New Shai-Hulud Worm Threat Emerges in npm and GitHub
A new variant of the notorious Shai-Hulud credentials-stealing worm is rapidly spreading through the npm registry and GitHub repositories. Developers relying on these platforms are urged to stay vigilant as the threat escalates. Researchers from Wiz Inc. reported early last week that during the initial phase of this campaign, approximately 1,000 new GitHub repositories containing stolen victim data were being created every 30 minutes. Meanwhile, JFrog has identified 181 compromised npm packages involved in this campaign.
Details of the New Shai-Hulud Variant
The latest version, dubbed Shai-Hulud 2.0 by Wiz researchers, runs its malicious code from the package's preinstall lifecycle hook, so the payload executes as soon as `npm install` resolves a trojanized version, before any of the package's own code is imported or used. That puts every developer workstation, CI runner and container build that pulls the dependency at risk, not only systems that call the package at runtime. The malware is distributed through hijacked maintainer accounts, which are used to publish trojanized versions of legitimate npm packages. Once it runs, it harvests developer and CI/CD secrets, including the npm and GitHub tokens it needs to spread, and exfiltrates them to newly created GitHub repositories; it then uses any npm publish token it finds to inject the same payload into every package the victim maintains, which is how it propagates as a worm.
Threat actors can use the stolen secrets to move further into victim environments and deploy additional malware. JFrog notes that this variant uses randomized repository names for exfiltration, which makes the repositories harder to find and take down than the predictably named ones of the first wave. The payload also adds privilege escalation, DNS hijacking, and deletion of data from compromised machines. Packages from Zapier, ENS Domains, PostHog, and Postman are among those affected.
Impact and Notable Compromised Packages
Researchers at ReversingLabs highlighted that the list of compromised packages includes high-profile ones such as @asyncapi/specs, which has over 100 million lifetime downloads and averages 1.4 million downloads a week. That package is believed to be the initial infected component, the ‘patient zero’, of this wave of attacks.
The current campaign is expanding rapidly, and the second wave is larger and more aggressive than the first. The payload is now split into two new files: setup_bun.js, launched from the preinstall hook, fetches the Bun JavaScript runtime and uses it to execute bun_environment.js, the heavily obfuscated main payload. Johannes Ullrich of the SANS Institute emphasized that this re-emergence signals a persistent threat to the npm ecosystem. He urged security teams and CSOs to monitor dependencies closely and to harden their CI/CD pipelines so that a trojanized dependency cannot execute code at install time or reach pipeline secrets.
First detected in September, the original Shai-Hulud attack compromised dozens of npm libraries, including a popular color library with over 2 million weekly downloads. Wiz’s threat researcher, Merav Bar, described the initial wave as one of the most severe JavaScript supply chain attacks seen to date. The new wave is reportedly larger and faster, with over 25,000 attacker-created repositories involved so far.