Hundreds of trojanized versions of well-known packages such as Zapier, ENS Domains, PostHog, and Postman have been planted in the npm registry in a new Shai-Hulud supply-chain campaign.
The malicious packages were added to npm (Node Package Manager) over the weekend to steal developer and continuous integration/continuous delivery (CI/CD) secrets. The stolen data is automatically posted to GitHub in encoded form.
At the time of publishing, a GitHub search returned 27,600 results for entries related to the recent attack.
GitHub repositories with secrets stolen in the new Shai-Hulud campaign
source: BleepingComputer
When the Shai-Hulud malware first appeared in the npm ecosystem in mid-September, it compromised 187 packages with a self-propagating payload that used the TruffleHog tool to steal developer secrets.
The threat actor automatically downloaded legitimate packages, modified their package.json file to inject a malicious script, and then republished them on npm using compromised maintainer accounts.
When Charlie Eriksen, malware researcher at developer-focused security platform Aikido Security, discovered the new campaign earlier today, there were 105 trojanized packages with Shai-Hulud indicators. Since then, the number has grown to 492, some of them with multiple versions.
Later, the researcher warned that the secrets stolen in the supply-chain attack were leaked on GitHub.
The campaign has since grown exponentially to more than 27,000 malicious packages. Threat researchers at cloud security platform Wiz discovered around 350 unique maintainer accounts used in the campaign, noting that "1,000 new repositories are being added consistently every 30 minutes in the last couple of hours."