Hundreds of malicious npm packages carrying the Shai-Hulud malware have been published to steal secrets from developers and CI/CD pipelines, with the stolen data uploaded to GitHub repositories. The attack has expanded rapidly, affecting well-known packages such as Zapier, ENS Domains, and PostHog, and underlines the ongoing risk of supply-chain compromises. #ShaiHulud #npmSupplyChain
Key points
- Malicious npm packages are used to steal developer and CI/CD secrets.
- The campaign has grown to over 27,000 trojanized packages, with new additions appearing roughly every 30 minutes.
- The secret-stealing payload is embedded in obfuscated scripts that run during npm's preinstall lifecycle stage, i.e. before the package is even fully installed.
- Stolen secrets are published on GitHub repositories with references to Shai-Hulud.
- Developers are advised to update packages, rotate any secrets that may have been exposed, and disable postinstall scripts to reduce the risk.