Cybersecurity experts have uncovered a widespread supply chain attack on npm packages, involving at least 187 compromised packages containing self-propagating malware. The campaign, called ‘Shai-Hulud’, targets prominent packages and abuses tools like TruffleHog to exfiltrate secrets and create unauthorized workflows. #ShaiHulud #npmSupplyChainAttack
Key points
- Over 187 npm packages have been compromised in a large-scale supply chain attack.
- The attack, named ‘Shai-Hulud’, involves a worm-like malware that propagates automatically.
- Malicious code injects a bundle.js script that abuses TruffleHog to steal secrets and credentials.
- Targeted packages include those published by CrowdStrike, and affected popular projects include @ctrl/tinycolor.
- Developers are advised to audit dependencies, rotate secrets, and restrict publishing credentials to prevent further damage.
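The first remediation step above, auditing dependencies, amounts to checking every package recorded in a project's lockfile against the list of compromised name@version pairs. The Node script below is an added example, not code from the original report or from any of the affected projects: it walks both the v1 ("dependencies" tree) and v2/v3 ("packages" map) lockfile layouts and reports exact matches. The COMPROMISED denylist and the two sample lockfiles are constructed for this example; the version strings in them are placeholders, and a real audit must load the published indicator list for the campaign.

```javascript
// Added example, not code from the original report. Audits an npm lockfile
// (lockfileVersion 1, 2 or 3) against a denylist of compromised name@version
// pairs. COMPROMISED holds CONSTRUCTED placeholder versions only; populate it
// from the published indicator list for the campaign before real use.

const COMPROMISED = {
  "@ctrl/tinycolor": new Set(["0.0.0-placeholder"]), // placeholder version, not a real IoC
};

// Lockfile v2/v3 keys look like "node_modules/name", "node_modules/@scope/name"
// or, for nested installs, "node_modules/a/node_modules/b". Return the innermost
// package name, or null for the root project entry (key "").
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Walk a v1 lockfile's nested "dependencies" tree, yielding {path, name, version}.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { path, name, version: entry.version };
    yield* walkV1(entry.dependencies, `${path}/`);
  }
}

// Yield every installed package recorded in the lockfile, whichever layout it uses.
function* installedPackages(lockfile) {
  if (lockfile.packages) {
    for (const [key, entry] of Object.entries(lockfile.packages)) {
      const name = packageNameFromLockKey(key);
      if (name) yield { path: key, name, version: entry.version };
    }
  } else {
    yield* walkV1(lockfile.dependencies, "");
  }
}

// Return the installed packages whose name and exact version are on the denylist.
// Nested copies are checked too, since a compromised version can hide under
// another package's own node_modules.
function findCompromised(lockfile, denylist) {
  const hits = [];
  for (const pkg of installedPackages(lockfile)) {
    const badVersions = denylist[pkg.name];
    if (badVersions && badVersions.has(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): one denylisted install at the top
// level and a different, non-listed version nested under another package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "0.0.0-placeholder" },
    "node_modules/example-dep": { version: "1.3.0" },
    "node_modules/example-dep/node_modules/@ctrl/tinycolor": { version: "0.0.0-other" },
  },
};

// The same constructed content in the v1 layout, to show both walkers agree.
const SAMPLE_LOCK_V1 = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@ctrl/tinycolor": { version: "0.0.0-placeholder" },
    "example-dep": {
      version: "1.3.0",
      dependencies: { "@ctrl/tinycolor": { version: "0.0.0-other" } },
    },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK, COMPROMISED)) {
  console.log(`COMPROMISED: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, parse the project's package-lock.json with `JSON.parse(fs.readFileSync(path, "utf8"))` and pass the result to `findCompromised`. Matching on exact versions rather than names alone keeps the report actionable, because a package in the campaign usually has only specific versions compromised; any hit should be followed by the other two steps in the list, rotating every secret the affected build environment could reach and tightening who may publish.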