packages include Zapier, AsyncAPI, ENS Domains, PostHog, and Postman, many with thousands of weekly downloads. The malware scans infected hosts for AWS, GCP, Azure, and GitHub credentials and publishes the stolen secrets to the victims' own GitHub repositories. The campaign first emerged in September and reappeared beginning November 21. In the initial September outbreak, more than 25,000 repositories published secrets, and GitHub's cleanup has struggled to keep pace with the worm's rapid propagation. Shai-Hulud 2.0 executes its malicious code during the pre-install phase, which increases exposure in build and runtime environments because the payload runs before the package is even installed.
Read at The Register