Malicious worm compromises crypto domains in supply-chain attack
Summary
Security firm Aikido detected a second, larger wave of the Shai-Hulud self-replicating npm worm on November 24, compromising 492 packages with 132 million monthly downloads across major ecosystems like AsyncAPI, PostHog, Postman, Zapier, and ENS. The attack exploited the final weeks before npm's deadline to revoke legacy authentication tokens. The worm installs the Bun runtime, searches developer environments for secrets using TruffleHog, and publishes stolen credentials to public repositories. A significant evolution is the addition of a destructive payload: if the malware cannot authenticate with GitHub or npm, it wipes all files in the user’s home directory. Evidence suggests the attacker gained write access to source repositories, such as AsyncAPI’s CLI repository, rather than just hijacking npm tokens. Aikido estimates over 26,300 GitHub repositories now contain exposed credentials marked by the attacker. Mitigation involves auditing dependencies from affected ecosystems, rotating all secrets, and disabling npm postinstall scripts in CI pipelines.
(Source: CryptoSlate)