[CIAD-2025-0034] Supply Chain Attack Targeting npm Ecosystem (Shai-Hulud Worm)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Supply Chain Attack Targeting npm Ecosystem (Shai-Hulud Worm)
Indian Computer Emergency Response Team (CERT-In) (https://www.cert-in.org.in)
Severity Rating: High
Description
It has been observed that an active and widespread software supply chain attack is targeting the Node Package Manager (npm) ecosystem. The npm ecosystem comprises the complete network of software packages, developers, tools, and services that support the Node.js and JavaScript development community, centered on the npm Registry (npmjs.com) and its official command-line interface (CLI) tool, npm. As part of this campaign, a self-replicating worm, publicly known as ‘Shai-Hulud’, has compromised more than 500 software packages. This attack has the potential to impact start-ups, IT/ITES companies, fintech platforms, and e-Governance applications that rely on npm-based software, resulting in exposure of credentials, unauthorized code execution, and further supply chain compromise.
This campaign combines supply chain compromise with automated propagation, creating cascading impact at scale. It began with credential-harvesting phishing emails spoofing npm that prompted developers to ‘update’ MFA settings. After initial access, the actor deployed malware to harvest credentials and a worm-like payload that triggered a multi-stage spread across packages.
In this campaign, malicious package versions contain a worm that executes a post-installation (‘postinstall’) script. The malware scans the environment for sensitive credentials, including:
.npmrc files (for npm tokens)
Environment variables and configuration files specifically targeting GitHub Personal Access Tokens (PATs) and API keys for cloud services like:
Amazon Web Services (AWS)
Google Cloud Platform (GCP)
Microsoft Azure
The malware used in this campaign performs the following actions:
Exfiltrates the harvested credentials to an endpoint controlled by the actor.
Uploads the credentials to a public repository named “Shai-Hulud” via the GitHub /user/repos API.
Authenticates to the npm registry using compromised developer credentials and injects malicious code into other packages.
Publishes tainted versions automatically, enabling rapid, self-propagating spread without direct actor intervention.
Attempts to establish persistence by creating a malicious GitHub Actions workflow file.
Recommendations
Conduct a dependency review of all software leveraging the npm package ecosystem.
Check package-lock.json or yarn.lock files to identify affected packages, including nested dependencies.
Search for cached versions of affected dependencies in artifact repositories and dependency management tools.
Rotate all developer credentials.
Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and npm.
Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets.
Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates.
Monitor for anomalous network behavior and review firewall logs for suspicious domains.
Block outbound connections to webhook.site domains.
Inspect organizational GitHub accounts for signs of compromise such as unauthorized repositories named ‘Shai-Hulud,’ suspicious commits, or the presence of malicious workflow files (e.g., .github/workflows/shai-hulud-workflow.yml).
Review all repositories for unexpected branches named ‘shai-hulud’ that may have been created without developer authorization.
Note that npm and GitHub have removed malicious versions and announced upcoming mandatory 2FA and trusted publishing. Align internal practices with these ecosystem changes.
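One way to carry out the dependency review recommended above, as an added example that is not part of this advisory: a Node.js script that walks a package-lock.json, including nested dependencies, and reports any installed name@version that appears on an affected list. The package names and versions in AFFECTED are constructed placeholders, not real indicators; substitute the published list for this campaign.

```javascript
// Added example (not from the CERT-In advisory): scan package-lock.json for
// known-affected package versions, including nested dependencies, handling
// lockfile v1 (nested "dependencies" tree) and v2/v3 (flat "packages" map).
// AFFECTED holds CONSTRUCTED placeholders; substitute the published IoC list.
const AFFECTED = {
  "example-affected-pkg": new Set(["1.2.3", "1.2.4"]),
  "@example-scope/another-pkg": new Set(["0.9.1"]),
};
// Name from a v2/v3 key: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}
// v1: nested deps live under each entry's own "dependencies"; recurse.
function walkV1(deps, prefix, out) {
  for (const [name, e] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ name, version: e.version, path, hasInstallScript: false });
    walkV1(e.dependencies, `${path}/`, out);
  }
}
// Every installed package in the lockfile, whatever its lockfileVersion.
function listPackages(lock) {
  const out = [];
  if (!lock.packages) { walkV1(lock.dependencies, "", out); return out; }
  for (const [path, e] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    out.push({ name: e.name || nameFromPath(path), version: e.version,
               path, hasInstallScript: Boolean(e.hasInstallScript) });
  }
  return out;
}
// Entries whose name@version is on the affected list. For a real project:
// findAffected(JSON.parse(require("fs").readFileSync("package-lock.json","utf8")))
function findAffected(lock, affected = AFFECTED) {
  return listPackages(lock).filter((p) => affected[p.name]?.has(p.version));
}
// Constructed sample (v3 shape): one nested hit; another-pkg@0.9.0 is not affected.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/left-ok": { version: "2.0.0" },
  "node_modules/left-ok/node_modules/example-affected-pkg":
    { version: "1.2.3", hasInstallScript: true },
  "node_modules/@example-scope/another-pkg": { version: "0.9.0" },
} };
for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}` +
              (h.hasInstallScript ? " (runs an install script)" : ""));
}
```

The same check should be run against cached copies of lockfiles in artifact repositories, since a clean working tree does not prove that the affected version was never installed.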
References
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
https://unit42.paloaltonetworks.com/npm-supply-chain-attack/
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003