"A large-scale cyberattack has once again hit the NPM ecosystem. Following the first Shai-Hulud worm in September, more than 1,000 package versions have now been compromised. The attack focuses on stealing credentials and spreads automatically via NPM packages. A few months after the first major attack in September, the package registry was once again hit by a variant of the Shai-Hulud worm. In addition to the original 459 identified packages, the JFrog research team discovered another 181 compromised versions."
"The malware works similarly to the previous attack. It is a self-propagating worm that steals user secrets, uploads them to a public GitHub repo, and then repackages itself into all available NPM packages belonging to the user. The attackers are using a new payload in bun_environment.js instead of bundle.js. Sha1-Hulud: The Second Coming The attackers have dubbed this campaign "Sha1-Hulud: The Second Coming." This is visible in the repository descriptions where stolen credentials are stored."
A self-propagating Shai-Hulud worm variant has compromised more than 1,000 NPM package versions. The malware steals user secrets and uploads them to public GitHub repositories, then repackages itself into packages owned by infected users. The attackers replaced the original bundle.js payload with bun_environment.js and generate random repository names labeled "Sha1-Hulud: The Second Coming." The malware exfiltrates access tokens for GitHub, NPM, AWS, GCP, Azure, and any credentials detectable by TruffleHog. Affected developers must reset all access tokens, inspect GitHub for newly created random-name repositories, and check NPM accounts for unexpected new package versions or post-install scripts.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]