Over 300 npm packages attacked by self-replicating worm – Serious security warning
Over 300 npm packages, including tinycolor and CrowdStrike packages, have been infected by the self-replicating worm Shai-Hulud. Learn how it works, which packages are affected, and what you can do to protect your projects.
The programming community was shocked when it was discovered that the tinycolor package – a hugely popular color-manipulation library on npm with over 2 million downloads per week – had been compromised, along with over 40 other packages. The incident did not stop there: researchers at Socket have since announced that a self-propagating worm has infected over 300 npm packages.
How it spreads
The attackers inserted a malicious function called NpmModule.updatePackage into the compromised libraries. This function automates the entire infection process:
- Download the tarball of the target package.
- Edit the package.json file.
- Inject the malicious script bundle.js.
- Repackage it, then publish it to npm with the stolen token.
In addition, the worm searches the environment for variables such as NPM_TOKEN to obtain publishing credentials, and uses them to spread to other packages maintained by the same account.
CrowdStrike was also affected.
According to Socket, CrowdStrike's npm account was also compromised, infecting many of its packages with malicious code. CrowdStrike has since removed the affected packages and changed all login credentials.
The campaign has been dubbed Shai-Hulud – inspired by the giant sandworm from the science fiction novel Dune. The name comes from the malware's workflow files, which are named shai-hulud.yaml.
The attack payload is considered quite sophisticated. It uses TruffleHog – a legitimate secret-scanning tool – to find and validate credentials before exfiltrating them to the attacker's server via a webhook.
Some prominent infected packages include:
- @ctrl/tinycolor
- ngx-toastr
- @crowdstrike/glide-core
- angulartics2
- eslint-config-crowdstrike
- @nativescript-community/ui-collectionview
If affected, remove the malicious package immediately:
npm uninstall
Pin a known-safe version until a patch is available:
npm install
In addition, rotate all credentials on the affected system, because the worm is capable of stealing sensitive data, including: npm tokens, GitHub Personal Access Tokens and Actions secrets, SSH keys, cloud credentials (AWS, Google Cloud, Azure), API keys, database connection strings, and secrets stored in AWS Secrets Manager and similar services.
Share by Marvin Fry