More than 20 CrowdStrike NPM packages were among nearly 200 NPM packages hit by a sophisticated supply chain attack.
The compromised packages were quickly removed and CrowdStrike said its Falcon security platform wasn’t affected, but coming just days after a massive NPM supply chain attack hit popular packages with more than 2 billion downloads a week, the latest incident is likely to bring renewed scrutiny to the packages used to run JavaScript outside of a browser.
The latest NPM attack used a self-propagating worm, raising a new level of concern among security researchers.
“This attack demonstrates a concerning evolution in supply chain threats – the malware includes a self-propagating mechanism that automatically infects downstream packages, creating a cascading compromise across the ecosystem,” StepSecurity CTO Ashish Kurmi wrote in a blog post.
NPM Attack Uses Self-Propagating Worm
Daniel Pereira appeared to be the first to identify the latest NPM threat, which Aikido’s Charlie Eriksen said seemed to be the work of the same threat actors behind an Nx NPM attack in late August.
The attack, dubbed “Shai-Hulud” because of a workflow file named for the sandworms in Dune, also hit Tinycolor and other popular packages, according to Socket’s Kush Pandya and Peter van der Zee and other researchers.
The malware, according to Socket and other researchers, performs several functions:
- Downloads and runs the TruffleHog secret scanner
- Searches host systems for tokens and cloud credentials
- Validates developer and CI credentials
- Creates unauthorized GitHub Actions workflows within repositories
- Exfiltrates sensitive data to a webhook[.]site URL
- Propagates and amplifies the attack
CrowdStrike Among Those Hit By NPM Attack
Multiple CrowdStrike NPM packages published by the crowdstrike-publisher NPM account were compromised.
Contacted by The Cyber Express, a CrowdStrike spokesperson shared the following statement:
“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”
It’s not clear how the initial compromise occurred in any of the incidents, but one commenter on LinkedIn said “We aren’t sure how the attackers got initial access it doesn’t appear to be from a phishing campaign.”
Cyble: ‘A Significant Escalation’ in Supply Chain Attacks
In a note to clients, Cyble said the sudden appearance on GitHub of hundreds of “Shai-Hulud Migration” repositories “suggests coordinated automation infrastructure supporting the broader operation.”
Cyble said the attack is “a significant escalation in supply chain attack sophistication and targeting precision. The threat actors demonstrated advanced operational security by maintaining consistent malware deployment across multiple packages while implementing automated persistence mechanisms. The campaign’s focus on credential harvesting and GitHub Actions workflow deployment indicates potential state-sponsored or advanced persistent threat group involvement. … The rapid response and package removal by npm registry maintainers prevented a broader impact, but the incident highlights fundamental vulnerabilities in package distribution trust models.”
Cyble had a long list of recommendations for clients:
- Conducting comprehensive audits of all development and production environments to identify installations of the compromised packages and removing or downgrading to verified clean versions immediately.
- Implementing automated dependency scanning to detect similar supply chain compromises in future package updates.
- Rotating all npm tokens, API keys, cloud credentials, and other authentication materials that may have been exposed on systems where compromised packages were installed.
- Implementing credential vaulting solutions and eliminating plaintext credential storage in development environments, and multi-factor authentication on all package management accounts.
- Reviewing all GitHub repositories for unauthorized workflow files, particularly those containing references to “shai-hulud” or similar naming patterns.
- Auditing CI/CD pipeline configurations for unexpected modifications or new workflow additions, and implementing workflow approval requirements and repository access monitoring.
- Establishing package integrity verification processes, including signature validation and hash checking, before deployment, and implementing software bill of materials (SBOM) generation and monitoring for all dependencies.
- Deploying monitoring solutions to detect unauthorized package installations, unusual GitHub Actions activity, and credential access patterns.
- Establishing baseline behavior profiles for development environments and implementing anomaly detection for supply chain-related activities.
- Creating threat intelligence feeds focused on npm ecosystem compromises and similar attack vectors, and incident response procedures specifically for supply chain compromise scenarios.
Some have called for improved code security measures like mandatory code signing. Nx, for example, implemented NPM Trusted Publishers and a manual approval process for all releases, among other enhanced security measures, after its recent attack.
