Self-propagating worm fuels latest npm supply chain compromise

The npm platform is the target of another supply chain attack, with crims already compromising 187 packages and counting.

According to Charlie Eriksen, malware researcher at Aikido, the attacker appears to be the same one who targeted Nx at the end of August – a campaign in which developers’ secrets, such as credentials, were posted to public GitHub pages.

Socket and Step Security first reported the latest round of attacks on September 15, with 40 packages affected, but Eriksen has since seen 147 additional packages compromised through similar means, including those from security giant CrowdStrike.

However, Eriksen said that the attackers “have upped their game,” evolving their tradecraft to adopt a self-propagating worm.

The way the attack works is that miscreants embed a malicious payload into compromised npm packages, often relied upon by many projects, which then runs on a victim’s machine to steal secrets, system information, and credentials.

Before moving to the next stage, it runs TruffleHog to scan for secrets. Researchers noted that it specifically looks for AWS keys, GCP and Azure service credentials, GitHub personal access tokens, cloud metadata endpoints, and npm authentication tokens.

In a similar style to the Nx attack, the payload then publishes a new repo via the victim’s GitHub account, dropping stolen credentials and tokens, as well as making a double-encoded backup in the victim’s GitHub Actions logs in case the command to send the secrets to the attacker’s website fails.

In each case, the repository created by the malware is called Shai-Hulud, which may sound familiar to sci-fi fans as it is the name of the worm in the Dune series.

Eriksen said that this is “a clear indication of the intent of the attackers.”

The malware then abuses the valid npm tokens it finds to update other packages controlled by the victim, before making public any other private repos it can and inserting the same code into them to repeat the process.

At present, 187 npm packages are affected by the attack, although Eriksen said that the number continues to rise, with updated counts pending validation.

Among the most prominent of these are packages associated with CrowdStrike, while Step Security said that @ctrl/tinycolor, which receives around 2.2 million weekly downloads, was the most visible as of Monday.

Socket’s researchers recommended that users uninstall any compromised versions and that maintainers pin versions that are confirmed to be unaffected.

Rotating tokens and other secrets is also advised, as is monitoring logs for unusual events. ®
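The two recommendations above, uninstalling known-bad versions and pinning, can be checked mechanically against a project's lockfile and package.json. The following Node script is an added example written for this article; it is not code from Socket, Step Security, Aikido or any affected project. It walks a lockfile's `packages` map (lockfile v2/v3 layout), flags any entry matching a blocklist of compromised name@version pairs, and reports dependencies declared as ranges rather than exact versions. The blocklist, lockfile and package.json are constructed sample data; the `0.0.0-placeholder` version is a placeholder, not a real compromised release, and real indicators must come from the vendors' advisories.

```javascript
// Added example (not from the article or any vendor): audit an npm lockfile
// against a list of compromised package versions and flag unpinned ranges.

// Extract {name, version, path} for every installed package in a v2/v3
// lockfile. Keys look like "node_modules/foo" or, for nested installs,
// "node_modules/foo/node_modules/@scope/bar"; the package name is whatever
// follows the last "node_modules/" segment, so scoped names are preserved.
function parseLockPackages(lock) {
  const marker = 'node_modules/';
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: meta.version, path });
  }
  return out;
}

// Return every installed package whose exact name@version is on the blocklist.
function findCompromised(lock, blocklist) {
  const bad = new Set(blocklist.map((e) => `${e.name}@${e.version}`));
  return parseLockPackages(lock).filter((p) => bad.has(`${p.name}@${p.version}`));
}

// Return declared dependencies that are not pinned to one exact version.
// Anything other than MAJOR.MINOR.PATCH (with optional prerelease tag) is a
// range (^, ~, *, >=, "latest", ...) and could silently float to a bad release.
function unpinnedDependencies(pkgJson) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const result = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkgJson[field] || {})) {
      if (!exact.test(range)) result.push({ name, range, field });
    }
  }
  return result;
}

function audit(lock, pkgJson, blocklist) {
  return {
    compromised: findCompromised(lock, blocklist),
    unpinned: unpinnedDependencies(pkgJson),
  };
}

// ---- Constructed sample data (placeholder values, not real indicators) ----
const SAMPLE_BLOCKLIST = [
  { name: '@ctrl/tinycolor', version: '0.0.0-placeholder' }, // placeholder
];

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/@ctrl/tinycolor': { version: '0.0.0-placeholder' },
    'node_modules/example-lib': { version: '1.3.0' },
    // nested copy at a different (clean) version must not be flagged
    'node_modules/example-lib/node_modules/@ctrl/tinycolor': { version: '1.0.0' },
  },
};

const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@ctrl/tinycolor': '0.0.0-placeholder', // pinned (placeholder version)
    'example-lib': '^1.3.0',                // range: will be reported
  },
};

const REPORT = audit(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, SAMPLE_BLOCKLIST);
console.log(JSON.stringify(REPORT, null, 2));
```

To run it against a real project, replace the sample objects with `JSON.parse(fs.readFileSync('package-lock.json'))` and the current advisory list; a non-empty `compromised` array means the affected version should be removed and every secret the machine could reach should be treated as exposed, in line with the rotation advice above.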
