Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack

A self-replicating worm called “Shai-hulud” is rapidly infecting npm packages by stealing credentials and exfiltrating sensitive data through compromised GitHub repositories. The attack exploits npm tokens and GitHub access, turning private repositories public and adding malicious workflows, representing a significant supply chain threat. #Shaihulud #npmsecurity #GitHubThreats

Keypoints

  • The Shai-hulud worm spreads by injecting malicious code into the packages a compromised maintainer publishes, so each newly published version carries the payload to downstream installers.
  • It harvests npm, GitHub, AWS, Google Cloud, and Azure tokens from infected machines and uses them both to propagate (publishing further packages) and to exfiltrate data.
  • The malware creates public GitHub repositories containing the stolen secrets and adds malicious GitHub Actions workflows to keep exfiltrating them.
  • It behaves like a true worm: after the initial compromise it spreads through the npm ecosystem without further attacker involvement.
  • The attack mainly targets developers on Linux or macOS and resembles earlier supply chain attacks such as S1ngularity.

Read More: https://www.helpnetsecurity.com/2025/09/16/self-replicating-worm-hits-180-npm-packages-in-largely-automated-supply-chain-attack/