Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub
Briefly

“Shai-Hulud: Open Sourcing The Carnage. Is it vibe coded? Yes. Does it work? Let results speak. Change keys and C2 as needed. Love - TeamPCP”
Ox's analysts looked at the source code in the repos and believe it displays the same patterns as previous Shai-Hulud attacks, which are immediately recognizable, as expected. This includes uploading stolen credentials to a new GitHub repository. TeamPCP isn't just spreading malware anymore; they're spreading capability. By going open source, they've handed any willing actor the tools to build their own variant. The copycats are already here, Ox opined.
“The Shai-Hulud worm attacks npm packages, and if it can infect them it looks for AWS, GCP, Azure, and GitHub credentials. If it gains access, it creates and publishes poisoned code to perpetuate itself. If the malware can't achieve its objectives, it sometimes tries to wipe the local environment in an act of self-destructive vengeance.”
Shai-Hulud worm source code associated with TeamPCP was found on GitHub in repositories whose instructions tell users to change the keys and command-and-control details. The repositories showed growing fork counts, indicating that independent actors are already modifying and extending the malware. Analysts identified recognizable patterns from prior Shai-Hulud activity, including uploading stolen credentials to a new GitHub repository. The worm targets npm packages and, once it has infected one, searches the local environment for AWS, GCP, Azure, and GitHub credentials. If it obtains access, it creates and publishes poisoned code to continue propagating. If its objectives fail, it may wipe the local environment in an act of self-destruction.
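The summary above lists what the worm goes after on an infected developer machine: long-lived AWS, GCP, Azure, GitHub and npm credentials. A practical defender response is to know, before any compromise, which of those stores are present on a workstation or CI runner so they can be rotated or replaced with short-lived tokens. The following script is an added example written for this page, not code from The Register, Ox, or the TeamPCP repositories. It reports only the location and age of each credential store, never its contents. The file paths and environment variable names are the standard defaults of the respective CLIs as assumed here; the page does not list them, and `build_constructed_home()` populates a throwaway directory with dummy files purely so the audit can be demonstrated offline.

```python
"""Credential-exposure audit for a developer workstation (added example).

Reports WHICH long-lived cloud / GitHub / npm credential stores exist and how
old they are, never their contents, so an operator can decide what to rotate
or move to short-lived credentials. Paths and variable names below are the
usual CLI defaults (an assumption; the page itself does not list them).
"""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Mapping

# Default on-disk credential stores for the providers the summary names
# (assumed standard CLI locations, relative to the user's home directory).
CREDENTIAL_FILES = {
    "aws":    [".aws/credentials"],
    "gcp":    [".config/gcloud/application_default_credentials.json",
               ".config/gcloud/credentials.db"],
    "azure":  [".azure/msal_token_cache.json", ".azure/accessTokens.json"],
    "github": [".config/gh/hosts.yml"],
    "npm":    [".npmrc"],
}

# Environment variables that commonly carry long-lived secrets (assumed names).
CREDENTIAL_ENV = {
    "aws":    ["AWS_SECRET_ACCESS_KEY"],
    "gcp":    ["GOOGLE_APPLICATION_CREDENTIALS"],
    "azure":  ["AZURE_CLIENT_SECRET"],
    "github": ["GITHUB_TOKEN", "GH_TOKEN"],
    "npm":    ["NPM_TOKEN", "NODE_AUTH_TOKEN"],
}


@dataclass(frozen=True)
class Finding:
    provider: str
    kind: str            # "file" or "env"
    location: str        # file path or variable name; never the secret value
    age_days: int | None # file age in days; None for environment variables


def audit(home: Path, env: Mapping[str, str], now: float | None = None) -> list[Finding]:
    """Return one Finding per credential store present under `home` or in `env`."""
    now = time.time() if now is None else now
    findings: list[Finding] = []
    for provider, rel_paths in CREDENTIAL_FILES.items():
        for rel in rel_paths:
            path = home / rel
            if path.is_file():
                # Only metadata is read: age hints at how stale the secret is.
                age = max(0, int((now - path.stat().st_mtime) // 86400))
                findings.append(Finding(provider, "file", str(path), age))
    for provider, names in CREDENTIAL_ENV.items():
        for name in names:
            if env.get(name):  # presence only; the value is never copied
                findings.append(Finding(provider, "env", name, None))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per provider, e.g. {'aws': 1, 'npm': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.provider] = counts.get(f.provider, 0) + 1
    return counts


def build_constructed_home() -> Path:
    """Create a throwaway home directory with DUMMY credential files.

    This is constructed sample input for demonstration; the values are
    placeholders, not real secrets.
    """
    home = Path(tempfile.mkdtemp(prefix="cred-audit-demo-"))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = EXAMPLE\naws_secret_access_key = EXAMPLE\n")
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=EXAMPLE\n")
    return home


if __name__ == "__main__":
    # Audit the real home directory and environment; prints locations and ages only.
    for f in audit(Path.home(), os.environ):
        age = "-" if f.age_days is None else f"{f.age_days}d"
        print(f"{f.provider:7} {f.kind:4} {f.location} age={age}")
```

Run it as-is on a workstation or CI runner to get an inventory of what a credential-stealing package install could read; any file finding with a large age is a long-lived secret that has survived many rotation cycles, and any `env` finding on a build host is a token exposed to every install script that runs there.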
Read at www.theregister.com