The 'Shai-Hulud' npm Supply Chain Attack Rumbles On

This is an AI-generated summary; read the full article for details.

The "Shai-Hulud" npm supply chain attack has escalated, now compromising nearly 500 packages, including several CrowdStrike npm packages. Malicious updates introduce a bundle.js script that:

  • Downloads and executes TruffleHog, a legitimate secret scanner.
  • Searches host systems for tokens and cloud credentials.
  • Validates discovered developer and CI credentials.
  • Creates unauthorized GitHub Actions workflows within repositories.
  • Exfiltrates sensitive data to a hardcoded webhook endpoint.

The npm registry has removed the affected packages. The attacker branded the campaign through a GitHub Actions workflow file named shai-hulud.yaml, a reference to the sandworms of Dune.
