Malware Campaigns Targeting Developers via npm and GitHub Repositories
A new wave of supply chain attacks has targeted developers through malicious npm packages and GitHub repositories, with attackers leveraging both automated worms and sophisticated social engineering. The npm registry was compromised by a self-replicating worm known as "Sha1-Hulud: The Second Coming," which infected over 800 packages and 27,000 GitHub repositories. The malware aimed to steal sensitive data such as API keys, cloud credentials, and authentication tokens, and it backdoored npm packages to execute malicious payloads during installation. Attackers also abused GitHub Actions workflows for command-and-control and data exfiltration, with a notable shift to using the Bun runtime for improved stealth and evasion of Node.js-focused defenses.
In a related attack vector, threat actors used fake job interviews to lure developers into cloning and running seemingly benign Next.js projects from private GitHub repositories. The malicious code was hidden in the next.config.js file, which executed on the developer's machine during project setup, bypassing traditional dependency-based detection. This "Living off the Land" technique enabled the theft of credentials, including those for LastPass and cryptocurrency wallets, by exploiting trusted development workflows. Both incidents highlight the growing risk of supply chain attacks targeting developers through trusted tools and social engineering tactics.
Related Entities
Malware
Sources
Related Stories
Shai-Hulud Worm and Related Malicious NPM Package Attacks Targeting Software Supply Chains
A large-scale supply chain attack has targeted the Node Package Manager (NPM) ecosystem, compromising hundreds of widely used JavaScript packages and threatening the security of software development pipelines globally. In mid-September, cybersecurity researchers identified a self-propagating malware dubbed "Shai-Hulud," which was distributed through trojanized NPM packages, including some with millions of weekly downloads and high-profile packages such as those from CrowdStrike. The attack leveraged a malicious "bundle.js" script that downloaded and executed TruffleHog, a legitimate credential scanner, to harvest developer and CI/CD tokens, cloud service credentials, and environment variables from compromised systems. The stolen credentials were exfiltrated via hard-coded webhooks and GitHub Actions workflows, enabling the attacker to further propagate the malware and gain unauthorized access to sensitive resources. The campaign affected both Windows and Linux systems, increasing its reach and impact across diverse development environments. Sysdig reported that the attack on September 15 involved approximately 200 compromised packages, including @ctrl/tinycolor, and was linked to an attacker who had previously targeted Nx packages in late August. The worm not only stole secrets but also published them publicly on GitHub and attempted to make victim repositories public, amplifying the risk of further compromise. Earlier in the month, other popular packages such as chalk, debug, and duck were also compromised following a successful spear phishing attack against a maintainer, with the attacker seeking to redirect cryptocurrency payments. NPM responded by removing the malicious package versions, but users were required to update or revert to secure versions to mitigate the risk. Sysdig provided same-day threat intelligence and detection capabilities to its customers, including open source Falco rules to identify and respond to the threat. The attack demonstrated the vulnerability of even the most trusted and widely used open source packages, highlighting the importance of continuous monitoring and rapid response in the software supply chain. Security researchers and vendors emphasized the need for organizations to scan their environments for known malicious packages, such as dist.fezbox.cjs, and to review logs for signs of credential exfiltration. The incident underscored the evolving tactics of threat actors targeting developer ecosystems, using advanced techniques to automate propagation and maximize impact. Organizations relying on NPM packages and CI/CD pipelines were urged to remain vigilant, update dependencies promptly, and leverage threat intelligence resources to defend against similar attacks. The Shai-Hulud campaign remains an evolving threat, with ongoing analysis and mitigation efforts by the security community. This incident serves as a stark reminder that popularity and trust in open source packages do not guarantee safety, and proactive security measures are essential to protect software supply chains from compromise.
5 months ago
npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise
Threat actors are using **malicious npm packages** to steal developer credentials and CI/CD secrets, enabling rapid escalation into cloud environments. Google reported that **UNC6426** leveraged keys stolen during the earlier compromise of the *nx* npm ecosystem to pivot from a stolen developer GitHub token into **AWS administrative access within 72 hours**, abusing **GitHub-to-AWS OpenID Connect (OIDC) trust** to create a new admin role. The actor then used that access to **exfiltrate data from AWS S3** and conduct **destructive actions** in production cloud environments; the initial *nx* compromise involved a GitHub Actions `pull_request_target` workflow abuse (“**Pwn Request**”) that enabled publishing trojanized packages containing a `postinstall` chain that executed the **QUIETVAULT** JavaScript credential stealer and uploaded stolen data to a public GitHub repo (`/s1ngularity-repository-1`). Separately, researchers reported new waves of the **PhantomRaven** npm supply-chain campaign distributing **88 additional malicious packages** (via ~50 disposable accounts) that target JavaScript developers by exfiltrating secrets from files like `.gitconfig` and `.npmrc`, environment variables, and CI/CD tokens (e.g., GitHub/GitLab/Jenkins/CircleCI). The campaign uses **slopsquatting** (LLM-suggested lookalike package names) and a stealth technique called **Remote Dynamic Dependencies (RDD)**, where `package.json` pulls a dependency from an external URL so the malicious payload is fetched at install time (`npm install`) and can evade static package inspection; researchers indicated many of these packages remained available in the npm registry at the time of reporting.
5 days agoShai-Hulud Malware Supply Chain Attack on NPM Packages Targeting Zapier and ENS Domains
A new variant of the Shai-Hulud malware, dubbed "Sha1-Hulud: The Second Coming," has compromised over 70 npm packages, including those associated with Zapier and ENS Domains. The attack involves malicious code that steals developer credentials and publicly exposes them by creating thousands of GitHub repositories labeled with the campaign's name. This incident represents a significant escalation in supply chain attacks within the JavaScript ecosystem, with the malware demonstrating advanced self-propagation capabilities and surpassing the impact of previous Shai-Hulud campaigns within hours of detection. Security researchers have urged immediate action for developers and organizations using npm packages, recommending checks for compromised package versions, auditing of GitHub accounts for unauthorized repositories, and remediation steps such as removing affected `node_modules` directories and clearing npm caches. The attack highlights the ongoing risks posed by supply chain threats in open-source ecosystems and the need for vigilant monitoring and rapid response to emerging malware campaigns.
3 months ago