# Full Report
Trojanized npm packages spread new variant that executes in pre-install phase, hitting thousands within days A self-propagating malware targeting node package managers (npm) is back for a second round, according to Wiz researchers who say that more than 25,000 developers had their secrets compromised within three days.…
# Analysis Summary
# Tool/Technique: Shai-Hulud Worm Variant (2.0)
## Overview
A self-propagating, wormable malware variant targeting the Node Package Manager (npm) ecosystem. It spreads via trojanized npm packages and executes during the package pre-install phase to scan infected hosts for sensitive credentials and secrets, which it then exfiltrates by publishing them to the victim's own GitHub repositories.
## Technical Details
- Type: Malware (Wormable, Supply Chain)
- Platform: Target environments running Node.js/npm (Developers' machines, CI/CD pipelines)
- Capabilities: Package compromise, secret harvesting (AWS, GCP, Azure, GitHub credentials), self-propagation via compromised packages, exfiltration to user-owned GitHub repositories.
- First Seen: This variant (designated 2.0) escalated into an active campaign around November 21.
## MITRE ATT&CK Mapping
- T1195 - Supply Chain Compromise
- T1195.003 - Compromise Software Supply Chain: Deploy Software to Victim Users
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (via GitHub pushes)
- TA0006 - Credential Access
- T1555 - Credentials from Web Browsers/Applications (implied by targeting stored secrets)
## Functionality
### Core Capabilities
- **Infection Vector:** Spreads through trojanized npm packages uploaded to the npm registry by compromised maintainer accounts.
- **Execution Timing:** Code executes specifically in the **pre-install phase** of the package installation process.
- **Secret Scanning:** Scans the infected host environment for stored credentials, including AWS, GCP, Azure, and GitHub tokens/secrets.
### Advanced Features
- **Wormable Behavior:** The malware appears to be self-propagating, capitalizing on the widespread use of the compromised packages across thousands of projects.
- **Evasion/Stealth:** Utilizes the dependency installation lifecycle (pre-install script) for execution, potentially bypassing detection focused solely on post-installation activity.
- **Exfiltration Mechanism:** Publishes the harvested secrets directly to the victim's *own* GitHub repositories, using the victim's infrastructure/credentials, which may aid in making the exfiltration appear legitimate initially.
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: Not provided in the text, but execution occurs via npm package scripts.
- Registry Keys: Not applicable/not provided.
- Network Indicators: The mechanism involves pushing data to the victim's existing GitHub repositories (defanged example: **api[.]github[.]com** for push operations).
- Behavioral Indicators:
* New, suspicious GitHub repository publications containing "Shai-Hulud" in the description.
* Suspicious commits referencing "hulud" in the victim's own repositories.
* Execution of code during the `preinstall` step of `npm install`.
## Associated Threat Actors
- Identity unknown; described as "separate criminals" who may be operating similarly to the actors behind the original September variant.
## Detection Methods
- Signature-based detection: Monitoring for known malicious package names or specific file signatures associated with the payloads.
- Behavioral detection: Monitoring filesystem and network activity during `npm install`, specifically looking for script execution beyond what a package's declared scripts should do, or for filesystem scans of configuration and credential files.
- YARA rules: Not specified in the text, but could be developed based on specific strings or code structures found in the deployed malicious scripts.
## Mitigation Strategies
- **Immediate Action:** Clear the npm cache on affected systems.
- **Rollback:** Roll back dependencies to versions published *before* November 21.
- **Credential Rotation:** Immediately rotate all compromised credentials across AWS, GCP, Azure, and GitHub.
- **Hunting:** Manually hunt for signs of compromise (new repositories, suspicious commits/publications referencing "hulud").
- **Pipeline Hardening:** Harden development pipelines to minimize execution privileges during dependency installation.
- **Authentication Overhaul (npm ecosystem):** Adopt FIDO-based 2FA over TOTP, and ensure legacy classic tokens are disabled/revoked (npm is moving to disable these tokens).
## Related Tools/Techniques
- **Shai-Hulud (Initial Variant):** Similar infection chain, focusing on supply chain compromise via npm.
- **Dependency Confusion Attacks:** Another method used to poison software supply chains.
- **Cross-Domain Credential Theft:** General techniques used to harvest secrets from development environments.