Hundreds of compromised NPM packages have already been found, and the list continues to grow as a major supply chain attack spreads malware. Developers are urged to be extremely cautious after hackers planted malicious scripts in CrowdStrike’s NPM packages and other widely used libraries.
NPM (Node Package Manager) is the world’s largest software registry, used by developers building web, mobile app, enterprise, and other JavaScript applications.
A massive supply chain attack is currently ongoing, compromising NPM packages at a terrifying pace. A self-replicating worm is spreading via these packages, harvesting user secrets, exfiltrating data, and propagating to other packages using any valid stolen npm tokens.
The first alarm bells were sounded on Monday when the compromise was detected in tinycolor, a popular lightweight JavaScript library designed for color manipulation and conversion. It also affected more than 40 packages spanning multiple maintainers.
Socket, a cybersecurity firm specializing in protection against supply, has already listed almost 500 compromised npm packages. It was one of the first to begin tracking the campaign. Other firms report even more packages.
Multiple compromised CrowdStrike NPM packages with millions of downloads have been flagged with identical malware.
“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor and the platform is not impacted. We identified the single source and isolated it quickly, customers remain protected and do not need to take any actions,” a CrowdStrike spokesperson told Cybernews.
The list also includes foundational tools for mobile and web development used for UI, gesture handling, cross-platform app creation, etc. Hackers have compromised over 30 core @nativescript-community libraries, critical Angular ecosystem packages like ngx-bootstrap and ngx-toastr, over 40 @operato enterprise packages, and dozens of packages from @ctrl and @art-ws development frameworks.
It’s starting to spread panic among developers.
“As a user of npm-hosted packages in my own projects, I'm not really sure what to do to protect myself. It’s not feasible for me to audit every single one of my dependencies, and every one of my dependencies' dependencies, and so on,” one developer shared on Hacker News forum.
“Even if I had the time to do that, I'm not a typescript/JavaScript expert, and I'm certain there are a lot of obfuscated things that an attacker could do that I wouldn't realize were embedded malware.”
Daniel Pereira, Senior Backend Software Engineer at Loka, a software consultancy, warns that a lot of people are getting compromised.
“Don't install @ctrl/[email protected]+ or anything that uses it (so avoid npm installs),” Pereira posted on LinkedIn.
Snowballing out of control
The supply chain attack is dubbed Shai-Halud based on the name of a malicious workflow file deployed by hackers, a reference to giant sandworms in “Dune” novels by Frank Herbert.
It is self-propagating because when developers download and execute a package with the malicious code, it scans their systems using TruffleHog for cloud credentials, tokens, and other secrets, validates the discovered credentials, creates unauthorized GitHub Actions workflows within developers’ repositories, and exfiltrates the sensitive data.
Not only does it update packages with the malicious ‘bundle.js' script, but it also publishes private code. It also appears that the secrets are being exfiltrated to public GitHub repositories instead of attacker-controlled servers.
“It's already turned 700 previously private repositories public,” a security professional who goes under the moniker Advocatemack posted on the Cybersecurity subreddit.
Socket notes that the npm registry quickly removes affected packages.
“The script combines local scanning with service-specific probing. It looks for environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available. It also attempts cloud metadata discovery that can leak short lived credentials inside cloud build agents,” Socket said, explaining how the malware works.
Immediate guidance on mitigating the situation includes uninstalling compromised npm packages or pinning them to a known good version.
“Audit environments (CI/CD agents, developer laptops) that installed the affected versions for unauthorized publishes or credential theft,” Socket urges.
“Rotate npm tokens and other exposed secrets if these packages were present on machines with publishing credentials.”
Updated on September 17th [05:50 .m. GMT] with a statement from CrowdStrike.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked