
Self-Replicating Worm Hits 180+ Software Packages

16 September 2025 at 10:08

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.

Image: https://en.wikipedia.org/wiki/Sandworm_(Dune)

The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.”

“When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm Aikido. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.”

At the center of this developing maelstrom are code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.

The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.

Image: aikido.dev

In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.

Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets.

“Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.

The security-focused code development platform socket.dev reports the Shai-Hulud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.

In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.

“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.”

A writeup on the attack from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.

StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account.

“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote.

Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.

“I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”

For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.

Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

“Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”

When ‘minimal impact’ isn’t reassuring: lessons from the largest npm supply chain compromise

By: Greg Otto
15 September 2025 at 09:21

Earlier this week, Aikido Security disclosed what is being described as the largest npm supply chain compromise to date. Attackers successfully injected malicious code into 18 popular npm packages, collectively accounting for more than 2.6 billion weekly downloads. The entire campaign began not with a technical exploit, but with a single, well-trained maintainer clicking on a convincingly crafted phishing email.

The scale of this incident should serve as a wake-up call for the industry. Even though the financial fallout has been labeled “minimal,” attackers were able to compromise packages at the very core of the JavaScript ecosystem. That reality should concern every developer, security leader, and policymaker.

We can’t afford to normalize these events as routine, low-stakes occurrences. Each successful package takeover exposes the fragility of our collective software infrastructure. The fact that defenders managed to contain this “leaking roof” in time should not reassure us — it should motivate us to act before the next one.

Anatomy of the compromise

The attack began with a familiar but effective tactic: account takeover. According to Aikido, attackers tricked the maintainer of the affected libraries using a phishing email impersonating npm support, requesting a two-factor authentication update. With those stolen credentials in hand, the attackers published malicious versions of popular packages — including chalk and debug — by modifying their index.js files.

The injected payload was designed to hijack cryptocurrency transactions. By monitoring browser APIs like fetch, XMLHttpRequest, and wallet interfaces such as window.ethereum, the malware could redirect funds to attacker-controlled addresses.

Fortunately, the malicious versions were identified within minutes and publicly disclosed within the hour. This rapid response helped prevent widespread damage. Still, millions of developers pulled compromised versions during that brief window — a reminder of how much trust we place in open source infrastructure and how quickly that trust can be exploited.

Adding to the picture, further research has revealed that additional npm packages were hijacked as part of this campaign, including duckdb, which alone sees nearly 150,000 downloads per week. These findings reinforce the breadth of the operation and highlight how difficult it is to measure the full scope of supply chain compromises in real time.

A playbook that’s here to stay

This compromise was not an isolated incident. Package takeovers have become a standard tactic for threat actors because they provide unmatched reach: compromise one popular project, and you instantly gain access to millions of downstream systems. 

We have seen this strategy become a key tool for advanced persistent threats (APTs), including groups like Lazarus most recently. Package takeovers allow them to infiltrate massive portions of the world’s developer population by targeting a single under-resourced project.

The npm ecosystem is not unique in this regard. Whether it’s PyPI, RubyGems, or Maven Central, package registries are critical distribution points in the modern software supply chain. They represent single points of failure that adversaries will continue to exploit.

The “it wasn’t that bad” narrative

Since disclosure, some industry commentary has downplayed the incident. Reports note that the attackers appear to have stolen just a handful of crypto assets: roughly 5 cents of ETH and $20 worth of a small memecoin.

But this framing is short-sighted. The true cost is not the stolen cryptocurrency; it’s the thousands of hours of engineering and security work required worldwide to clean up compromised environments, not to mention the contracts, compliance requirements, and audits that inevitably follow. 

What’s also striking is how quickly attackers are now able to act. In this case, malicious versions of npm packages were downloaded potentially millions of times within minutes. The same pattern has played out for years in vulnerability exploitation — from HeartBleed to Equifax — where the time between disclosure and exploitation has shrunk to nearly zero.

The “minimal impact” narrative risks lulling organizations into complacency. It encourages a mindset where each incident is dismissed as “low risk” until one day, it isn’t.

What needs to change

Focusing on what didn’t happen ignores the reality that attackers had the opportunity to hit far harder. This incident underscores several urgent priorities, including:

  • Strengthen maintainer security: Package maintainers are the new frontline of cyberattacks. Protecting their accounts with phishing-resistant authentication, hardware keys, and stronger identity protections must become the norm, not the exception.
  • Improve ecosystem-level safeguards: Registries must continue to invest in stronger safeguards, such as mandatory MFA, anomaly detection for unusual publishing activity, and proactive monitoring for malicious code patterns.
  • Shift industry mindset: Organizations need to treat every compromise of a widely used package as a major security incident — even if the immediate payload looks trivial. A malicious package should trigger the same urgency as a zero-day exploit, because the potential blast radius is just as large.
  • Invest in supply chain visibility: Software bills of materials (SBOMs) and automated dependency tracking are essential. Enterprises must be able to quickly identify whether they’re pulling compromised versions and take immediate action.
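
One way to run the check described in the last item, as an added example that is not from the article or from Sonatype: it reads an npm lockfile (the flat "packages" map or the older nested "dependencies" tree) and reports every installed copy of a listed package, nested copies included. The version strings in the advisory list and the sample lockfile are constructed placeholders, since the article names packages but gives no version numbers.

```javascript
'use strict';
// Added example: audit an npm lockfile against a list of known-bad versions.

// ASSUMPTION: placeholder versions. Replace with the versions published in
// the advisory you are responding to; the article does not list them.
const ADVISORY = new Map([
  ['chalk', ['0.0.0-placeholder.1']],
  ['debug', ['0.0.0-placeholder.2']],
  ['duckdb', ['0.0.0-placeholder.3']],
]);

// CONSTRUCTED sample lockfile (lockfileVersion 3 layout).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'shop-frontend', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/debug': { version: '0.0.0-placeholder.2' },
    'node_modules/logger/node_modules/chalk': { version: '0.0.0-placeholder.1' },
    'node_modules/@acme/ui': { version: '2.1.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// lockfileVersion 1 keeps a nested tree; rebuild the install path while walking.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: entry.version, path };
    yield* walkV1(entry.dependencies, `${path}/`);
  }
}

// Yield {name, version, path} for every installed package in the lockfile.
function* installedPackages(lock) {
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || entry.link) continue; // root project or workspace link
      yield { name: entry.name || nameFromPath(path), version: entry.version, path };
    }
  } else {
    yield* walkV1(lock.dependencies, '');
  }
}

// Return every installed copy whose exact version is on the advisory list.
// Nested copies matter: a clean top-level chalk does not clear a bad one
// pulled in by another dependency.
function findCompromised(lock, advisory) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = advisory.get(pkg.name);
    if (bad && bad.includes(pkg.version)) hits.push(pkg);
  }
  return hits;
}

for (const hit of findCompromised(SAMPLE_LOCK, ADVISORY)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path}`);
}
```
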

This npm compromise may go down as the “largest to-date,” but its significance has little to do with its size or the negligible cryptocurrency stolen. Its importance lies in what it reveals about the state of modern software security: our trust in open-source infrastructure is more fragile than we like to admit, and attackers know it.

If we keep measuring the significance of these breaches only by their immediate dollar impact, we’ve missed the point. This was like catching a leaking roof before the storm — the damage was limited only because it was discovered quickly. Next time, we may not be so fortunate.

Brian Fox is co-founder and CTO at Sonatype. 

The post When ‘minimal impact’ isn’t reassuring: lessons from the largest npm supply chain compromise appeared first on CyberScoop.

The npm incident frightened everyone, but ended up being nothing to fret about

10 September 2025 at 10:34

Security professionals and observers across the industry got swept into a pit of fear Monday when an attacker took over and injected malicious code into a series of widely used open-source packages in the node.js package manager, or npm. Despite all that worry, the disaster that many presumed a foregone conclusion was averted and the consequences of the supply-chain attack were short-lived and minimal. 

Josh Junon, a developer and maintainer of the impacted software packages, took to social media early Monday to confirm his npm account was compromised via social engineering — a two-factor reset email that looked legitimate, he said. The attacker quickly posted updated software packages with payloads designed to intercept, manipulate and redirect cryptocurrency activity, according to researchers.

Apprehension fueled by the popularity of the 18 packages affected — capturing more than 2 billion downloads per week combined, according to Aikido Security — pushed some defenders to the brink of full-on freak-out mode. Ultimately, the open-source poisoning attack was successful, but impact was thwarted.

“There was a lot of fear, uncertainty, and doubt in sensationalized headlines about the attack,” Melissa Bischoping, senior director of security and product design research at Tanium, told CyberScoop. “The overall blast radius of the attack was relatively small, it was caught quickly, and the incident response process worked as intended. That’s a good news story, not a horror story.”

Junon said his account was restored about eight hours after he was duped by the social engineering attack, and infected versions of the packages were available for up to six hours before npm took them down and published stable versions. The most popular of the affected packages include ansi-styles, debug, chalk and supports-color.

Many expected the compromise would result in widespread cryptocurrency theft, but the downstream effects of the attack appear negligible. The attacker’s crypto address showed only $66.52, Arda Büyükkaya, senior cyber threat intelligence analyst at EclecticIQ, said in a LinkedIn post Monday.

Researchers at blockchain analytics platform Arkham have traced about $1,027 in stolen cryptocurrency to the attack as of Wednesday morning.

“While their motivation appears financial, it’s easy to see how this could have been catastrophic and reminds us of the XZ Utils breach in 2024 and others in recent memory,” Bischoping said. 

Researchers from multiple security outfits described the compromise as the largest npm attack on record due to the potential scale of compromise. Fortunately, the attacker’s technical actions tipped off other developers.

“The attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,” Andrey Polkovnichenko, security researcher at JFrog, said in a blog post.

While the initial wave of the attack was mostly stunted, researchers warn other npm maintainers were targeted and compromised by the same phishing campaign. Other packages known to be impacted include duckdb, proto-tinker-wc, prebid-universal-creative, prebid and prebid.js, Sonatype researchers said in a blog post Monday. 

“The open-source community are so often the heroes in our industry,” Bischoping said. “The passion, dedication, and resilience of the open-source community provide value we all benefit from. Every organization should consider how they can better support, fund and contribute to open-source projects because without them the tech industry would suffer.”

The post The npm incident frightened everyone, but ended up being nothing to fret about appeared first on CyberScoop.

18 Popular Code Packages Hacked, Rigged to Steal Crypto

8 September 2025 at 18:53

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could lead to a disruptive malware outbreak that is far more difficult to detect and restrain.

This phishing email lured a developer into logging in at a fake NPM website and supplying a one-time token for two-factor authentication. The phishers then used that developer’s NPM account to add malicious code to at least 18 popular JavaScript code packages.

Aikido is a security firm in Belgium that monitors new code updates to major open-source code repositories, scanning any code updates for suspicious and malicious code. In a blog post published today, Aikido said its systems found malicious code had been added to at least 18 widely-used code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and the latest updates to widely-used JavaScript components.

JavaScript is a powerful web-based scripting language used by countless websites to build a more interactive experience with users, such as entering data into a form. But there’s no need for each website developer to build a program from scratch for entering data into a form when they can just reuse already existing packages of code at NPM that are specifically designed for that purpose.

Unfortunately, if cybercriminals manage to phish NPM credentials from developers, they can introduce malicious code that allows attackers to fundamentally control what people see in their web browser when they visit a website that uses one of the affected code libraries.

According to Aikido, the attackers injected a piece of code that silently intercepts cryptocurrency activity in the browser, “manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”

“This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs,” Aikido researcher Charlie Eriksen wrote. “What makes it dangerous is that it operates at multiple layers: Altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing. Even if the interface looks correct, the underlying transaction can be redirected in the background.”

Aikido said it used the social network Bsky to notify the affected developer, Josh Junon, who quickly replied that he was aware of having just been phished. The phishing email that Junon fell for was part of a larger campaign that spoofed NPM and told recipients they were required to update their two-factor authentication (2FA) credentials. The phishing site mimicked NPM’s login page, and intercepted Junon’s credentials and 2FA token. Once logged in, the phishers then changed the email address on file for Junon’s NPM account, temporarily locking him out.

Aikido notified the maintainer on Bluesky, who replied at 15:15 UTC that he was aware of being compromised and was starting to clean up the compromised packages.

Junon also issued a mea culpa on HackerNews, telling the community’s coder-heavy readership, “Hi, yep I got pwned.”

“It looks and feels a bit like a targeted attack,” Junon wrote. “Sorry everyone, very embarrassing.”

Philippe Caturegli, “chief hacking officer” at the security consultancy Seralys, observed that the attackers appear to have registered their spoofed website — npmjs[.]help — just two days before sending the phishing email. The spoofed website used services from dnsexit[.]com, a “dynamic DNS” company that also offers “100% free” domain names that can instantly be pointed at any IP address controlled by the user.

Junon’s mea culpa on HackerNews today listed the affected packages.

Caturegli said it’s remarkable that the attackers in this case were not more ambitious or malicious with their code modifications.

“The crazy part is they compromised billions of websites and apps just to target a couple of cryptocurrency things,” he said. “This was a supply chain attack, and it could easily have been something much worse than crypto harvesting.”

Aikido’s Eriksen agreed, saying countless websites dodged a bullet because this incident was handled in a matter of hours. As an example of how these supply-chain attacks can escalate quickly, Eriksen pointed to another compromise of an NPM developer in late August that added malware to “nx,” an open-source code development toolkit with as many as six million weekly downloads.

In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.

Eriksen said coding platforms like GitHub and NPM should be doing more to ensure that any new code commits for broadly-used packages require a higher level of attestation that confirms the code in question was in fact submitted by the person who owns the account, and not just by that person’s account.

“More popular packages should require attestation that it came through trusted provenance and not just randomly from some location on the Internet,” Eriksen said. “Where does the package get uploaded from, by GitHub in response to a new pull request into the main branch, or somewhere else? In this case, they didn’t compromise the target’s GitHub account. They didn’t touch that. They just uploaded a modified version that didn’t come where it’s expected to come from.”
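
A defender-side check in the spirit of Eriksen's point, as an added example that is not from the article, Aikido or npm: it walks a package's registry metadata in publish order and flags any version that carries no provenance attestation although an earlier release did. The package name "example-lib" and all sample data are constructed; the code assumes the per-version dist.attestations.provenance field and the top-level time map found in npm registry metadata.

```javascript
'use strict';
// Added example: detect a "provenance regression" in npm registry metadata.

// CONSTRUCTED metadata for a hypothetical package, trimmed to the fields used.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  time: {
    '1.0.0': '2025-01-10T09:00:00.000Z',
    '1.1.0': '2025-03-02T09:00:00.000Z',
    '1.2.0': '2025-06-20T09:00:00.000Z',
    '1.2.1': '2025-09-01T00:00:00.000Z',
  },
  versions: {
    // Published before the project adopted provenance: not a regression.
    '1.0.0': { dist: {} },
    '1.1.0': { dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
    '1.2.0': { dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
    // Uploaded directly with a token instead of through the usual CI pipeline.
    '1.2.1': { dist: {} },
  },
};

// True when the version's metadata advertises a provenance attestation.
function hasProvenance(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

// Return versions published without provenance after an attested release.
// Versions are ordered by publish time, not by version number, so that a
// late back-port on an old major line is judged against what preceded it.
function provenanceRegressions(packument) {
  const times = packument.time || {};
  const ordered = Object.keys(packument.versions || {})
    .map((version) => ({ version, published: times[version] }))
    .sort((a, b) => (Date.parse(a.published) || 0) - (Date.parse(b.published) || 0));

  const findings = [];
  let lastAttested = null;
  for (const { version, published } of ordered) {
    if (hasProvenance(packument.versions[version])) {
      lastAttested = version;
    } else if (lastAttested !== null) {
      findings.push({ version, published, lastAttested });
    }
  }
  return findings;
}

for (const f of provenanceRegressions(SAMPLE_PACKUMENT)) {
  console.log(`${SAMPLE_PACKUMENT.name}@${f.version} (${f.published}) has no ` +
    `provenance; last attested release was ${f.lastAttested}`);
}
```

A finding is a reason to hold the update and review the release, not proof of compromise, because a maintainer can legitimately publish by hand.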

Eriksen said code repository compromises can be devastating for developers, many of whom end up abandoning their projects entirely after such an incident.

“It’s unfortunate because one thing we’ve seen is people have their projects get compromised and they say, ‘You know what, I don’t have the energy for this and I’m just going to deprecate the whole package,'” Eriksen said.

Kevin Beaumont, a frequently quoted security expert who writes about security incidents at the blog doublepulsar.com, has been following this story closely today in frequent updates to his account on Mastodon. Beaumont said the incident is a reminder that much of the planet still depends on code that is ultimately maintained by an exceedingly small number of people who are mostly overburdened and under-resourced.

“For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness,” Beaumont wrote on Mastodon. “For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams ‘make online shop’ into a computer and 389 libraries are added and an app is farted out. The output = if you want to own the world’s companies, just phish one guy in Skegness.”

Image: https://infosec.exchange/@GossiTheDog@cyberplace.social.

Aikido recently launched a product that aims to help development teams ensure that every code library used is checked for malware before it can be used or installed. Nicholas Weaver, a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif., said Aikido’s new offering exists because many organizations are still one successful phishing attack away from a supply-chain nightmare.

Weaver said these types of supply-chain compromises will continue as long as people responsible for maintaining widely-used code continue to rely on phishable forms of 2FA.

“NPM should only support phish-proof authentication,” Weaver said, referring to physical security keys that are phish-proof — meaning that even if phishers manage to steal your username and password, they still can’t log in to your account without also possessing that physical key.

“All critical infrastructure needs to use phish-proof 2FA, and given the dependencies in modern software, archives such as NPM are absolutely critical infrastructure,” Weaver said. “That NPM does not require that all contributor accounts use security keys or similar 2FA methods should be considered negligence.”
