A self-replicating worm has infected at least 187 software packages on the JavaScript repository NPM, stealing credentials from developers and publishing them on GitHub. The malware, dubbed Shai-Hulud, spreads by modifying popular packages and creating new versions that include its code.
What Happened
The Shai-Hulud worm emerged just days after a phishing campaign spoofed NPM and asked developers to update their multi-factor authentication login options. That attack led to malware being inserted into at least two dozen NPM code packages, but the outbreak was quickly contained and focused on siphoning cryptocurrency payments.
In late August, another compromise of an NPM developer resulted in malware being added to "nx," an open-source code development toolkit with as many as six million weekly downloads. The attackers introduced code that scoured the user's device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys.
However, instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim's GitHub account and published the stolen data there for all to see. This attack did not self-propagate like a worm, but Shai-Hulud does, bundling reconnaissance tools to assist in its spread.
Background and Context
NPM (Node Package Manager) is a central hub for JavaScript development, providing the latest updates to widely used JavaScript components. The repository acts as a trusted source of code libraries, making it an attractive target for attackers looking to compromise developer credentials.
Charlie Eriksen, a researcher for the Belgian security firm Aikido, explained that when a developer installs a compromised package, the malware will look for an npm token in the environment. If it finds one, it will modify the 20 most popular packages that the npm token has access to, copying itself into each package and publishing a new version.
This creates a cascading effect: an infected package leads to compromised maintainer credentials, which in turn infect all other packages maintained by that user. The Shai-Hulud worm uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer's machine, then attempts to create new GitHub Actions workflows and publish any stolen secrets.
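Two defender-side checks that follow from the mechanism above, written as an added example (not code from the article, Aikido or NPM): list which installed dependencies run code at install time, where a worm carried in a new package version must execute, and report whether an npm publish token is readable from that context. The node_modules tree, package names and token value are constructed sample data; the environment variable names and .npmrc key are the ones npm itself uses.

```python
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
TOKEN_LINE = re.compile(r"_authToken\s*=\s*(\S+)")

def install_hooks(node_modules):
    """Map each installed package to the lifecycle scripts it runs at install time."""
    found = {}
    for pkg_json in Path(node_modules).rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or non-JSON file: skip, do not crash the audit
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            found[meta.get("name", pkg_json.parent.name)] = hooks
    return found

def exposed_npm_tokens(env, npmrc_text):
    """List where a publish token is readable by install-time code:
    CI environment variables and literal (non-${VAR}) tokens in .npmrc."""
    places = [f"env:{v}" for v in ("NPM_TOKEN", "NODE_AUTH_TOKEN") if env.get(v)]
    for line in npmrc_text.splitlines():
        m = TOKEN_LINE.search(line)
        if m and not m.group(1).startswith("${"):
            places.append("npmrc:" + line.strip())
    return places

def build_sample_tree(root):
    """Constructed node_modules: one clean package, one with a postinstall hook."""
    pkgs = {"sample-clean-dep": {"test": "node test.js"},
            "sample-hooked-dep": {"postinstall": "node setup.js"}}
    for name, scripts in pkgs.items():
        d = Path(root) / "node_modules" / name
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"name": name, "scripts": scripts}))
    return Path(root) / "node_modules"

def audit_sample():
    """Run both checks against the constructed data; no real project is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        hooks = install_hooks(build_sample_tree(tmp))
    tokens = exposed_npm_tokens({"NPM_TOKEN": "npm_constructed_example"},
                                "//registry.npmjs.org/:_authToken=npm_constructed_example\n")
    return hooks, tokens
```

Any package that shows up in the first check deserves review before it is allowed to run, and a token that shows up in the second is exactly what the worm reads to publish itself into the 20 most popular packages it can reach; keeping publish tokens out of install-time environments removes that step.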
Why It Matters to the Industry
The Shai-Hulud worm poses a significant threat to developers and platform operators in the adult industry. With the ability to steal credentials and publish them on GitHub, attackers can gain access to sensitive information and compromise entire systems.
The malware's use of reconnaissance tools like TruffleHog also makes it difficult for developers to detect and contain the spread of Shai-Hulud. This highlights the need for robust security measures and regular updates to ensure that code libraries are secure and up-to-date.
Nicholas Weaver, a researcher with the International Computer Science Institute, warned that NPM (and all similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method. This would effectively throttle attacks like Shai-Hulud before they can spread.
What Comes Next
The Shai-Hulud worm is still propagating, although its spread seems to have waned in recent hours. Charlie Eriksen warned that the attack could restart at any time, especially if a super-spreader attack occurs.
NPM has taken steps to contain the outbreak, but the incident highlights the need for developers and platform operators to be vigilant about security threats. Regular updates, secure code libraries, and robust security measures are essential in preventing attacks like Shai-Hulud from spreading.
Key Facts
- The Shai-Hulud worm has infected at least 187 software packages on NPM.
- The malware steals credentials from developers and publishes them on GitHub.
- Shai-Hulud spreads by modifying popular packages and creating new versions that include its code.
- The worm uses the open-source tool TruffleHog to search for exposed credentials and access tokens.
- Nicholas Weaver recommends switching to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.