
"Shai Hulud was first observed in September and specifically targets the JavaScript ecosystem. Instead of attacking end users, the malware focuses on developers by hiding malicious code in npm packages. Once such a package is installed, the malware attempts to collect sensitive information, including environment variables, API keys, and secrets from cloud and CI/CD environments. This data is then automatically leaked to GitHub repositories created by the attacker."
"The newly discovered variant, referred to by researchers as Shai Hulud 3.0, shows that the attackers continue to refine their techniques. The code has been further split up, more heavily obfuscated, and modified to better handle errors while stealing secrets. The malware is also now more compatible with various JavaScript runtimes, including Windows environments, which previous variants did not reliably support."
Aikido Security discovered a third variant of the Shai Hulud JavaScript malware hidden in the npm package @vietmoney/react-big-calendar. The compromise appears to be a controlled test, with no sign of large-scale distribution. The malware targets developers by embedding itself in npm packages; once such a package is installed, it collects environment variables, API keys and secrets from cloud and CI/CD environments and leaks them to GitHub repositories created by the attacker. Shai Hulud 3.0 splits its code into more pieces, is more heavily obfuscated, adds error handling around the secret theft, and runs on more JavaScript runtimes, including Windows environments that earlier variants did not reliably support. A programming error, mismatched download filenames, indicates active experimentation. The code appears to have been rebuilt with access to the original source, and this variant lacks a dead man's switch.
Read at Techzine Global