"Information from the analysis shows that this time, the attackers focused more on collecting and distributing sensitive data than on rapidly infecting package versions. According to Wiz, approximately 400,000 raw secrets were stolen, ranging from access tokens to configuration data from CI and development environments. Notably, according to the researchers, a significant portion of the stolen NPM tokens were still valid at the time the leak was discovered."
"This means that the attack not only provides a retrospective view of what went wrong, but also poses a real and ongoing risk of new compromises. Shai-Hulud 2.0 spread via hundreds of infected package versions, writes BleepingComputer. The malicious behavior was almost always activated during NPM's preinstall event, where a script called setup_bun.js was responsible for collecting tokens, injecting additional code, and republishing packages under victims' accounts."
The NPM ecosystem is experiencing a supply-chain campaign named Shai-Hulud 2.0 that prioritized mass exfiltration of credentials and configuration over fast replication. Approximately 400,000 raw secrets were stolen, including access tokens and CI and development environment configuration data. Many stolen NPM tokens remained valid when the leak was discovered, enabling ongoing impersonation and compromise. Infection typically triggered during NPM's preinstall event via a setup_bun.js script that harvested tokens, injected code, and republished packages under compromised accounts. The new variant also includes a destructive routine capable of deleting a victim's entire home directory, with many targets running in Linux containers.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]