
FAQ: The Shai-hulud npm worm attack explained

Here's what you need to know about the discovery of the first self-replicating npm worm, which compromised packages with cloud token-stealing malware.

Paul Roberts, Director of Content and Editorial at RL

While a crisis was averted in the recent Shai-hulud worm attack on npm, the incident proved that self-propagating malware can automate the compromise of open-source packages. Here's what you need to know about the historic Shai-hulud malware outbreak.

What is Shai-hulud, and why is it notable?

  • “Shai-hulud” is a self-replicating worm found in the npm package registry.
  • The worm uses compromised npm developer accounts to inject malicious code into the packages those accounts maintain. Shai-hulud then spreads via package inter-dependencies.
  • Shai-hulud is one of the first known worms that operates within the open-source supply chain at scale, combining token-stealing, the exposure of private code repositories, and automated propagation.

When and how was the worm discovered?

  • ReversingLabs (RL) researchers first detected Shai-hulud — a cascading compromise — on September 15.
  • Researchers identified the npm package rxnt-authentication version 0.0.3, published September 14 at 17:58:50 UTC, as the first known compromised package (Patient Zero).
  • Between this initial detection and September 16, the campaign affected hundreds of npm packages, including some with large weekly download numbers.

[ Watch: Q&A about Shai-hulud | Read: RL's Tomislav Peričin's Shai-hulud analysis]

What does the worm do?

  1. Code injection and autospreading
    • After compromising an npm account, the worm finds other packages maintained by that account. It automatically creates new versions of those packages with a postinstall script that adds a malicious bundle.js.
    • This bundle.js is executed when users install the package.
  2. Secret/token theft
    • The worm’s bundle script searches for environment tokens, focusing on npm, GitHub, AWS, GCP, etc.
    • It uses TruffleHog, a popular open-source tool that can detect more than 800 different types of secrets, to identify the victims’ secrets.
  3. Exfiltration to GitHub
    • Discovered secrets are exfiltrated to GitHub repositories created by the attacker, named “Shai-hulud Repository,” with the description “Shai-hulud Repository.” The stolen data is double Base64-encoded in a file called data.json.
    • Also, in some compromised user accounts, a new branch named Shai-hulud is added in existing repositories, with a malicious GitHub Actions workflow (.github/workflows/Shai-hulud-workflow.yml) that exfiltrates accessible tokens.
  4. Exposure of private repos
    • The worm attempts to create public copies (“migration”) of all private GitHub repositories belonging to the compromised account, naming them with a “-migration” suffix. These are described as “Shai-hulud Migration.”
    • The intent appears to be exposure of both source code and secrets embedded in private repos, possibly for the purpose of harvesting and re-use by malicious actors.

Which packages and developers have been affected?

  • Hundreds of npm packages were compromised, including several popular ones. They include ngx-bootstrap (about 300K weekly downloads), ng2-file-upload (about 100K weekly downloads), and @ctrl/tinycolor (about 2.2 million weekly downloads).
  • The compromised maintainer accounts are diverse and include maintainers of open source libraries, founders/CTOs of tech firms, developers in AI companies, non-profits, security companies, etc.

How can I check whether my organization is infected?

  • On GitHub, check for new repositories you didn’t create, especially with descriptions such as “Shai-hulud Migration.”
  • Look for branches in your existing repositories named Shai-hulud.
  • Inspect whether any of your npm packages have been updated in ways you didn’t author or approve.
  • If you maintain packages, RL's Spectra Assure Community can help your team see whether any packages you manage have been flagged as infected.

What are the Indicators of Compromise (IOCs)?

  • A list of package names, versions, and SHA-1 hashes of compromised versions has been published and can be viewed on the RL research team’s post.
  • Other indicators are the GitHub repos created by the attackers (“Shai-hulud Repository”, “Shai-hulud Migration”) and the branches and workflows that follow the known naming conventions.

What similarities to earlier attacks have been noted?

  • The techniques resemble those used in the “Nx compromise” (late August) and other recent attacks on open-source maintainers involving token theft, exfiltration, and CI/CD vector abuse.
  • Prior attacks exposed the vulnerabilities that are common in popular open-source packages.
  • Attacks targeting the maintainers of widely used dependencies have also been seen before, as recently as the compromise of Qix.
  • Shai-hulud is an escalation of other incidents impacting open source, because of its worm-like propagation and its multifaceted impact (tokens, private repos, etc.).

What should npm and other repos do to prevent further incidents?

  • Open-source registries like npm, PyPI and RubyGems should implement an emergency shutdown or pause button for new package publications during active, widespread attacks.
  • Add more robust monitoring for anomalous package updates and version changes for maintainers.
  • Improve security posture for maintainers including implementing two-factor authentication (2FA); monitoring token hygiene; limiting privileges; and rotating tokens.
  • Increase automation and tooling for detection (e.g. labeling infected packages, scanning for suspicious postinstall scripts) plus faster communication from registries when high-impact compromises are identified.

Read the RL research post about Shai-hulud. Plus, see RL's Tomislav Peričin's analysis.
