Sha1-Hulud: The Second Coming of the NPM Worm is Digging For Secrets
Blog post from Semgrep
In September, security teams saw a wave of npm supply chain compromises caused by the Shai-Hulud malware, which has since evolved into a more aggressive variant. The new version still hunts for secrets but now also establishes persistence through GitHub Actions. Over 525 packages have been compromised, together accounting for 132 million monthly downloads.

The malware uses TruffleHog to collect secrets, targeting AWS, Google Cloud Platform, Azure, GitHub, and npm tokens. It spreads by compromising npm maintainers, harvesting their npm tokens, and publishing new, infected versions of the packages they maintain. Two new scripts, "setup_bun.js" and "bun_environment.js", are added to infected repositories to carry out propagation and secret exfiltration. The malware also plants a backdoor in the form of a vulnerable GitHub Action, which lets the attackers execute arbitrary code.

Affected users are advised not to upgrade npm dependencies to versions from compromised packages, to rotate credentials, and to use tools like Semgrep to identify vulnerabilities. The persistence mechanism via GitHub Actions and the worm's ability to self-propagate make it significantly more dangerous, so organizations should audit their security controls and remove any unauthorized access points.