At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.
Image: https://en.wikipedia.org/wiki/Sandworm_(Dune)
The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.”
“When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm Aikido. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.”
At the center of this developing maelstrom are code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.
The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.
Image: aikido.dev
In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.
Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets.
“Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.
The security-focused code development platform socket.dev reports the Shai-Halud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.
In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.
“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.”
A writeup on the attack from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.
StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account.
“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote.
Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.
“I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”
For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.
“Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”
ts so fye
““Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”
Even a dummy like me could’ve figured that out.
I would expect such stupid comment from a “Wannabe Techguy”
Good luck ever get past the “Wannabe” stage chief….
To Actual_Tech_Guy: Rude comment, why so rude? Lack of coffee? @$$hole?
Wannabe Techguy has a point, it all depends on your organization’s risk tolerance.
I bet OP is a CTO with a good sense of humor, and you have merely dunked on yourself with your rudeness.
Having never been a CTO, but having been a consultant for decades, it’s difficult to hypothesize why you believe that this comment is a good idea, but regardless…
This guy posts here a lot. Doesn’t make him a friend. He may as well be a defunct programming language from the frigging 90s, for all the good it’d do. Though I guess people still use that language to do ‘trampolines’ (somewhat illegitimate if you ask me)… The other place I’ve seen bugs like this proliferate.
Whatever. A lot of places do still use some form of encryption-based infrastructure to automate things.
Your username brought me joy
What is the scope of the infection. For example, does this malware affect end users, just the developers, or both?
the title is redundant – worms are, by definition, self-replicating…
hohoho
If developers are getting phished and spoofed, what hope for normal end users?
developers are idiots tbh desu
“No way to prevent this” says users of only package ecosystem where this regularly happens.
Hey Brian,
I’ve been wondering, what are the legal obligations on the part of, eg, GitHub, GitLab, Reddit, etc? Can publicly traded companies being used to propagate worm-like (this is worm-like, not precisely a worm, if I am reading correctly; doesn’t really matter, though, I guess) be legally pursued/sued by ‘victim companies’ for supporting this? I mean, moreso than the pastebin type stuff being used a decade or two ago to grab configurations for crappy little bots and stuff (afaik, not public)? Clearly there is profit being made by actors other than the promulgators of this worm, even if they don’t necessary want that activity on their servers.
Thanks.
>CrowdStrike
Isn’t this the same vendor with connections in three-letter agencies that bricked millions of Windows-based computers worldwide about a year ago due to a bug in its “anti-virus” software? The hillarious case when banks and airports went offline for a day or so?
They werent bricked, they needed a reboot, thats it. Still a major pain, but theres a reason the criminals are targeting Crowdstrike, because Crowdstrike is a major thorn in their side.
Effectively they were bricked. A reboot wasn’t enough; they had to reboot the computer in Safe Mode as administrator to fix the broken driver. But many people around the world work on computers with blocked administrator access due to security policies, and if they work remotely, they’re out of luck, as administrators would need to be on-site to fix the problem.
I can only imagine the kind of housewife-level circus going on at CrowdStrike if they allow such incidents to occur. I’m willing to bet that with such incompetence, their software won’t work against real threats.
What do you think about this? Let me know your opinion via mail to assad-mossad@crowdstrike.com
“they had to reboot the computer in Safe Mode as administrator to fix the broken driver”
perhaps we have different definitions of “bricked” really
Did banks, hospitals and airports go offline for a day (in some cases for a few days) or no?
Okay, let’s say they were not “bricked”, FartStrike just accidentally committed attack on US critical infrastructure. I hope it sounds more plausible to you.
I’m just saying bricked means something else.
You do not fix bricked by pressing f8.
Our researchers at ReversingLabs did their own post on this: https://www.reversinglabs.com/blog/shai-hulud-worm-npm
Regarding the worry of doing auto-update, there are a few considerations to add to the balance:
1- We are talking about NPN packages, that usually require a pipeline to: (a) download the last version, (b) re-package or re-compile the code, (c) re-test, (d) Run the AppSec SAST/SCA tools, (e) create tickets to fix new H/C vulnerabilities, (f) deploy in nightly releases, (g) get feedback, (h) and sign-of before pushing to (i) production. Infected systems are the ones NOT following the process (that can be partially automated, but not sign-of part!!!). So think of this worm as a “thermometer” for bad SDLC practices, in case you are afraid of it, go check your SDLC first…
2- Long ago, running auto-update could break a lot of things… back on the 90’s era, when we had too many custom drivers installed on either OS’s (Win and Linux), and updates used to break lots of integrations, (and printers stop working again!?!).nowadays integrations are much more controlled, and running updates ASAP is recommended. Remember there are also day-1 exploits (created by reverse engineering the vulnerable code, compared to the fixed version) that makes it risky to keep using vulnerable versions of libraries and software.
3- Please Implement MFA everywhere. I know people don’t like it, that’s why you should mandate it by policy and system controls! Seriously, you may trust a person, but never that person machine! MFA can stop automations to run wild and improve a lot the security. And if you need a fully automation, create a system-to-system account, limit it’s use and monitor it. Integrations with MFA using phones as something you have are so easy and seamless to implement. No excuses. Seriously!
This is one of the most sensible comments I have read on this site for awhile. Thank you.
I generally agree but the problem is that even in your scenario of a proper SDLC the SCA/SAST check will likely pass without raising any errors for a worm infected package—until the attack is discovered. Then I would expect SCA etc to alert on it.