CISA: Extensive supply chain compromise necessitates immediate dependency checks

The Cybersecurity and Infrastructure Security Agency has urged organizations' security teams to improve software monitoring following the widespread Shai-Hulud npm supply chain intrusion, which StepSecurity found to have affected more than 500 software packages with self-replicating malware, Cybersecurity Dive reports.

In a new alert, CISA said all software that uses the npm package ecosystem should undergo dependency reviews, and cached versions of the affected dependencies should be thoroughly examined in light of the attack.
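The dependency review and cache check CISA describes can be scripted. The following is an added example, not code from CISA, StepSecurity, or SC Media: it walks a `package-lock.json` (lockfile versions 1 through 3) and the index of npm's on-disk tarball cache, and flags any package whose version appears in a known-bad list. The `KNOWN_BAD` entries and the sample lockfile and index lines are constructed placeholders, not real Shai-Hulud indicators; the layout of npm's cache index (`~/.npm/_cacache/index-v5`, one `<hash>\t<json>` entry per line with a `key` naming the tarball URL) is assumed from npm's cacache format.

```python
"""Flag npm dependencies and cached tarballs that match a list of known-bad
package versions. Added example, not from the CISA alert or SC Media.

KNOWN_BAD is a constructed placeholder: replace it with the package@version
pairs published by a vetted source for the incident you are responding to."""
import json
import os
import re
import sys

# Constructed placeholder IoCs: {package name: {affected versions}}.
# NOT real Shai-Hulud indicators; substitute the published list.
KNOWN_BAD = {
    "example-compromised-pkg": {"1.2.3", "1.2.4"},
    "@example-scope/another-pkg": {"4.0.1"},
}

# Matches the tarball URL inside an npm cache index key, e.g.
# make-fetch-happen:request-cache:https://registry.npmjs.org/<name>/-/<base>-<version>.tgz
TARBALL_RE = re.compile(
    r"request-cache:https?://[^/\s]+/(?P<name>(?:@[^/]+/)?[^/]+)/-/[^/]+-(?P<version>\d[^/]*)\.tgz$"
)


def lockfile_packages(lock):
    """Yield (name, version) for every package in a package-lock.json dict.
    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    lockfileVersion 1 ("dependencies" nested map); duplicates are harmless."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # keeps the @scope/ prefix
        if meta.get("version"):
            yield name, meta["version"]

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_bad_in_lockfile(lock, iocs=KNOWN_BAD):
    """Return a sorted list of (name, version) present in both lock and iocs."""
    hits = {(n, v) for n, v in lockfile_packages(lock) if v in iocs.get(n, ())}
    return sorted(hits)


def cache_index_hits(index_lines, iocs=KNOWN_BAD):
    """Scan cacache index lines ('<hash>\\t<json>') for tarball keys of
    known-bad package versions. Returns a sorted list of (name, version)."""
    hits = set()
    for line in index_lines:
        _, tab, payload = line.strip().partition("\t")
        if not tab:
            continue  # not an index entry
        try:
            key = json.loads(payload).get("key", "")
        except json.JSONDecodeError:
            continue
        m = TARBALL_RE.search(key)
        if m and m.group("version") in iocs.get(m.group("name"), ()):
            hits.add((m.group("name"), m.group("version")))
    return sorted(hits)


def scan_cache_dir(cache_root, iocs=KNOWN_BAD):
    """Walk <cache_root>/_cacache/index-v5 (npm's default layout, assumed)."""
    index_dir = os.path.join(cache_root, "_cacache", "index-v5")

    def lines():
        for dirpath, _, files in os.walk(index_dir):
            for f in files:
                with open(os.path.join(dirpath, f), encoding="utf-8", errors="replace") as fh:
                    yield from fh

    return cache_index_hits(lines(), iocs)


# Constructed sample inputs (not a real project or real cache contents).
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/example-compromised-pkg": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/foo/node_modules/@example-scope/another-pkg": {"version": "4.0.1"},
    },
}
SAMPLE_INDEX_LINES = [
    "deadbeef\t" + json.dumps({"key": "make-fetch-happen:request-cache:https://registry.npmjs.org/example-compromised-pkg/-/example-compromised-pkg-1.2.4.tgz"}),
    "cafebabe\t" + json.dumps({"key": "make-fetch-happen:request-cache:https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}),
    "not an index line",
]

if __name__ == "__main__":
    lock_path = sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"
    with open(lock_path, encoding="utf-8") as fh:
        lock_hits = find_bad_in_lockfile(json.load(fh))
    cache_hits = scan_cache_dir(os.path.expanduser("~/.npm"))
    for label, hits in (("lockfile", lock_hits), ("npm cache", cache_hits)):
        for name, version in hits:
            print(f"[{label}] {name}@{version} matches a known-bad version")
    sys.exit(1 if (lock_hits or cache_hits) else 0)
```

Run it from a project directory (or pass the lockfile path) in CI or on developer workstations; a non-zero exit makes it easy to gate builds. Checking the cache separately matters because a compromised tarball can remain in `~/.npm` and be reinstalled offline even after the registry entry has been removed.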

CISA also called on security teams to rotate developer account credentials and to enforce phishing-resistant multi-factor authentication on those accounts.

The advisory follows GitHub's removal of more than 500 npm packages affected by the intrusion; GitHub also moved to block newly uploaded packages containing Shai-Hulud indicators of compromise. Palo Alto Networks researchers later assessed that the malicious code behind the supply chain attack had been developed using a large language model.