House lawmakers move to extend two key cyber programs, for now

The measure from the House Appropriations Committee would extend the life of the 2015 Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program — both of which are slated to expire September 30 — until November 21.

The Record from Recorded Future News

YouTube reveals new AI tools for Shorts creators – see what you can do now

Powered by DeepMind’s Veo 3 and Lyria 2 models, the tools promise ‘more play, less effort’ for creators.

Latest news

Hate Windows 11’s vibe? Make it look more like Linux or MacOS – here’s how

This free and fully customizable desktop environment enhances Windows every which way.

Latest news

Responding to npm package compromise by the Shai-Hulud worm.

On the evening of September 15, a new attack against npm, the most popular JavaScript package repository, began. A number of packages, some with millions of weekly downloads, were infected with malicious code that steals tokens and authentication keys. Its most interesting feature is that it is able to spread automatically by infecting other npm packages. Among the infected packages is the popular @ctrl/tinycolor. According to Aikido Security, almost 150 packages have been compromised, including CrowdStrike packages.

Propagation methodology

The method of the first infection and the identity of “patient zero” are currently unknown. Since the attack pattern is very similar to the recent s1ngularity incident, it may have been phishing as well. The subsequent chain of infection, however, is as follows:

  • Malicious code is added to compromised packages in the form of a post-installation script saved in the bundle.js file. When the victim installs the infected package, the script runs. Unlike the previous incident, the script is cross-platform and works in both *nix and Windows environments.
  • The script downloads a platform-appropriate version of TruffleHog, a legitimate secret-finding tool. TruffleHog looks for high-entropy strings in the local file system and in accessible repositories; these are typically cryptographic keys, API tokens, and similar material.
  • In addition to the TruffleHog search, the script harvests tokens from environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. It then checks whether they are valid by querying the npm whoami and GitHub user API endpoints.
  • The script then compromises the npm packages to which the attacked user has publishing rights. To do this, it downloads the current version of the package to be infected from npm, increments the sub-version by 1, adds a postinstall hook, and writes a copy of itself to the bundle.js file. The trojanized “new version” of the package is then published to npm.
  • Then it marks the victim’s repositories as public, which is sometimes a separate and more serious leak.

Publishing stolen data

Extracting the harvested secrets is done in two ways at the same time:

Through a GitHub repository. The malware creates a public Shai-Hulud repository on behalf of the victim, using their GitHub token, and uploads to it a JSON file with the collected secrets and system information.

Via GitHub Actions. The script creates a new GitHub workflow (.github/workflows/shai-hulud-workflow.yml) that encodes the collected secrets as JSON and transmits them to the attacker’s webhook[.]site server.

Incident Response

The infection of the tinycolor package and dozens of others became known on the night of September 15–16, and by morning the npm administrators had already started to respond by rolling back the infected packages to their clean versions. The version history of the processed packages does not show the malicious version at all, but the fact that it existed can be found in GitHub bulletins. Judging by the fact that there have been no new bulletins for five hours at the time of writing, the large-scale incident could be considered over. But given that we are dealing with a worm, it could start all over again unless npm blocks the publication of the specific malicious files.

Those who managed to download the infected packages are advised to:

  • roll back to safe versions of the packages and clear the npm cache;
  • audit CI/CD pipelines and developer computers for unauthorized changes;
  • analyze logs to identify suspicious npm publish activity;
  • replace all npm, GitHub, AWS, GCP and Azure keys and tokens that were available in the affected environment.

Kaspersky solutions detect this threat with the verdict Worm.Script.Shulud.*. The most complete list of affected packages can be found on GitHub.

Kaspersky official blog

AirPods Pro 3 fitness feature surprises triathlete tester – here’s what he found

This new feature in the AirPods Pro 3 is a winner, according to the DC Rainmaker blog.

Latest news

Deploying agentic AI? You’ll probably do business with these 3 companies

How three major players position themselves to define enterprise productivity tools, according to Research And Markets.

Latest news

Copilot Chat arrives free for Microsoft 365 users – check if you have it

Here’s what you’ll need to fully access Copilot Chat.

Latest news

How to Set Up and Use a Burner Phone

Obtaining and using a true burner phone is hard—but not impossible. Here are the steps you need to take to protect your mobile communications based on the risks you face.

Security Latest

Some Pixel 7 users say their batteries are swelling – what Google is doing about it

The Pixel and Pixel 7 Pro are the latest Google phones with battery problems.

Latest news

Don’t like Apple’s new Liquid Glass look? Here’s how to tone it down

You can’t disable Liquid Glass but you can reduce its effects. Here’s how to do this on an iPhone, iPad, Mac, and Apple Watch.

Latest news