The programming community was shocked when it was discovered that the tinycolor package – a hugely popular color manipulation library on npm (over 2 million downloads per week) – had been hacked, taking down over 40 other packages. However, the incident did not stop there: researchers at Socket have just announced that a self-propagating worm has infected over 300 npm packages.
How it spreads
The attackers inserted a malicious function called NpmModule.updatePackage into the compromised libraries. This function automates the entire infection process:
- Download the tarball of the target package.
- Edit the package.json file .
- Inject the malicious script bundle.js .
- Repackage it, then publish it to npm with the stolen token.
In addition, this worm also has the behavior of searching for environment variables such as NPM_TOKEN to get login information, from there continuing to spread to other packages maintained by the same account.
CrowdStrike was also affected.
According to Socket, CrowdStrike's npm account was also compromised, infecting many of its packages with malicious code. CrowdStrike has since removed the affected packages and changed all login credentials.
The campaign has been dubbed Shai-Hulud – inspired by the 'giant sandworm' from the science fiction novel Dune . The name comes from workflow files named shai-hulud.yaml in the malware.
The attack payload is considered quite sophisticated. It uses TruffleHog – a legitimate secret scanning tool – to find and validate credentials, before sending them to the attacker's server via webhook.
Some prominent infected packages include:
-
@ctrl/tinycolor
-
ngx-toastr
-
@crowdstrike/glide-core
-
angulartics2
-
eslint-config-crowdstrike
-
@nativescript-community/ui-collectionview
If affected, users need to Remove the malicious package immediately:
npm uninstall
Fix the secure version until a patch is available:
npm install
In addition, it is necessary to change all login information on the system because this worm is capable of stealing sensitive data, including: NPM tokens, GitHub Personal Access Tokens & Actions Secrets, SSH keys, Cloud login information (AWS, Google Cloud, Azure), API keys, database connection strings, secrets stored in AWS Secrets Manager and similar services.