
"More than 180 NPM packages were hit in a fresh supply chain attack that uses self-replicating malware to steal secrets, publish them on GitHub, and make private repositories public. As part of the attack, hackers compromised over 40 developer accounts and published more than 700 malicious package versions to the NPM registry. The attack was flagged on September 15 by Loka senior software engineer Daniel dos Santos Pereira, but started on September 14 with less than a dozen malicious packages being published."
"The script also validates the collected credentials and, if GitHub tokens are identified, it uses them to create a public repository and dump the secrets into it. Additionally, it pushes a GitHub Actions workflow that exfiltrates secrets from each repository to a hardcoded webhook (which was deactivated for exceeding the allowed callback limit), and migrates private repositories to public ones labeled 'Shai-Hulud Migration'."
More than 180 NPM packages were compromised in a supply-chain attack that used post-install scripts to deploy TruffleHog and harvest environment variables and cloud keys exposed through the instance metadata service (IMDS). Attackers compromised over 40 developer accounts and published more than 700 malicious package versions to the NPM registry. The activity began on September 14 and escalated by September 16, when repositories labeled 'Shai-Hulud Migration' appeared containing dumped secrets. The malicious code validated the stolen credentials, abused GitHub tokens to create public repositories and push workflows that exfiltrated secrets to a hardcoded webhook, which was later deactivated. Several high-download packages and multiple CrowdStrike NPM packages were affected or removed.
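Because the payload ran from an npm post-install hook, one practical defensive check is to enumerate every dependency that registers an install-time script and flag hooks that invoke secret scanners or download-and-run idioms. The script below is an added example written for this summary, not code from the article or from any affected project; the sample manifests and the suspicious-command patterns are constructed for illustration.

```python
"""Audit npm package.json manifests for lifecycle install hooks."""
import json
import re
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Constructed patterns: the scanner named in the article (TruffleHog)
# plus generic fetch-and-execute idioms seen in install-time malware.
SUSPICIOUS = re.compile(r"trufflehog|curl\s|wget\s|\bnode\s+-e\b|eval\(", re.I)


def audit_manifest(manifest: dict) -> list:
    """Return (package, hook, command, suspicious) for each install hook."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            flagged = bool(SUSPICIOUS.search(cmd))
            findings.append((manifest.get("name", "?"), hook, cmd, flagged))
    return findings


def audit_node_modules(root) -> list:
    """Walk a node_modules tree and audit every package.json found."""
    results = []
    for pj in Path(root).rglob("package.json"):
        try:
            results.extend(audit_manifest(json.loads(pj.read_text())))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, keep going
    return results


# Constructed sample manifests: a benign native-build hook, a hook that
# matches the behaviour described above, and a package with no hooks.
SAMPLES = [
    {"name": "good-addon", "scripts": {"postinstall": "node-gyp rebuild"}},
    {"name": "bad-pkg", "scripts": {"postinstall": "node bundle.js && trufflehog filesystem ."}},
    {"name": "plain-lib", "scripts": {"test": "jest"}},
]

if __name__ == "__main__":
    for m in SAMPLES:
        for name, hook, cmd, sus in audit_manifest(m):
            print(f"{'SUSPICIOUS' if sus else 'review    '} {name} {hook}: {cmd}")
```

Run `audit_node_modules("node_modules")` against a real checkout to list every install hook for review; a hook that is not flagged still deserves a look, since benign-looking commands can load a malicious bundle.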
Read at SecurityWeek