Self-Replicating Shai-Hulud Worm Spreads Token-Stealing Malware on npm
Summary:
On September 15, ReversingLabs researchers discovered the Shai-hulud worm on the npm open-source registry, a self-replicating piece of malware that compromises npm accounts. This worm spreads by injecting its malicious code into legitimate public and private npm packages maintained by the compromised developer accounts. It has been found in hundreds of npm packages, including popular ones with millions of combined weekly downloads like ngx-bootstrap, ng2-file-upload, and @ctrl/tinycolor. As of this morning, over 40 developer accounts have been compromised and over 700 malicious package versions have been published to the npm registry. When the activity was flagged on September 15th, approximately 50 malicious package versions had been published, highlighting the speed of this malware’s self-propagation.
The worm functions by searching for other packages maintained by a compromised npm developer account, then publishing a new version of each package with its malicious code injected: a JavaScript file named bundle.js, wired in as a postinstall script that executes when an unsuspecting user installs the compromised package. This is how the worm spreads to new developers and their packages. Shai-hulud steals developer secrets, primarily npm, GitHub, AWS, and GCP tokens. The stolen tokens and data are exfiltrated to newly created GitHub repositories named "Shai-Hulud" or to a new branch named "shai-hulud." The malware also attempts to make private GitHub repositories public. The initial compromise is not yet known, but its techniques are similar to the Nx compromise from late August, with both campaigns targeting popular open-source packages and leveraging stolen GitHub accounts to receive exfiltrated data.
Security Officer Comments:
The Shai-hulud worm represents a significant incident in the open-source software supply chain because of the speed at which it self-replicates, essentially automatically. This makes the attack surface incredibly wide and the outbreak difficult to contain. Even security vendors were affected: the Shai-hulud worm infected multiple npm packages maintained by CrowdStrike. Because the worm steals credentials and exposes proprietary code, essentially gaining the "keys to the kingdom", it is far more impactful than previous, less sophisticated attacks like SoBig, WannaCry and NotPetya, which spread by targeting remotely exploitable vulnerabilities in software. The deployment of TruffleHog, an open-source tool that can detect more than 800 different types of secrets, following the worm's installation further reinforces the malware's sophisticated nature. Open-source platforms like npm are promising targets for spreading malware at the speed of continuous integration/continuous delivery (CI/CD).
Suggested Corrections:
IOCs are available here.
Recommendations from ReversingLabs:
To check whether your organization is infected or your cloud accounts were compromised, review your public GitHub account for suspicious activity such as the sudden appearance of repositories you did not publish. Another tell-tale sign is any of your repositories suddenly changing visibility from private to public.
Look at your user account activity on your profile page, using these steps:
- Look for new repositories that have the following description: Shai-Hulud Migration.
- Look for newly created branches that are named: shai-hulud.
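The manual review above can be turned into a repeatable check. The following script is an added example written for this summary, not ReversingLabs code; it audits a snapshot of an account's repositories and branches for the three indicators named here (a repository named Shai-Hulud or described as "Shai-Hulud Migration", a branch named shai-hulud, and a repository that was private in an earlier baseline but is now public). The record shape follows the repository fields GitHub's REST API returns (full_name, name, description, private, visibility), but the SAMPLE_SNAPSHOT and SAMPLE_BASELINE data are constructed for the demonstration; in practice you would feed it the JSON from a live listing and a baseline exported before the incident.

```javascript
// Added example (not from ReversingLabs): flag the GitHub-side indicators the
// advisory lists, over an account snapshot. Data below is constructed.
const REPO_NAME_IOC = 'shai-hulud';
const REPO_DESC_IOC = 'shai-hulud migration';
const BRANCH_IOC = 'shai-hulud';

// Normalise for case-insensitive comparison; non-strings become ''.
const norm = (s) => (typeof s === 'string' ? s.trim().toLowerCase() : '');

// snapshot: { repos: [{ full_name, name, description, private, visibility }],
//             branches: { 'owner/repo': ['main', ...] } }
// baseline: { privateRepos: ['owner/repo', ...] } recorded before the incident.
// Returns one finding per indicator hit, so a single repo may appear twice.
function auditGitHubAccount(snapshot, baseline) {
  const findings = [];
  const wasPrivate = new Set((baseline.privateRepos || []).map(norm));
  for (const repo of snapshot.repos) {
    const full = repo.full_name;
    if (norm(repo.name) === REPO_NAME_IOC) {
      findings.push({ repo: full, indicator: 'repository named Shai-Hulud' });
    }
    if (norm(repo.description) === REPO_DESC_IOC) {
      findings.push({ repo: full, indicator: 'description "Shai-Hulud Migration"' });
    }
    // Visibility flip: private in the baseline, public now.
    const nowPublic = repo.private === false || norm(repo.visibility) === 'public';
    if (nowPublic && wasPrivate.has(norm(full))) {
      findings.push({ repo: full, indicator: 'visibility changed from private to public' });
    }
    for (const branch of snapshot.branches[full] || []) {
      if (norm(branch) === BRANCH_IOC) {
        findings.push({ repo: full, indicator: `branch named ${branch}` });
      }
    }
  }
  return findings;
}

// Constructed sample (hypothetical org "acme"): a clean private repo, an
// exfiltration-style repo, a repo flipped to public, and a branch hit.
const SAMPLE_SNAPSHOT = {
  repos: [
    { full_name: 'acme/web-app', name: 'web-app', description: 'Frontend', private: true, visibility: 'private' },
    { full_name: 'acme/Shai-Hulud', name: 'Shai-Hulud', description: 'Shai-Hulud Migration', private: false, visibility: 'public' },
    { full_name: 'acme/internal-tools', name: 'internal-tools', description: 'Internal scripts', private: false, visibility: 'public' },
    { full_name: 'acme/cli', name: 'cli', description: 'Command line', private: false, visibility: 'public' },
  ],
  branches: {
    'acme/web-app': ['main', 'feature/login'],
    'acme/Shai-Hulud': ['main'],
    'acme/internal-tools': ['main'],
    'acme/cli': ['main', 'shai-hulud'],
  },
};
const SAMPLE_BASELINE = { privateRepos: ['acme/web-app', 'acme/internal-tools'] };

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditGitHubAccount(SAMPLE_SNAPSHOT, SAMPLE_BASELINE)) {
    console.log(`${f.repo}: ${f.indicator}`);
  }
}
```

The baseline comparison is what catches the "private to public" case; without a record of which repositories used to be private, a public repo looks normal, so export the repository list periodically and keep it outside the account being audited.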
You can also check package versions for npm packages you are maintaining using RL’s free Spectra Assure Community website. The RL threat research team is diligently reviewing all published npm packages and applying the analyst-vetted malware label to confirm that the package has been infected.
Link(s):
https://www.reversinglabs.com/blog/shai-hulud-worm-npm