The campaign does not appear to be connected to the previous npm phishing attacks, but it does seem to be related to a rash of GitHub and npm token and secret thefts from the end of August.
There is an ongoing attack campaign that has compromised npm packages using malware that has the ability to automatically add malicious code to not just one package but also any other packages it has access to, creating the potential for a significant downstream problem for maintainers and end users.
Researchers noticed the campaign on Sept. 15 and several of the affected packages were published by CrowdStrike’s npm account. Those packages were removed quickly, but the attack campaign is still active and researchers have identified dozens of affected package, including the popular Tinycolor package.
The campaign does not appear to be connected to the previous npm phishing attacks, but it does seem to be related to a rash of GitHub and npm token and secret thefts from the end of August. That set of intrusions used automation and AI tools to scan for and harvest SSH keys, GitHub, and npm tokens.
"It doen’t look like its connected to those phishing emails but it has the same patterns. We can’t tell if it's the same actors or someone else just repurposing their tactics and taking lessons from failed attacks," said Ahmad Nassri, field CTO of Socket. "This is the third time in last four weeks we've seen something like this."
This most recent incident begins with one NPM package being compromised. Once that’s done and a user installs the malicious package, an automated script downloads TruffleHog, a popular secret-scanning tool, to find identity secrets and then attempts to validate those secrets. If it finds any GitHub secrets, the malware then creates a public GitHub repository named Shai-Hulud that contains those stolen secrets and then pushes a GitHub Actions workflow to any other repositories it has access to that steals any secrets from those repos. It also makes private repos public and uses the description Shai-Hulud Migration for them.
“This attack is a self-propagating worm. When a compromised package encounters additional npm tokens in a victim environment, it will automatically publish malicious versions of any packages it can access,” Merav Bar and Rami McCarthy of Wiz wrote in an analysis of the campaign.
“This attack is a self-propagating worm."
“Based on victimology, Wiz Research assesses this activity is tied to the recent s1ngularity / Nx supply chain attack, where initial GitHub token theft enabled the broader chain of compromise and leaking of formerly private repositories. The initial npm packages that started this chain reaction included multiple known-compromised victims of the s1ngularity attack.”
The malware has a number of functions, including exfiltrating stolen sensitive data to a webhook. That webhook has been deactivated now.
“The script combines local scanning with service specific probing. It looks for environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available. It also attempts cloud metadata discovery that can leak short lived credentials inside cloud build agents,” Socket researchers said.
Nassri said that the true effects of these attacks may not be known for some time.
"I'm wondering what the third and fourth degree impacts of this are. If they’re leaking secrets, maybe they can impersonate that person and take some actions behind the scenes. Who knows? That’s the stuff that scares me. Maybe they are doing stuff in the background we don’t see," he said.
The campaign appears to be ongoing, although many of the compromised packages have been removed. Researchers recommend that organizations look for potentially malicious packages in their environments and revert to known-good releases, and also search for any packages created by internal developers that have the phrase Shai-Hulud in them.
