Koi Security Warns of Massive Shai-Hulud Malware Campaign Targeting npm Packages
Koi Security has revealed a significant security breach, dubbed the Shai-Hulud malware campaign, affecting hundreds of npm packages. The campaign, distinct from a September incident, has compromised popular libraries like @ctrl/tinycolor and packages maintained by security firm CrowdStrike.
The malware, a worm, spreads autonomously from package to package. It injects a script that harvests credentials and ensures persistence. Targets include npm tokens, GitHub credentials, and cloud access keys. The campaign uses TruffleHog to scan for secrets and writes a hidden GitHub Actions workflow for long-term access.
Malicious versions of affected packages, including @ctrl/tinycolor, were published with a large obfuscated script that executes during installation. StepSecurity has published indicators of compromise and a technical breakdown of the malware's spread and response methods. Koi Security is updating its blog post with a list of compromised npm packages.
The Shai-Hulud campaign is the largest and most dangerous npm supply-chain compromise to date. It has impacted numerous packages and maintainers, including security firms. The malware's autonomous spread and credential harvesting pose significant threats. Security teams are advised to monitor for the published indicators of compromise and to act on the latest lists of affected packages as they are updated.
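As an added illustration of a defender-side check for the two behaviours the article describes (an install-time lifecycle hook that runs a large, obfuscated script, and a GitHub Actions workflow file shipped where none belongs), the following example is not from the article, Koi Security, StepSecurity or any package vendor; the size threshold, the tarball layout and the sample package contents are assumptions chosen for the demonstration.

```javascript
// Heuristic audit of an npm package's contents for install-hook abuse and
// stray workflow files. Example code, not taken from any vendor's tooling.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const LARGE_SCRIPT_BYTES = 100000; // assumed threshold; tune to your own baseline

// Cheap obfuscation heuristics: very long lines, dense hex escapes, eval-style
// execution of strings. None is proof alone; together they justify a review.
function looksObfuscated(src) {
  const longestLine = src.split("\n").reduce((m, l) => Math.max(m, l.length), 0);
  const hexEscapes = (src.match(/\\x[0-9a-f]{2}/gi) || []).length;
  const dynEval = /\b(eval|Function)\s*\(/.test(src);
  return longestLine > 1000 || hexEscapes / src.length > 0.01 || dynEval;
}

// `files` maps tarball paths (assumed "package/<path>" layout) to contents.
function auditNpmPackage(pkgJson, files) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push(`${hook} hook present: ${scripts[hook]}`);
    // Resolve "node foo.js"-style hooks to a file shipped in the tarball.
    const m = scripts[hook].match(/node\s+([\w./-]+\.js)/);
    const path = m && `package/${m[1].replace(/^\.\//, "")}`;
    const src = path && files[path];
    if (!src) continue;
    if (src.length > LARGE_SCRIPT_BYTES)
      findings.push(`${path} is ${src.length} bytes, unusually large for an install hook`);
    if (looksObfuscated(src)) findings.push(`${path} shows obfuscation indicators`);
  }
  // A published package has no business carrying CI workflow definitions.
  for (const path of Object.keys(files)) {
    if (path.includes(".github/workflows/"))
      findings.push(`workflow file shipped inside package: ${path}`);
  }
  return findings;
}

// Constructed sample inputs, not real package contents.
const benign = auditNpmPackage(
  { name: "example-benign", scripts: { test: "node test.js" } },
  { "package/index.js": "module.exports = (s, n) => s.padStart(n);\n" }
);
const suspicious = auditNpmPackage(
  { name: "example-suspect", scripts: { postinstall: "node setup.js" } },
  {
    "package/setup.js":
      "var _0x1=['\\x68\\x65\\x6c\\x6c\\x6f'];" + "a".repeat(120000) + ";eval(_0x1[0]);",
    "package/.github/workflows/example.yml": "on: push\n",
  }
);
```

Run it against an unpacked tarball by reading `package.json` and the file list from the extracted directory; every finding is a prompt for manual review, not a verdict.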