Powered by MOMENTUMMEDIA
Code-hosting platform GitHub is taking action against attackers who are compromising widely used JavaScript packages to spread malware.
GitHub has responded to a recent string of attacks on popular JavaScript packages in its npm ecosystem, removing hundreds of compromised packages and promising further measures to protect its open source supply chain.
The most serious of these campaigns saw a self-replicating worm injected into a raft of popular packages; from there it went on to infect several hundred further packages, affecting individual developers and organisations alike.
The worm, dubbed Shai-Hulud after the repositories it created to store the credentials it stole, even managed to impact cyber security firm CrowdStrike, though the company was quick to act, and no further compromise was detected.
Since then, GitHub has removed more than 500 compromised packages from the npm registry and now blocks the upload of any package containing indicators of compromise linked to the Shai-Hulud worm.
The scope of the incident has been broad enough to lead the US Cybersecurity and Infrastructure Security Agency to issue an alert regarding the campaign.
“CISA is releasing this alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm – publicly known as ‘Shai-Hulud’ – has compromised over 500 packages,” CISA said in a 23 September alert.
“After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.”
In addition to removing the infected packages and ensuring no more can be uploaded, GitHub is taking a tranche of other measures.
“GitHub is committed to investigating these threats and mitigating the risks that they pose to the open source community,” GitHub said in a 22 September blog post.
“To address token abuse and self-replicating malware, we will be changing authentication and publishing options in the near future to only include:
In addition, GitHub will deprecate legacy classic tokens and time-based one-time password (TOTP) two-factor authentication in favour of FIDO-based 2FA, limit granular tokens with publishing permissions to a shorter lifetime, set package publishing access to disallow tokens by default, remove the option to bypass 2FA for local package publishing, and expand the set of providers eligible for trusted publishing.
“When npm released support for trusted publishing, it was our intention to let adoption of this new feature grow organically,” GitHub said.
“However, attackers have shown us that they are not waiting. We strongly encourage projects to adopt trusted publishing as soon as possible, for all supported package managers.”
GitHub recommends that npm maintainers use npm trusted publishing instead of long-lived tokens, tighten their packages' publishing settings to require 2FA, and choose WebAuthn over TOTP when configuring 2FA.
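As an added illustration (not code from the article or from GitHub's post), here is what that shift looks like in a GitHub Actions publish workflow. The first workflow is the pattern the worm exploited: a long-lived npm automation token stored as a repository secret, which any process on the runner can read and exfiltrate. The second uses OpenID Connect trusted publishing, so the runner requests a short-lived identity token and npm mints a publish credential bound to this repository and workflow file; there is no standing token to steal. The organisation, repository and workflow filename are assumed placeholders, and the second workflow assumes the package has been configured on npmjs.com with a trusted publisher pointing at that repository and filename. The two workflows are shown together for comparison; each would normally live in its own file under .github/workflows/.

```yaml
# BEFORE: long-lived automation token kept as a repository secret.
# Any step, including a dependency's install-time script, can read it,
# and it remains valid from anywhere until someone revokes it.
name: publish-with-token
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # the standing credential to eliminate
---
# AFTER: trusted publishing over OIDC. No npm token is stored anywhere.
# One-time prerequisite in the package's settings on npmjs.com: add a
# trusted publisher for owner "example-org", repository "example-pkg",
# workflow file "publish.yml" (all assumed names for this example).
name: publish-trusted
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write        # lets the job request an OIDC token from GitHub
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest    # trusted publishing needs npm CLI 11.5.1 or newer
      - run: npm ci --ignore-scripts      # don't run dependency lifecycle scripts on the publishing runner
      - run: npm publish                  # no NODE_AUTH_TOKEN; npm exchanges the OIDC token for a short-lived credential and attaches provenance
```

Once the OIDC workflow has produced a successful publish, revoke the old automation token (`npm token revoke <id>`) and switch the package's publishing access to the setting that requires two-factor authentication and disallows tokens, which is the default GitHub says it is moving to. The `--ignore-scripts` flag is a deliberate caveat: the worm spread through install-time scripts, so the machine that holds publish rights should not execute third-party lifecycle hooks.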
“By adopting robust security practices, leveraging available tools, and contributing to these collective efforts, we can collectively build a more secure and trustworthy open source ecosystem for all,” GitHub said.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.