Hack without rhythm: Second Shai-Hulud npm campaign ups the stakes

Latest hacking campaign targeting GitHub npm repositories can self-propagate, wipe data, and hide more effectively, experts warn.

Security researchers are once again sounding the alarm as a rampaging new version of the Shai-Hulud worm rears its rather ugly head.

Named after the fictional giant worms of the popular Dune science fiction series, the latest iteration of the worm – which first emerged in September – has already compromised 181 code packages.

“The new wave of Shai Hulud supply-chain abuse marks a critical escalation in supply chain threats and yet another attack on the npm ecosystem,” Guy Korolevski, Security Researcher at supply chain security firm JFrog, said.

“Beyond stealing credentials, this self-propagating worm now executes destructive data-wiping protocols if targets lack valuable tokens.”

Deleting data when there is nothing worth stealing is just one of the new variant's tricks. Rather than exfiltrating stolen data to a GitHub repository called `<user>/shai-hulud`, the new version appears to generate a random repository name each time, making any leaked data harder to spot.

As well as being able to extract or delete data, the new Shai-Hulud payload can perform DNS hijacking and privilege escalation, while eventually repacking itself into every npm package it can find.

“Immediate remediation requires rotating all compromised environment tokens,” Korolevski said.

“Furthermore, organisations must shift from reaction to prevention by enforcing a 14-day quarantine on new package versions, a proven buffer period that stops malicious updates like bun_environment.js from infiltrating your software supply chain.”
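As an added illustration (not code from the article or from JFrog), here is one way to mechanise the 14-day quarantine Korolevski describes: each resolved dependency's publish timestamp, as recorded in the npm registry's per-package `time` metadata, is compared against a minimum age, and anything younger is refused. The package names, versions and timestamps below are constructed so the check runs offline.

```javascript
// Added example: enforce a release-age quarantine on npm dependencies.
// The registry document for a package (https://registry.npmjs.org/<name>)
// carries a "time" map of version -> ISO publish timestamp. Constructed
// sample documents stand in for a live fetch here.

const QUARANTINE_DAYS = 14;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed registry metadata (hypothetical package names and versions).
const registry = {
  "left-widget": {
    time: {
      "1.4.0": "2025-10-01T12:00:00.000Z",
      "1.4.1": "2025-11-24T09:30:00.000Z", // freshly published version
    },
  },
  "fast-parse": {
    time: { "2.0.3": "2025-06-15T08:00:00.000Z" },
  },
};

// Constructed resolved dependency set, as a lockfile would list it.
const resolved = [
  { name: "left-widget", version: "1.4.1" },
  { name: "fast-parse", version: "2.0.3" },
];

// Return every dependency that fails the quarantine: versions published
// fewer than `minDays` days before `now`, plus versions with no registry
// timestamp at all (their age cannot be verified, so they fail closed).
function quarantineViolations(deps, registryDocs, now, minDays = QUARANTINE_DAYS) {
  const violations = [];
  for (const { name, version } of deps) {
    const published = registryDocs[name]?.time?.[version];
    if (!published) {
      violations.push({ name, version, reason: "no publish timestamp" });
      continue;
    }
    const ageDays = (now.getTime() - Date.parse(published)) / MS_PER_DAY;
    if (ageDays < minDays) {
      violations.push({ name, version, reason: `published ${ageDays.toFixed(1)} days ago` });
    }
  }
  return violations;
}

// Fixed "now" so the result is deterministic; a real check would use new Date().
const NOW = new Date("2025-11-27T00:00:00.000Z");
console.log(quarantineViolations(resolved, registry, NOW));
```

A CI gate built on this would fail the build while any violation is present, leaving the previous, older version in place until the new release has aged past the quarantine window.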

Patrick Münch, co-founder and CTO at vulnerability management firm Mondoo, said Shai-Hulud poses a serious risk.

“The Shai-Hulud worm poses a significant risk to the software industry and end users since it can autonomously steal sensitive developer credentials and propagate itself across hundreds of open-source software packages in the npm ecosystem,” Münch said.

“Since npm packages are integrated into millions of applications and systems globally, this means that even a single compromise can potentially affect millions of downstream users and organisations.”

You can find more details on how the worm works, and a list of compromised packages, here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
