Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack that carries a malicious self-propagating payload designed to infect further packages.
The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads.
Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace.
From tinycolor to CrowdStrike
Yesterday, Daniel Pereira, a senior backend software engineer, alerted the community to a large-scale software supply chain attack affecting the world's largest JavaScript registry, npmjs.com.
"There is a [sic] malware spreading live in npm as you read this," wrote the engineer, cautioning everyone to refrain from installing the latest versions of the @ctrl/tinycolor project.
Pereira alerting everyone to ongoing npm supply chain attack
Pereira had spent the previous 24 hours trying to get GitHub's attention through more discreet channels to discuss the ongoing attack, since "a lot of repos were targeted" and disclosing the attack publicly could put people at risk.
"But contacting GitHub is too hard. For instance, secrets are being exposed in repos. This is serious," wrote the engineer.
Software supply chain security firm Socket began investigating the compromise and identified at least 40 packages affected by this campaign. Today, researchers at both Socket and Aikido identified additional packages, bringing the count to at least 187.