CISA Warns of Shai-Hulud Self-Replicating Worm Compromised 500+ Packages in npm Registry
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
CISA has issued an urgent security Alert in response to a large-scale software supply chain attack<\/a> on npmjs.com, the world\u2019s largest JavaScript package registry.\u00a0<\/p>\n A self-replicating worm, dubbed Shai-Hulud, has infiltrated more than 500 npm packages and injected malicious code that aggressively spreads by abusing developer credentials and npm publish workflows.<\/p>\n After securing initial access presumably via a compromised maintainer account, Shai-Hulud<\/a> deploys a sophisticated payload that scans for sensitive credentials stored in environment variables and local configuration files.\u00a0<\/p>\n The malware targets GitHub Personal Access Tokens (PATs) and API keys for AWS, GCP, and Azure, exploiting common CI\/CD practices where tokens are inadvertently persisted.\u00a0<\/p>\n Once harvested, credentials are exfiltrated to an actor-controlled endpoint<\/a> and simultaneously uploaded to a public GitHub repository <\/a>named Shai-Hulud via the GitHub\/user\/repos API.<\/p>\n Shai-Hulud then uses an automated loop to authenticate to the npm registry with stolen tokens. Leveraging the npm CLI, it injects malicious JavaScript into the entry point file often index.js of other packages in the compromised developer\u2019s dependency tree.\u00a0<\/p>\n Following the injection, the worm executes\u2019 npm version patch && npm publish \u2013access public\u2019 to publish a trojanized version, thereby perpetuating its spread.\u00a0<\/p>\n The worm\u2019s self-replication mechanism exploits transitive dependencies: any project depending on one of the compromised packages can inadvertently become a new host.<\/p>\n CISA recommends<\/a> immediate action to detect and remediate this compromise:<\/p>\n Enhanced vigilance across the development pipeline is crucial to stem the worm\u2019s propagation and safeguard the integrity of the npm ecosystem.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post CISA Warns of Shai-Hulud Self-Replicating Worm Compromised 500+ Packages in npm Registry<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nSelf-Replicating npm Supply Chain Threat<\/strong><\/h2>\n
Mitigations<\/strong><\/h2>\n
\n