Malicious Worm Code Found in Many NPM Packages

Executive Summary

Beazley Security Labs is monitoring a rapidly evolving supply-chain attack in the NPM (Node.js) ecosystem known as the Shai-Hulud campaign. The attack uses a worm-like malicious payload embedded in compromised NPM packages. Once installed, the payload attempts to harvest secrets such as GitHub and NPM access tokens, as well as credentials for cloud providers such as AWS, Azure, and Google Cloud Platform. Once access tokens have been harvested, the worm uses them to republish malicious versions of any packages the compromised tokens control. It also injects GitHub Actions workflows to enable ongoing data exfiltration and persistence, making this a self-propagating NPM worm that continuously expands its reach and its ability to exfiltrate credentials from a broader set of victims.

Given the ubiquity of NPM across modern development environments, this attack poses a large risk to the software supply chain. So far, we have seen hundreds of packages compromised to continue the spread of the worm, including packages maintained by organizations such as CrowdStrike. Organizations should not only audit dependencies and update to known-good versions but also use endpoint visibility tooling on developer workstations to look for signs of execution and outbound communication to known exfiltration systems. For more details, please review the Indicators of Compromise (IOC) section of this advisory. In addition, teams should actively monitor GitHub for the creation of suspicious repositories or CI/CD workflows, which may indicate worm-driven propagation or persistence attempts in their environments.

Beazley Security expects this worm to continue propagating, although at a slower rate as the cybersecurity community creates detections and EDR vendors add protections to their product suites. Beazley Security MDR clients have already been notified where suspicious activity has been identified in their environments.

Affected Systems or Products

Product                                    Affected
NodeJS NPM Package Management Ecosystem    700+ packages published on NPM

Mitigations / Workarounds

Because propagation of this attack is ongoing, and each new compromise can produce further malicious versions of libraries, it is advised to limit NPM updates overall until the number of compromised libraries declines, and to restrict any required updates to NPM packages with pinned versions of known-good releases.

It is also critical to maintain control over your NPM tokens, as failure to do so can result in even more malicious packages being published. Rotate and monitor your NPM credentials, and monitor developers who hold publishing credentials, to make sure that your packages do not include these payloads.

If developers have updated their NPM packages recently or believe that they may have been compromised, delete the installed packages and purge the NPM cache:

  rm -rf node_modules && npm cache clean --force

Indicators of Compromise

If a user was compromised and their GitHub credentials were accessed, we observe a public repository named “Shai-Hulud” in their account that contains a dump of the collected credentials and secrets.

New GitHub Actions workflows that push configured secrets to the following webhook.site webhook:

  • hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

This webhook now appears to be blocked by the webhook.site service for excessive use; however, the exfiltration attempt can still be validated in the logs of the GitHub Actions run.

The malicious Bundle.js shipped in the compromised packages has changed over the course of this attack. Currently the following SHA-256 hashes of Bundle.js are known to be malicious.

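As an added example (not Beazley Security's tooling), the following Python script applies the indicators above and the mitigation guidance to a local checkout or workstation: it flags install-time hooks in dependencies under node_modules, compares any Bundle.js against a caller-supplied set of SHA-256 digests taken from the IOC list, and looks for the `shai-hulud-workflow.yml` workflow or any workflow that references webhook.site. The demo tree it builds is constructed and harmless; the `demo-dep` package name and the hash set passed in by the caller are assumptions.

```python
# Added example, not Beazley Security's tooling: triage a checkout for the Shai-Hulud indicators in this advisory.
import hashlib
import json
import os
import tempfile

WORM_WORKFLOW = "shai-hulud-workflow.yml"  # persistence workflow name from the advisory
EXFIL_HOST = "webhook.site"                # exfiltration service named in the advisory

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_tree(root, bad_bundle_hashes):
    """Return (kind, path, detail) findings; bad_bundle_hashes holds SHA-256 hex digests copied from the IOC list."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = dirpath.split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "package.json" and "node_modules" in parts:
                with open(path, encoding="utf-8") as f:
                    scripts = json.load(f).get("scripts", {})
                for hook in ("preinstall", "install", "postinstall"):  # any install-time hook deserves review
                    if hook in scripts:
                        findings.append(("install-hook", path, f"{hook}: {scripts[hook]}"))
            elif name.lower() == "bundle.js" and sha256_of(path) in bad_bundle_hashes:
                findings.append(("known-bad-bundle", path, sha256_of(path)))
            elif parts[-2:] == [".github", "workflows"]:
                if name == WORM_WORKFLOW:
                    findings.append(("worm-workflow-name", path, name))
                with open(path, encoding="utf-8", errors="ignore") as f:
                    if EXFIL_HOST in f.read():
                        findings.append(("workflow-exfil-host", path, EXFIL_HOST))
    return findings

def build_demo_tree():
    """Constructed, harmless sample tree (assumption): hooked dependency, Bundle.js stand-in, worm-style workflow."""
    root = tempfile.mkdtemp()
    dep = os.path.join(root, "node_modules", "demo-dep")
    wf = os.path.join(root, ".github", "workflows")
    os.makedirs(dep); os.makedirs(wf)
    with open(os.path.join(dep, "package.json"), "w") as f:
        json.dump({"name": "demo-dep", "scripts": {"postinstall": "node bundle.js"}}, f)
    with open(os.path.join(dep, "bundle.js"), "w") as f:
        f.write("// constructed stand-in, not the real payload\n")
    with open(os.path.join(wf, WORM_WORKFLOW), "w") as f:
        f.write(f"name: demo\non: push\n# constructed marker referencing {EXFIL_HOST}\n")
    return root, sha256_of(os.path.join(dep, "bundle.js"))
```

Run `scan_tree` against a real project root with the hash set populated from the IOC list above; every finding is a lead for manual review, not a verdict on its own.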

Technical Details

Introduction

The Shai-Hulud campaign is a multi-stage, self-propagating attack that combines malicious package publication, automated credential theft, and rapid worm-like propagation throughout the NPM ecosystem. It begins when a compromised package is installed, typically on a developer workstation or in a CI/CD pipeline. The malicious version includes an obfuscated post-install script or bundled payload that executes automatically during installation. This post-install script uses legitimate open-source tooling such as TruffleHog to search its environment for secrets, including NPM tokens, GitHub access tokens, cloud provider keys, and other developer-centric credentials.

If the malicious payload is executed on a developer workstation, it can access the developer’s local NPM configuration and any cached credentials, allowing attackers to hijack and propagate to every package the developer maintains. When run inside CI/CD environments, the worm may have access to temporary publish tokens, secrets injected into the pipeline, and even cloud IAM roles via metadata endpoints.

Execution & Credential Harvesting

Once running, the malicious payload launches a bundled version of TruffleHog, an open-source secret scanning tool. This tool recursively scans the environment for sensitive data, including NPM publish tokens, GitHub personal access tokens, cloud provider credentials, SSH keys, and other secrets. The malware validates discovered credentials against their respective APIs to confirm that they are active and have appropriate permissions. This validation step ensures that only usable secrets are exfiltrated and used for propagation, increasing the efficiency and success rate of follow-on exploitation.

Credentials gathered by the malicious packages are automatically

Automated Propagation

When valid tokens are discovered, the malware automatically republishes malicious versions of any packages associated with the compromised account, leading to rapid and indiscriminate spread across the NPM ecosystem. In many cases, private repositories have been converted to public in order to aid further in propagation.

Exfiltration & Attempted Persistence

In addition to republishing malicious packages, the malicious payload attempts to establish persistence automatically by creating a new GitHub repository named `Shai-Hulud` and creating a malicious GitHub Actions workflow using a YAML configuration file titled `shai-hulud-workflow.yml`.

How Beazley Security is Responding

Beazley Security has hunted for the IOCs described in this advisory across our MXDR and MDR client base to detect potential attempts to exfiltrate credentials from developer systems. We have notified any affected organizations of our findings.

Beazley Security Labs will continue to monitor the situation and will provide updates to this advisory as they arise.
