Shai-Hulud keeps burrowing: 314 npm packages infected after another account compromise
SafeDep said the attacker used a stolen token to publish 630 malicious versions across 317 packages, stealing credentials and spreading malware downstream.
- On Tuesday, an npm account compromise infected 314 packages with malware in a 22-minute burst of activity. The breach affected popular libraries including size-sensor and those scoped to @antv.
- Researchers dubbed this attack 'Mini Shai-Hulud,' noting it follows a wider campaign targeting open source projects. The malware leverages code recently leaked on GitHub by the TeamPCP threat group.
- The malware scans developer machines for GitHub and npm credentials, along with cloud platform secrets. Stolen data is exfiltrated via the Session P2P network to evade detection.
- Cybersecurity firms advise developers who installed compromised packages to rotate all credentials immediately and check for unauthorized GitHub repositories. Removing malicious systemd services on Linux is also recommended.
- While npm remains the primary target, other repositories like PyPI and Composer face similar risks from ongoing Shai-Hulud campaigns. Despite past security plans, these registry attacks continue threatening software ecosystems globally.
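One concrete step behind the "check whether you installed a compromised package" advice is to scan a project's lockfile against the package list an advisory publishes. The script below is an added example, not code from any of the outlets or vendors named in this summary; it assumes a lockfileVersion 2/3 `package-lock.json` (whose `packages` map is keyed by `node_modules/...` paths), and its affected list is constructed for the demo: the summary names `size-sensor` and the `@antv` scope but no versions, so every version string here is a placeholder, not a real indicator.

```python
"""Scan an npm package-lock.json for packages on an affected list.

Added example: not from the article or any vendor it cites. Assumes a
lockfileVersion 2/3 package-lock.json. The affected list is CONSTRUCTED
(the page gives names/scopes but no versions, so versions are placeholders).
"""
import json
import sys
from typing import Dict, List, Optional, Set, Tuple

# Constructed affected list: name -> exact versions, or None meaning any version.
AFFECTED: Dict[str, Optional[Set[str]]] = {
    "size-sensor": {"0.0.0-PLACEHOLDER"},  # placeholder version, not a real IoC
}
# Scopes named in the summary; anything installed from them gets flagged for review.
AFFECTED_SCOPES = {"@antv"}

# Constructed sample lockfile used when no path is given on the command line.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/size-sensor": {"version": "0.0.0-PLACEHOLDER"},
        "node_modules/@antv/placeholder-chart": {"version": "9.9.9"},
        "node_modules/lodash": {"version": "4.17.21"},
        # nested copy at a version NOT on the affected list: must not be flagged
        "node_modules/foo/node_modules/size-sensor": {"version": "1.0.0"},
    },
}


def package_name(lock_key: str) -> str:
    """Extract the package name from a lockfile key.

    'node_modules/a/node_modules/@scope/b' -> '@scope/b'; the root entry ""
    has no node_modules prefix and yields "".
    """
    marker = "node_modules/"
    idx = lock_key.rfind(marker)
    if idx == -1:
        return ""
    return lock_key[idx + len(marker):]


def scan_lock(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) for each installed package that matches.

    Exact name+version matches are reported as affected; packages merely in an
    affected scope are reported for manual verification against the advisory.
    """
    hits: List[Tuple[str, str, str]] = []
    for key, entry in lock.get("packages", {}).items():
        name = package_name(key)
        if not name:
            continue
        version = entry.get("version", "?")
        if name in AFFECTED:
            versions = AFFECTED[name]
            if versions is None or version in versions:
                hits.append((name, version, "listed affected version"))
                continue
        if name.split("/")[0] in AFFECTED_SCOPES:
            hits.append((name, version, "affected scope; verify against advisory"))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock_data = json.load(fh)
    else:
        lock_data = SAMPLE_LOCK
    for name, version, reason in scan_lock(lock_data):
        print(f"{name}@{version}: {reason}")
```

Run it as `python scan_lock.py path/to/package-lock.json`, after replacing the placeholder entries with the names and versions from the advisory you are acting on; a hit on an exact version is the signal to rotate credentials, while a scope-only hit is a prompt to check the version before deciding.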
16 Articles
Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack
The attacks are part of a wider campaign known as Mini Shai-Hulud, which has already compromised several open source projects and, in turn, developers and companies that use them.
Mini Shai-Hulud returns, compromising hundreds of npm packages
A self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, this time embedding itself across hundreds of npm packages. The threat actor behind it, identified as TeamPCP, has been linked to earlier waves of the same campaign, and this latest variant is more capable than the earlier ones. Researchers analyzing the payload found a worm that spreads autonomously, installs persistent backdoors at the operating system level, and is speci…
🚨 The npm attack put 16 million downloads at risk. 🎯 The malware hides in IDEs using AI assistants, reinfecting them with each startup. 🧐 The stolen data is exported encrypted via the GitHub API, making it undetectable. ⚡ Critical situation: The supply chain attack is only...
After supply chain attacks by the Mini Shai-Hulud worm, NPM enforces a platform-wide token reset for all automated workflows. The software repository NPM (Node Package Manager) has taken an extraordinary security measure and forced a platform-wide reset of security tokens. The VW subsidiary GitHub, owner of NPM, is reacting to an aggressive wave of attacks on the software supply chain. A sophisticated, self-replicating worm has…
Coverage Details
Bias Distribution
- 100% of the sources are Center