GitLab's Vulnerability Research team has identified an active, large-scale supply chain attack involving a destructive malware variant spreading through the npm ecosystem. Our internal monitoring system has uncovered multiple infected packages containing what appears to be an evolved version of the "Shai-Hulud" malware.
Early analysis shows worm-like propagation behavior that automatically infects additional packages maintained by impacted developers. Most critically, we've discovered the malware contains a "dead man's switch" mechanism that threatens to destroy user data if its propagation and exfiltration channels are severed.
We verified that GitLab was not using any of the malicious packages and are sharing our findings to help the broader security community respond effectively.
Inside the attack
Our internal monitoring system, which scans open-source package registries for malicious packages, has identified multiple npm packages infected with sophisticated malware that:
Harvests credentials from GitHub, npm, AWS, GCP, and Azure
Exfiltrates stolen data to attacker-controlled GitHub repositories
Propagates by automatically infecting other packages owned by victims
Contains a destructive payload that triggers if the malware loses access to its infrastructure
While we've confirmed several infected packages, the worm-like propagation mechanism means many more packages are likely compromised. The investigation is ongoing as we work to understand the full scope of this campaign.
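One defensive check this implies, shown here as an added example that is not GitLab's code: audit a project's npm lockfile against a blocklist of known-compromised package versions. It reads the lockfile v2/v3 "packages" map and falls back to the v1 nested "dependencies" tree; the package names, versions and sample lockfile are constructed placeholders, not indicators from this post, so substitute the list published for this campaign.

```javascript
// Added example (not GitLab's code): audit an npm package-lock.json for
// known-compromised package versions. Lockfile v2/v3 keys every installed
// dependency by node_modules path under "packages"; v1 nests "dependencies".
// The blocklist and sample lockfile below are constructed placeholders.
const BLOCKLIST = {
  "example-compromised-lib": new Set(["1.4.2", "1.4.3"]),
  "@example/another-pkg": new Set(["0.9.1"]),
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

const isListed = (name, version, bl) => Boolean(name && bl[name] && bl[name].has(version));

// Lockfile v1: recurse through nested "dependencies" trees.
function walkV1(deps, blocklist, parent, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parent}node_modules/${name}`;
    if (isListed(name, entry.version, blocklist)) hits.push({ path, name, version: entry.version });
    walkV1(entry.dependencies, blocklist, `${path}/`, hits);
  }
}

// Return every installed package@version that appears in the blocklist.
function findCompromised(lockfile, blocklist = BLOCKLIST) {
  const hits = [];
  if (!lockfile.packages) {
    walkV1(lockfile.dependencies, blocklist, "", hits);
    return hits;
  }
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // the root project itself
    const name = entry.name || packageNameFromPath(path);
    if (isListed(name, entry.version, blocklist)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Constructed sample v3 lockfile: one clean version, one nested hit, one scoped hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-compromised-lib": { version: "1.3.0" },
    "node_modules/example-clean-lib/node_modules/example-compromised-lib": { version: "1.4.2" },
    "node_modules/@example/another-pkg": { version: "0.9.1" },
  },
};
```

Run `findCompromised(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` in each repository; a non-empty result means a listed version is installed somewhere in the tree, including nested copies that `npm ls` output is easy to overlook.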