The attackers have learned from their mistakes and have now developed a more aggressive version of the worm. It has already stolen over 27,000 credentials.
(Image: amgun/ Shutterstock.com)
A new worm is infecting npm packages en masse and stealing credentials. The malware's code contains the identifier "SHA1HULUD," which is why security analysts are calling it "Shai-Hulud 2.0." It is unclear, however, whether the same attackers deployed both versions on the npm ecosystem or whether opportunists are behind the second wave. Either way, the malware's developers have learned from the first attack wave and removed its bottlenecks. Cleanup is underway, and developers and users should be on their guard.
Over 425 npm packages with over 100 million monthly downloads were infected on Monday afternoon, including prominent names: packages related to ENS domains (Ethereum Name Service), various API, low-code, and no-code platforms like Zapier and Postman. The packages "go-template" and various repositories under "AsyncAPI" were apparently affected first, uploaded between November 21st and 23rd, i.e., over a weekend.
The malware searches the compromised repositories for credentials and publishes them in repositories under the victim's GitHub account. These repositories are named "Sha1-Hulud: the Second Coming," which makes them easy to find. In this way the developers sidestep a central bottleneck of the last worm outbreak: back then a webhook platform was used for exfiltration, and it promptly blocked the misused endpoint. Meanwhile, GitHub is diligently removing the affected repositories, but it appears to be fighting a losing battle: the campaign continues and new repositories are constantly being created. Around 2:30 PM on Monday afternoon, there were over 27,800 of them.
Several GitHub workflows are used to steal credentials and install a backdoor on infected machines. The backdoor can be controlled via the discussion feature of the infected repositories -- a self-hosted command-and-control (C&C) server, so to speak. A second workflow with the misleading name "Code Formatter" searches the attacked GitHub account for secrets and uploads them in JSON format. Sha1-Hulud apparently supports Linux, Windows, and macOS with platform-specific variants of the malware.
The attack comes just a few days before a far-reaching security change at npm: the operators of the ecosystem had announced that they would abolish "classic tokens" for authenticating package managers. The change takes effect on December 9th; the developers of Sha1-Hulud likely wanted to strike one last time before then.
The full list of affected packages, as reported by Wiz, Koi, and Aikido concurrently on Monday afternoon, can be found here:
The specialists at Wiz are cautious about attributing the worm to an attacker group or nation; attribution cannot yet be confirmed. Many methods of the current outbreak are similar to the previous Shai-Hulud worm, but there are also differences.
To detect and stop infections, organizations should first check their entire development infrastructure for suspicious signs -- above all for the known infected packages. These should be removed immediately, automatic package updates should be temporarily disabled, and in case of suspected infection, admins should rotate all credentials. This applies to development platforms like GitHub and npm, but also to access credentials for hyperscalers like GCP, AWS, and Azure.
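The first step above, checking a development environment for known infected packages and for the worm's workflow artefacts, can be automated offline. The following script is an added example and is not part of the heise article or of any vendor's tooling. It parses an npm lockfile (lockfileVersion 1, 2 and 3 layouts) and reports every installed package/version pair that appears on an indicator list, and it scans GitHub Actions workflow files for the misleading "Code Formatter" workflow name the article describes. The package names and versions in `INDICATORS` are placeholders, not the real affected packages; replace them with the published list from Wiz, Koi or Aikido. The sample lockfile and workflow below are constructed for the demonstration.

```python
"""Offline triage helpers for an npm supply-chain compromise (added example).

Scans a package-lock.json for packages on an indicator list and scans
GitHub Actions workflow YAML for the "Code Formatter" workflow name.
"""
import json
import re
import sys

# Placeholder indicators: hypothetical package/version pairs, NOT the real
# list of affected packages. Replace with the published list.
INDICATORS = {
    ("example-affected-pkg", "1.2.3"),
    ("another-affected-pkg", "4.5.6"),
}

# Workflow name the article reports the malware uses for secret harvesting.
SUSPICIOUS_WORKFLOW_NAMES = {"Code Formatter"}


def iter_lockfile_packages(lock):
    """Yield (name, version) for every installed package in a lockfile dict.

    lockfileVersion 2/3 key "packages" by node_modules path (the "" entry is
    the project itself); lockfileVersion 1 nests under "dependencies".
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:
                continue
            # "node_modules/a/node_modules/@s/b" -> "@s/b"
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_indicator_hits(lock_text, indicators=INDICATORS):
    """Return a sorted list of (name, version) pairs found in the lockfile
    that match the indicator set."""
    lock = json.loads(lock_text)
    hits = {(n, v) for n, v in iter_lockfile_packages(lock) if (n, v) in indicators}
    return sorted(hits)


# Only a "name:" at column 0 is the workflow's own name; indented "name:"
# keys belong to jobs or steps.
_WORKFLOW_NAME_RE = re.compile(r'^name\s*:\s*["\']?([^"\'\n]+?)["\']?\s*$', re.MULTILINE)


def find_suspicious_workflows(workflow_text, names=SUSPICIOUS_WORKFLOW_NAMES):
    """Return the top-level workflow names in a YAML file that match the
    suspicious set."""
    return [m.group(1) for m in _WORKFLOW_NAME_RE.finditer(workflow_text)
            if m.group(1) in names]


# Constructed sample inputs for the demonstration.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-affected-pkg": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/another-affected-pkg": {"version": "4.5.0"},
        "node_modules/foo/node_modules/another-affected-pkg": {"version": "4.5.6"},
    },
})

SAMPLE_WORKFLOW = """name: Code Formatter
on: [push]
jobs:
  fmt:
    name: Run formatter
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
"""


def main(argv):
    # Usage: triage.py [package-lock.json] [workflow.yml ...]
    lock_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOCK
    workflows = [open(p).read() for p in argv[2:]] or [SAMPLE_WORKFLOW]
    for name, version in find_indicator_hits(lock_text):
        print(f"INDICATOR HIT: {name}@{version}")
    for text in workflows:
        for wf_name in find_suspicious_workflows(text):
            print(f"SUSPICIOUS WORKFLOW NAME: {wf_name}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a real lockfile and the files under `.github/workflows/` to get a quick first pass; a hit on the indicator list or on the workflow name is a trigger for the rest of the procedure (remove the package, pause automatic updates, rotate credentials), not proof of compromise on its own.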
(cku)