Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages | Sysdig

A supply-chain worm named Shai-Hulud infected roughly 200 NPM packages by adding a postinstall bundle.js that steals credentials, exfiltrates them (via webhook[.]site), creates public GitHub repositories containing the leaked data, and propagates to further NPM packages using the compromised maintainer credentials. Sysdig TRT and Falco/Sysdig Secure detections and mitigations are available and recommended, including package inventory queries, version pinning, credential rotation, and runtime monitoring.

Keypoints

  • Shai-Hulud is a self-propagating worm embedded in postinstall scripts (bundle.js) that has affected ~200 NPM packages, including @ctrl/tinycolor and packages owned by CrowdStrike.
  • Upon execution the worm performs local discovery for GitHub, NPM, AWS, and GCP credentials and uses trufflehog to verify discovered secrets.
  • If GitHub tokens are found, the malware creates malicious GitHub Actions and can make private repositories public by creating a “-migration” copy, and exfiltrates data to webhook[.]site.
  • With valid NPM credentials the worm calls getPackagesByMaintainer() and updatePackage() to inject bundle.js into maintainer packages, enabling rapid worm-like spread.
  • Detection options include Sysdig Secure runtime rules (e.g., UNIX socket reverse shell, Suspicious Domain Contacted During Package Install), Falco GitHub plugin rules for suspicious repo creation, and Threat Intelligence SysQL queries for affected package inventory.
  • Recommended responses: search and roll back affected packages, version pinning, rotate exposed credentials, monitor developer environments, block npm if necessary, and check for trufflehog execution or connections to webhook[.]site.
  • Rapid response by Sysdig TRT slowed further spread, but monitoring and runtime threat detection remain critical due to evolving supply-chain tactics.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The malware executes a large bundle.js in the postinstall phase of NPM packages (“postinstall”: “node bundle.js”) to run its malicious logic and propagation routines (“…This code targets Linux and macOS machines…”).
  • [T1539] Steal Web Session Cookie – The worm searches for and steals GitHub tokens (ghp_*, gho_*) and uses them to access repositories and create actions (“If GitHub credentials are found, the worm uses the GitHub user and their credentials (ghp_* and gho_* tokens)…”).
  • [T1005] Data from Local System – Shai-Hulud conducts local discovery and searches the filesystem for credentials and cloud keys, using trufflehog to validate discovered secrets (“trufflehog filesystem . --json --results=verified”).
  • [T1601] Modify Registry (or Package Repository) – The malware updates NPM packages by invoking updatePackage() to insert bundle.js and modify package.json to execute the malicious script in postinstall (“…invokes the updatePackage() function… The original package.json is tampered with to execute “bundle.js”.”).
  • [T1110] Brute Force (Credential Access via Search/Discovery) – The malware enumerates repositories and tries to leverage found credentials to create persistence and exfiltrate secrets via GitHub Actions (“iterating over the repositories belonging to the user, to gain persistence and steal their associated secrets via a malicious GitHub action…”).
  • [T1086] PowerShell/Shell Scripting (use of binaries) – The worm downloads and executes the trufflehog binary to search for secrets (“The trufflehog binary is downloaded and used to search for other sensitive credentials in the filesystem”).
  • [T1537] Transfer Data to Cloud Account – Exfiltration to an external service is performed using webhook[.]site as a dropbox for collected credentials (“To receive the credentials, the site https://webhook[.]site is used…”).
  • [T1609] Modify Cloud Compute Infrastructure – The malware searches IMDS endpoints for AWS/GCP credentials to access cloud resources (“Shai-Hulud also contains code that looks for AWS and GCP credentials, searching both locally in the file system and any Instance Metadata Service (IMDS) endpoints”).

Indicators of Compromise

  • [Package Names] Affected NPM packages – @ctrl/tinycolor, multiple packages owned by CrowdStrike (and ~198 more affected packages).
  • [File/script] Postinstall malicious script – bundle.js executed via “postinstall”: “node bundle.js”.
  • [Domains] Exfiltration endpoint – webhook[.]site (used to collect stolen credentials).
  • [Binaries/Tools] Tools observed – trufflehog binary execution (command: trufflehog filesystem . --json --results=verified).
  • [Repository Names] Malicious or created GitHub repos – “Shai-Hulud”, repos with “-migration” suffix, and “s1ngularity-repository” (seen in prior related attacks).

Read more: https://www.sysdig.com/blog/shai-hulud-the-novel-self-replicating-worm-infecting-hundreds-of-npm-packages