New Shai-Hulud malware wave compromises 600 npm packages

by · BleepingComputer

Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign.

Most of the affected packages are in the @antv ecosystem, which include libraries for charting, graph visualization, building flowcharts, and mapping. However, popular packages outside this namespace have also been compromised.

As in the previous Shai-Hulud campaign impacting TanStack and Mistral packages, the payload collects secrets from developer and CI/CD environments and exfiltrates them over the Session P2P network to complicate detection and takedown efforts.

The threat actor also used GitHub as a fallback exfiltration mechanism and published stolen data in repositories under victims' accounts, when tokens used for publishing were found.

According to application security company Socket, the hackers published 639 malicious versions across 323 unique packages in about one hour. Some of the impacted libraries include:

  • echarts-for-react
  • @antv/g2
  • @antv/g6
  • @antv/x6
  • @antv/l7
  • @antv/g2plot
  • @antv/graphin
  • timeago.js
  • size-sensor
  • canvas-nest.js

Endor Labs researchers highlight that some of the packages (e.g., timeago.js, size-sensor, and jest-canvas-mock) had not received a legitimate update for a long time and were less likely to have their OIDC trusted publishing security feature configured.

For instance, although the jest-canvas-mock still has10 million monthly downloads, it has been dormant for about 3 years.

Socket researchers maintain a list of package artifacts affected by all Shai-Hulud attack, which has grown to more than 1,000 entries.

The Shai-Hulud campaigns started last September and continue to affect multiple software ecosystems, such as npm, PyPI, and Composer to a lesser degree.

The malware compromises maintainer accounts or publishing tokens to push legitimate packages with malicious code that steals developer and CI/CD secrets, and can spread to other projects using the stolen credentials.

The latest wave involves the injection of a heavily obfuscated ‘index.js’ payload that attempts to steal GitHub, npm, cloud, Kubernetes, Vault, Docker, database, and SSH credentials.

It primarily targets developer workstations and CI/CD environments, including GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, Netlify, and other build platforms.

The stolen data is serialized, Gzip-compressed, AES-256-GCM-encrypted, and RSA-OAEP-wrapped to make network inspection harder.

When GitHub credentials are available, the malware uses the GitHub API to automatically create new repositories under the victim’s account and upload the stolen data to them.

Socket has found 1,900 publicly visible GitHub repositories matching the campaign’s markers. However, a newer report from software security platform Aikido notes that the attacker has already published more than 2,700 rogue repositories on GitHub using stolen tokens.

Shai-Hulud-generated GitHub repositories
Source: Socket

One key new addition in this latest Shai Hulud variant, according to Endor Labs, is its ability to generate valid Sigstore provenance attestations by abusing OIDC tokens from compromised CI environments and submitting them to Fulcio and Reko.

As a result, malicious npm packages may appear legitimately signed and pass standard provenance verification checks despite containing credential-stealing malware.

The self-propagation capability is present in this attack too. The malware validates stolen npm tokens, enumerates packages owned by the victim, downloads the tarballs, injects the malicious payload, and republishes infected packages with bumped version numbers.

Given that Shai Hulud's code was recently leaked on GitHub by the TeamPCP threat group, and has already been used in attacks, attribution of the new Shai-Hulud campaign is more difficult.

Socket says this variant differs technically from earlier Mini Shai-Hulud payloads but shares the same operational characteristics.

“The AntV payloads differ from earlier Mini Shai-Hulud artifacts such as TanStack’s router_init.js and Intercom-related router_runtime.js payloads,” explains Socket.

“The AntV sample uses a root-level index.js, a different primary C2 endpoint, and a smaller payload body. However, the core operational model is consistent.”

Developers who downloaded any of the infected npm packages should uninstall them immediately, and rotate all secrets within reach of the infected systems.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.

This guide covers the 6 surfaces you actually need to validate.

Download Now