Self-propagating supply chain attack hits 187 npm packages

Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack with a malicious self-propagating payload to infect other packages.

The coordinated worm-style campaign, dubbed Shai-Hulud, started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads.

Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace.

Yesterday, Daniel Pereira, a senior backend software engineer, alerted the community to a large-scale software supply chain attack affecting the world's largest JavaScript registry, npmjs.com.

"There is a [sic] malware spreading live in npm as you read this," wrote the engineer, cautioning everyone to refrain from installing the latest versions of the @ctrl/tinycolor project.

Pereira had been trying to get GitHub's attention in the last 24 hours through more discreet channels to discuss the ongoing attack, as a lot of repos were targeted and disclosing the attack publicly could put people at risk.

"But contacting GitHub is too hard. For instance, secrets are being exposed in repos. This is serious," wrote the engineer.

Software supply chain security firm Socket began investigating the compromise and identified at least 40 packages that were compromised in this campaign. Today, both Socket and Aikido researchers have identified additional packages, bringing the count up to at least 187.

StepSecurity also published a technical breakdown with deobfuscated snippets and attack-flow diagrams, largely confirming Socket's initial findings.

Affected packages include several published by CrowdStrike's npmjs account, crowdstrike-publisher.

BleepingComputer reached out to the cybersecurity solutions provider for comment.

"After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries," a CrowdStrike spokesperson shared with BleepingComputer.
"These packages are not used in the Falcon sensor, the platform is not impacted, and customers remain protected. We are working with NPM and conducting a thorough investigation."

The compromised versions include a self-propagating mechanism that targets other packages by the same maintainer.

"The malware downloads each package by a maintainer, modifies its package.json, injects a bundle.js script (shown below), repacks the archive, and republishes it, thereby enabling automatic trojanization of downstream packages," as Socket researchers explained.

The bundle.js script makes use of TruffleHog, a legitimate secret scanner that can be used by developers and security professionals to find accidentally leaked sensitive information like API keys, passwords, and tokens within code repositories and other data sources.

The malicious script, however, abuses the tool to search the host for tokens and cloud credentials.

"It validates and uses developer and CI credentials, creates a GitHub Actions workflow inside repositories, and exfiltrates results to a hardcoded webhook (hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7)," explains Socket.

The name Shai-Hulud comes from the shai-hulud.yaml workflow files used by malware found in the compromised versions, and is a reference to the giant sandworms in Frank Herbert's Dune series.

"While not a unique reference, its presence reinforces that the attacker deliberately branded the campaign Shai-Hulud," stated Socket researchers Kush Pandya and Peter van der Zee today.

The malware found in additional packages identified today is identical to the previous strand that used bundle.js to

What makes this supply-chain attack stand out, beyond the popular packages it hit, is its timing.

The attack follows two high-profile supply chain attacks occurring in the same month.

The first week of September, AI-powered malware hit 2,180 GitHub accounts in what was dubbed the s1ngularity attack.

While the root cause of today's attack is still being investigated, practitioners including Pereira
hypothesize that today's attack may have been orchestrated by the attackers behind s1ngularity.

Earlier this month, maintainers of the popular chalk and debug npm packages also fell victim to phishing in a separate attack, leading to their projects being compromised.

The ripple effects of these attacks extend deep into the dependency chain, potentially impacting widely used projects such as Google Gemini CLI, which released a statement over the weekend.

"We want to be clear: The Gemini CLI source code itself was not compromised and our servers remain secure," wrote Ryan J. Salva, Google's Senior Director of Product Management.

"However, this incident may have affected users who installed or updated the Gemini CLI during the attack window using the NPM installation method. We are providing details on the incident, clarifying who is impacted, and outlining the steps users should take to ensure their systems are secure."

These ongoing attacks demonstrate the fragility of the modern software supply chain, where a single malicious pull request or compromised maintainer account can ripple out to hundreds of projects.

While vendors like Google and CrowdStrike stress their core platforms remain secure, the incident underscores the urgent need for developers to safeguard their software builds and pipelines.

Affected users should audit their environments and logs for signs of compromise, rotate all secrets and CI/CD tokens, and review dependency trees for malicious versions. Pinning dependencies to trusted releases and limiting the scope of publishing credentials remain critical steps to reduce exposure to package-level compromises.

What's it going to take to shake up GitHub to get them to respond to responsible disclosures more promptly?
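The following Node.js script is an added example, not code from the article, from Socket, Aikido or StepSecurity, or from any affected project. It turns the indicators Socket describes above (an injected bundle.js, a modified package.json, TruffleHog use, the webhook.site endpoint and the shai-hulud.yaml workflow) and the article's closing advice (review dependency trees for malicious versions, pin to trusted releases) into offline checks over in-memory copies of a package's files, a package-lock.json and a project manifest. Its assumptions, labelled again in the code: that the package.json modification wires bundle.js into an npm install-time lifecycle script, that package-lock.json uses the lockfileVersion 2/3 layout, and a known-bad version list that is a placeholder rather than the real compromised-version list. Every package name and sample file is constructed.

```javascript
// Added example: local audit for the Shai-Hulud indicators and dependency
// hygiene described in the article. Not code from the article, Socket,
// StepSecurity or any affected project. Everything runs offline on in-memory
// objects; in practice load them with fs.readFileSync + JSON.parse.

// Assumption: the package.json modification wires bundle.js into one of
// npm's install-time lifecycle scripts.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Exfiltration endpoint quoted by Socket in the article (defanged there as hxxps).
const EXFIL_PATH = 'webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7';
// Placeholder, NOT the real compromised-version list: take that from the
// Socket, Aikido or StepSecurity advisories. The package name is constructed.
const KNOWN_BAD = { '@example/tinycolor-like': ['4.1.1', '4.1.2'] };
// Exact semver only; ^, ~, *, x-ranges, dist-tags and URLs all fail this test.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Scan one unpacked package; files maps relative path -> file content.
function scanPackageFiles(files) {
  const findings = [];
  let manifest = {};
  try { manifest = JSON.parse(files['package.json'] || '{}'); }
  catch (e) { findings.push('package.json does not parse'); }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd === 'string' && /\bbundle\.js\b/.test(cmd)) {
      findings.push(`${hook} script runs bundle.js: ${cmd}`);
    }
  }
  for (const [path, src] of Object.entries(files)) {
    if (/(^|\/)\.github\/workflows\/shai-hulud\.ya?ml$/i.test(path)) {
      findings.push(`workflow file ${path} present`);
    }
    if (!/(^|\/)bundle\.js$/.test(path)) continue;
    if (/trufflehog/i.test(src)) findings.push(`${path} references TruffleHog`);
    if (src.includes(EXFIL_PATH)) findings.push(`${path} contains the webhook.site exfil URL from the report`);
    else if (/webhook\.site\//i.test(src)) findings.push(`${path} contains a webhook.site URL`);
    if (/shai-hulud\.ya?ml/i.test(src)) findings.push(`${path} references a shai-hulud workflow`);
  }
  return findings;
}

// package-lock.json (lockfileVersion 2 or 3) keys packages by install path;
// "" is the project itself and nested copies keep only their last segment.
function lockedPackages(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const i = path.lastIndexOf('node_modules/');
    const name = i >= 0 ? path.slice(i + 'node_modules/'.length) : (entry.name || path);
    out.push({ path, name, version: entry.version });
  }
  return out;
}

// Every installed copy (nested ones included) whose version is on the bad list.
function auditLock(lock, knownBad) {
  return lockedPackages(lock)
    .filter(p => (knownBad[p.name] || []).includes(p.version))
    .map(p => `${p.name}@${p.version} at ${p.path}`);
}

// Dependency specs that would let a future "npm install" pull a newer release.
function unpinnedSpecs(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push(`${field}.${name}: "${spec}"`);
    }
  }
  return out;
}

// Constructed samples: a package trojanized the way the article describes,
// a clean one, a lockfile and a project manifest. None of this is real data.
const TROJANIZED = {
  'package.json': JSON.stringify({ name: 'example-lib', version: '1.0.1',
    scripts: { postinstall: 'node bundle.js', test: 'node test.js' } }),
  'index.js': 'module.exports = () => 42;\n',
  'bundle.js': 'const scanner = "trufflehog"; const out = "hxxps://' + EXFIL_PATH +
    '"; const wf = ".github/workflows/shai-hulud.yaml";',
};
const CLEAN = { 'package.json': JSON.stringify({ name: 'example-lib', version: '1.0.0' }),
  'index.js': 'module.exports = () => 42;\n' };
const LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app' },
  'node_modules/@example/tinycolor-like': { version: '4.1.2' },
  'node_modules/left-pad-like': { version: '1.3.0' },
  'node_modules/left-pad-like/node_modules/@example/tinycolor-like': { version: '4.0.0' },
} };
const APP_MANIFEST = {
  dependencies: { '@example/tinycolor-like': '^4.1.0', 'left-pad-like': '1.3.0' },
  devDependencies: { 'test-runner-like': 'latest' },
};

function report() {
  return {
    trojanized: scanPackageFiles(TROJANIZED),
    clean: scanPackageFiles(CLEAN),
    badVersionsInstalled: auditLock(LOCK, KNOWN_BAD),
    unpinned: unpinnedSpecs(APP_MANIFEST),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

To use it on a real project, replace the constructed objects with the contents of an extracted tarball, the project's package-lock.json and its package.json. Two caveats: many legitimate packages ship a file named bundle.js, so the scanner treats it as evidence only when an install hook runs it or it carries the strings from the report, and the version list must come from the vendor advisories, not from this placeholder. Installing with npm's ignore-scripts setting blocks the install-time hook this check assumes, but it leaves the malicious code in the tree, so the audit is still needed.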
"Yesterday, Daniel Pereira, a senior backend software engineer, alerted the community to a large-scale software supply chain attack." So that was the 15th. I knew about this on the 8th.

Copyright 2003-2025 Bleeping Computer LLC. All Rights Reserved.