- A new supply chain attack has compromised at least 187 npm packages, targeting developer secrets across software projects
- Shai-Hulud Worm seeks
- Researchers warn that the number of compromised packages is likely to grow
At least 187 malicious npm packages have been discovered as part of a larger supply chain attack against software developers.
Security researchers at Socket, StepSecurity and Aikido detected an ongoing campaign, apparently run by the same group that hit Nx several weeks ago.
As in that campaign, the criminals were again after developer secrets, including login credentials, AWS keys, GCP and Azure service credentials, GitHub personal access tokens, cloud metadata endpoints and npm authentication tokens.
Many affected
However, the attack methodology has evolved, the researchers said.
“The scale, scope and impact of this attack are significant,” they explained. “The attackers are largely using the same playbook as the original attack, but have intensified their game.”
This time, the attackers built a worm, called Shai-Hulud (a nod to the sandworm of Dune), which not only steals secrets and publishes them publicly (using tools such as TruffleHog and queries to cloud metadata endpoints), but also drops a malicious GitHub Action that sends secrets to an attacker-controlled endpoint, and uses the stolen tokens to modify and publish every package the maintainer controls, embedding the worm in each.
Among the compromised npm packages are some published by cybersecurity firm CrowdStrike, as well as others with millions of weekly downloads.
CrowdStrike, for its part, did what it could to mitigate the risk and minimize the damage.
“After detecting several malicious Node Package Manager (npm) packages in the public npm registry, an open-source third-party repository, we quickly removed them and proactively rotated our keys in public registries,” a CrowdStrike spokesman said, The Register reports.
“These packages are not used in the Falcon sensor, the platform is not affected, and customers remain protected. We are working with npm and conducting a thorough investigation.”
At the time of writing, the number of packages affected by the attack stands at 187, but the researchers warned that the number will probably continue to rise. Some potentially compromised packages are currently pending validation.
Via The Register