While a crisis was averted in the recent Shai-hulud worm attack on npm, the incident proved that self-propagating malware can automate the compromise of open-source packages. Here's what you need to know about the historic Shai-hulud malware outbreak.
What is Shai-hulud, and why is it notable?
- “Shai-hulud” is a self-replicating worm found in the npm package registry.
- The worm exploits compromised npm developer accounts, then uses them to inject malicious code into packages that the compromised accounts maintain. Shai-hulud then spreads via package inter-dependencies.
- Shai-hulud is one of the first known worms that operates within the open-source supply chain at scale, combining token-stealing, the exposure of private code repositories, and automated propagation.
When and how was the worm discovered?
- ReversingLabs (RL) researchers first detected Shai-hulud — a cascading compromise — on September 15.
- Researchers identified the npm package rxnt-authentication version 0.0.3, published September 14 at 17:58:50 UTC as the first known compromised package (Patient Zero).
- Between this initial detection and September 16, the campaign affected hundreds of npm packages, including some with large weekly download numbers.
What does the worm do?
- Code injection and autospreading
  - After compromising an npm account, the worm finds other packages maintained by that account. It automatically creates new versions of those packages with a postinstall script that adds a malicious bundle.js.
  - This bundle.js is executed when users install the package.
- Secret/token theft
  - The worm’s bundle script searches for environment tokens, focusing on npm, GitHub, AWS, GCP, etc.
  - It uses TruffleHog, a popular open-source tool that can detect more than 800 different types of secrets, to identify the victims’ secrets.
- Exfiltration to GitHub
  - Discovered secrets are exfiltrated to GitHub repositories created by the attacker, named “Shai-hulud Repository,” with the description “Shai-hulud Repository.” The stolen data is double Base64-encoded in a file called data.json.
  - Also, in some compromised user accounts, a new branch named Shai-hulud is added in existing repositories, with a malicious GitHub Actions workflow (.github/workflows/Shai-hulud-workflow.yml) that exfiltrates accessible tokens.
- Exposure of private repos
  - The worm attempts to create public copies (“migration”) of all private GitHub repositories belonging to the compromised account, naming them with a “-migration” suffix. These are described as “Shai-hulud Migration.”
  - The intent appears to be exposure of both source code and secrets embedded in private repos, possibly for the purpose of harvesting and re-use by malicious actors.
Which packages and developers have been affected?
- Hundreds of npm packages were compromised, including several popular ones. They include ngx-bootstrap (about 300K weekly downloads), ng2-file-upload (about 100K weekly downloads), and @ctrl/tinycolor (about 2.2 million weekly downloads).
- The compromised maintainer accounts are diverse and include maintainers of open-source libraries, founders/CTOs of tech firms, developers at AI companies, non-profits, security companies, etc.
How can I check whether my organization is infected?
- On GitHub, check for new repositories you didn’t create, especially with descriptions such as “Shai-hulud Migration.”
- Look for branches in your existing repositories named Shai-hulud.
- Inspect whether any of your npm packages have been updated in ways you didn’t author or approve.
- If you maintain packages, RL's Spectra Assure Community can help your team see whether any packages you manage have been flagged as infected.
What are the Indicators of Compromise (IOCs)?
- A list of package names + versions + SHA-1 hashes of compromised versions has been published and can be viewed on the RL research team’s post.
- The GitHub repos created by the attackers (“Shai-hulud Repository”, “Shai-hulud Migration”) and branches/workflows with known naming conventions.
What similarities to earlier attacks have been noted?
- The techniques resemble those used in the “Nx compromise” (late August) and other recent attacks on open-source maintainers involving token theft, exfiltration, and CI/CD vector abuse.
- Prior attacks exposed weaknesses that are common across popular open-source packages.
- Attacks targeting the maintainers of widely used packages have also been seen before, as recently as the compromise of Qix.
- Shai-hulud is an escalation of other incidents impacting open source, because of its worm-like propagation and its multifaceted impact (tokens, private repos, etc.).
What should npm and other repos do to prevent further incidents?
- Open-source registries like npm, PyPI and RubyGems should implement an emergency shutdown or pause button for new package publications during active, widespread attacks.
- Add more robust monitoring for anomalous package updates and version changes for maintainers.
- Improve security posture for maintainers including implementing two-factor authentication (2FA); monitoring token hygiene; limiting privileges; and rotating tokens.
- Increase automation and tooling for detection (e.g. labeling infected packages, scanning for suspicious postinstall scripts) plus faster communication from registries when high-impact compromises are identified.
Read the RL research post about Shai-hulud. Plus, see RL's Tomislav Peričin's analysis.