New Shai-Hulud supply chain campaign exposes over 27K GitHub repositories

More than 27,000 npm repositories on GitHub, including widely used packages from ENS Domains, PostHog, Zapier, and Postman, have been impacted by the second wave of Shai-Hulud malware attacks, reports The Hacker News.

According to a Wiz report, the intrusions added a new preinstall script to package.json that covertly installed the Bun runtime (or located an existing one) and used it to run a malicious script, then registered the compromised machine as a self-hosted GitHub Actions runner named "SHA1HULUD" and harvested all GitHub Actions secrets.

A separate analysis from Helixguard noted that SHA1HULUD then runs TruffleHog to steal npm tokens, Azure, Google Cloud, and AWS credentials, and environment variables. Researchers at Koi Security and Palo Alto Networks Unit 42 regarded the campaign as significantly more aggressive than the initial Shai-Hulud attacks in September.
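As an added illustration (not code from the report or from any of the vendors named above), a small Python audit that walks a package tree and flags install-time lifecycle hooks in package.json, escalating any hook that invokes Bun, the shape of the preinstall script described above. The sample manifest, the file names in it and the regex patterns are constructed assumptions, not indicators from the campaign.

```python
import json
import os
import re
from typing import Iterator

# Lifecycle hooks npm runs automatically during install. The campaign above
# abused "preinstall"; the other two are flagged because they run just as silently.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Patterns that escalate a hook from "review" to "high". "bun" reflects the report
# above; the fetch-and-run shape is a generic assumption, not a campaign indicator.
SUSPICIOUS = {
    "invokes-bun": re.compile(r"\bbunx?\b", re.IGNORECASE),
    "downloads-and-executes": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
}

# Constructed sample manifest shaped like the hook described in the report.
SAMPLE_MANIFEST = {
    "name": "example-pkg",
    "scripts": {"preinstall": "node setup.js && bun run payload.js", "test": "jest"},
}

def audit_manifest(manifest: dict) -> list[dict]:
    """Return one finding per install-time hook in a parsed package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        findings.append({
            "package": manifest.get("name", "<unnamed>"),
            "hook": hook,
            "command": cmd,
            "reasons": reasons,
            "severity": "high" if reasons else "review",  # every hook gets a look
        })
    return findings

def audit_tree(root: str) -> Iterator[dict]:
    """Audit every package.json under root (e.g. a project's node_modules)."""
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            try:
                with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                    yield from audit_manifest(json.load(fh))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it, do not abort
```

Running `list(audit_tree("node_modules"))` from a project root lists every install-time hook in the dependency tree; anything marked "high" should be read before the package is allowed to install in CI.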

"If Shai-Hulud 2.0 fails to exfiltrate credentials, it executes a fail-safe that attempts to irrevocably destroy the victim's entire home directory, escalating the attack from simple espionage into a guaranteed, highly disruptive denial-of-service event," said Unit 42's Justin Moore.
