
"In a postmortem released by PostHog, one of the various package maintainers impacted by Shai-Hulud 2.0, the company says contaminated packages - which included core SDKs like posthog-node, posthog-js, and posthog-react-native - contained a pre-install script that ran automatically when the software was installed. That script ran TruffleHog to scan for credentials, exfiltrated any found secrets to new public GitHub repositories, then used stolen npm credentials to publish further malicious packages - enabling the worm to spread."
"According to security boffins at Wiz who uncovered the second coming of the Shai-Hulud campaign, more than 25,000 developers had their secrets compromised within three days. Along with PostHog, affected packages include those provided by Zapier, AsyncAPI, ENS Domains, and Postman, several of which have thousands of weekly downloads. Shai-Hulud 2.0 doesn't just propagate like a typical trojan - it behaves like a full-blown worm."
Attackers inserted malicious releases into core JavaScript SDKs including posthog-node, posthog-js, and posthog-react-native. The compromised packages carried a pre-install script that ran TruffleHog to find credentials, exfiltrated any discovered secrets to public GitHub repositories, and used stolen npm credentials to publish further malicious packages, giving the campaign rapid, worm-like spread. Researchers at Wiz reported that over 25,000 developers had secrets exposed within three days. Affected projects included Zapier, AsyncAPI, ENS Domains, and Postman. The malware could steal npm and GitHub tokens, cloud credentials, CI/CD secrets, environment variables, and other sensitive data. Tokens were revoked and the malicious releases removed; the root cause was a CI/CD workflow misconfiguration that allowed privileged automation to run.
Read at Theregister