
"Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that's reminiscent of the Shai-Hulud attack. The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, Koi Security, Socket, and Wiz. "The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing potential exposure in build and runtime environments," Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski said."
"The prior wave was characterized by the compromise of legitimate packages to push malicious code designed to search developer machines for secrets using TruffleHog's credential scanner and transmit them to an external server under the attacker's control. The infected variants also came with the ability to propagate in a self-replicating manner by re-publishing themselves into other npm packages owned by the compromised maintainer."
"In the latest set of attacks, the attackers have been found to add a preinstall script ("setup_bun.js") to the package.json file, which is configured to stealthily install or locate the Bun runtime and run a bundled malicious script ("bun_environment.js"). The malicious payload carries out the following sequence of actions through two different workflows - Registers the infected machine as a self-hosted runner named "SHA1HULUD" and adds a workflow called .github/workflows/discussion.yaml that contains an injection vulnerability and runs specifically on self-hosted runners,"
Multiple security vendors report a second wave of supply-chain attacks against the npm registry called Sha1-Hulud. Hundreds of npm packages have been compromised. The campaign deploys a new variant that executes malicious code during the preinstall phase, increasing exposure in build and runtime environments. Attackers add a preinstall script ("setup_bun.js") to package.json to stealthily install or locate the Bun runtime and run a bundled malicious script ("bun_environment.js"). The payload registers infected machines as self-hosted GitHub runners named "SHA1HULUD", adds a vulnerable workflow (.github/workflows/discussion.yaml) that allows arbitrary command execution, and exfiltrates secrets.
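As an added defensive check (not code from the article or from any vendor it names), the following JavaScript flags the two traits described above: an npm lifecycle script that stages Bun and runs a bundled payload, and a GitHub workflow that runs on self-hosted runners while interpolating event-controlled fields. The bare "bun" token is an assumed heuristic beyond the two reported file names, and the sample inputs are constructed.

```javascript
// Added defensive check; not code from the article or from any vendor it cites.
// Flags the two Sha1-Hulud traits described above: an npm lifecycle script that
// stages Bun and runs a bundled payload, and a GitHub workflow that runs on
// self-hosted runners while interpolating attacker-controlled event fields.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// The two file names come from the article; the bare "bun" token is a broader
// heuristic (assumption: legitimate packages rarely invoke Bun at install time).
const SUSPECT_PATTERNS = [
  { label: "setup_bun.js", re: /setup_bun\.js/i },
  { label: "bun_environment.js", re: /bun_environment\.js/i },
  { label: "bun runtime invoked", re: /\bbun\b/i },
];
// Returns one hit per lifecycle hook whose command matches a suspect pattern.
function findSuspiciousHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const hits = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const matched = SUSPECT_PATTERNS.filter((p) => p.re.test(cmd)).map((p) => p.label);
    if (matched.length > 0) hits.push({ hook, cmd, matched });
  }
  return hits;
}

// GitHub expands ${{ ... }} before the shell runs, so event fields such as a
// discussion title or body land verbatim in the command line. On a self-hosted
// runner that is code execution on the registered machine.
const SELF_HOSTED = /runs-on:\s*\[?\s*["']?self-hosted/i;
const EVENT_INJECTION = /\$\{\{\s*github\.event\.[^}]*\.(title|body)\s*\}\}/i;
function workflowIsRisky(yamlText) {
  return SELF_HOSTED.test(yamlText) && EVENT_INJECTION.test(yamlText);
}

// Constructed sample inputs, not contents of any real package or repository.
const samplePkg = {
  name: "example-pkg",
  scripts: { preinstall: "node setup_bun.js", test: "jest" },
};
const sampleWorkflow = `on: discussion
jobs:
  handle:
    runs-on: self-hosted
    steps:
      - run: echo "\${{ github.event.discussion.body }}"
`;

console.log(findSuspiciousHooks(samplePkg));
console.log("workflow risky:", workflowIsRisky(sampleWorkflow));
```

Run it over every package.json under node_modules and every file in .github/workflows to triage an install or repository; a hit is a prompt for manual review, not proof of compromise.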
Read at The Hacker News