
"According to Charlie Eriksen, malware researcher at Aikido, the attacker appears to be the same one who targeted Nx at the end of August - a campaign in which developers' secrets, such as credentials, were posted to public GitHub pages. Socket and Step Security first reported the latest round of attacks on September 15, with 40 packages affected, but Eriksen has since seen 147 additional packages compromised through similar means, including those from security giant CrowdStrike."
"The way the attack works is that miscreants embed a malicious payload into compromised npm packages, often relied upon by many projects, which then runs on a victim's machine to steal secrets, system information, and credentials. Before moving to the next stage, it runs TruffleHog to scan for secrets. Researchers noted that it specifically looks out for AWS keys, GCP and Azure service credentials, GitHub personal access tokens, cloud metadata endpoints, and npm authentication tokens."
"However, Eriksen said that the attackers "have upped their game," evolving their tradecraft to adopt a self-propagating worm. In a similar style to the Nx attack, the payload then publishes a new repo via the victim's GitHub account, dropping stolen credentials and tokens, as well as making a double-encoded backup in the victim's GitHub Actions logs in case the command to send the secrets to the attacker's website fails."
The npm platform faces a supply-chain attack compromising at least 187 packages. Initial reports on September 15 identified 40 affected packages; subsequent analysis found 147 additional compromises, including packages linked to CrowdStrike. The attack has evolved into a self-propagating worm: a malicious payload embedded in compromised npm packages executes on victims' machines and harvests secrets, system information, and credentials. The payload runs TruffleHog to search for AWS, GCP and Azure service credentials, GitHub personal access tokens, cloud metadata endpoints, and npm authentication tokens. The malware then creates a repository called Shai-Hulud via the compromised GitHub account to exfiltrate and back up the stolen tokens, and abuses any npm tokens it finds to publish new versions of other packages the victim maintains, propagating further.
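An added defender-side triage example (not code from the article or from the researchers it cites) covering the three traces the summary describes: registry versions a maintainer never released, the Shai-Hulud repository on a GitHub account, and a double-encoded credential backup in an Actions log. All sample data is constructed, and it assumes the double encoding is base64, which the article does not state.

```python
import base64
import json
import re

# Constructed sample of the "time" field of an npm packument for a package the
# team maintains: the registry records a publish timestamp per version.
SAMPLE_TIME_FIELD = {
    "created": "2023-01-10T09:00:00.000Z",
    "modified": "2025-09-16T02:14:05.000Z",
    "1.4.0": "2025-06-01T12:00:00.000Z",
    "1.4.1": "2025-09-16T02:14:05.000Z",  # constructed: absent from the release log
}
KNOWN_RELEASES = {"1.4.0"}  # constructed: versions the team actually shipped


def unexpected_versions(time_field, known_releases):
    """Versions present in the registry that the team never released; a hit
    means someone else (e.g. a stolen npm token) published under your name."""
    return sorted(v for v in time_field
                  if v not in ("created", "modified") and v not in known_releases)


def is_worm_repo(repo_name):
    """The worm publishes a repository named Shai-Hulud on the victim's account."""
    return repo_name.strip().lower() == "shai-hulud"


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_double_encoded_json(log_text):
    """Return JSON objects hidden in a log as base64-of-base64 blobs.
    Assumption: the 'double-encoded' backup is two layers of base64."""
    hits = []
    for token in _B64_RUN.findall(log_text):
        try:
            inner = base64.b64decode(token, validate=True)
            plain = base64.b64decode(inner, validate=True)
            obj = json.loads(plain)
        except (ValueError, json.JSONDecodeError):
            continue  # not base64, not double-encoded, or not JSON
        if isinstance(obj, dict):
            hits.append(obj)
    return hits


def constructed_actions_log():
    """Constructed GitHub Actions log excerpt containing one such backup blob."""
    secret = {"github_token": "ghp_PLACEHOLDER_NOT_REAL", "npm_token": "npm_PLACEHOLDER"}
    blob = base64.b64encode(base64.b64encode(json.dumps(secret).encode())).decode()
    return "2025-09-16T02:14:07Z Run build step\n" + blob + "\n2025-09-16T02:14:09Z Done.\n"
```

Run the first check against the live packument `time` field for each package your token can publish, and the third over exported workflow logs for the days around the compromise window.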
Read at Theregister