#Breaking There's an active nodejs supply chain attack going around.
-
Ok I've downloaded some of the compromised packages and you can search your already downloaded node modules for possibly infected packages using this command:
find ./node_modules -type f -name "bun_environment.js"
You can check your user level node cache using:
find ~/.npm -type f -name "bun_environment.js"
Still sizing this one up but if you get any hits check and see if they are big files (around 10MB) and if so you're likely infected.
I've spent the last few hours writing down my scripts for detecting this so you can use them!
I'm hitting on two or three ways to detect it and will be adding more.
Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned
Maybe let the node developers in your life know about this tool
https://github.com/datapartyjs/walk-without-rhythm
#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity
-
I've spent the last few hours writing down my scripts for detecting this so you can use them!
I'm hitting on two or three ways to detect it and will be adding more.
Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned
Maybe let the node developers in your life know about this tool
https://github.com/datapartyjs/walk-without-rhythm
#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity
First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.
If it sees anything fishy it tells you where and stops until you've read the alert.
Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴
https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects
#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript
-
First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.
If it sees anything fishy it tells you where and stops until you've read the alert.
Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴
https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects
#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript
At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.
You can find that info under `reports/`
I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.
#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
-
At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.
You can find that info under `reports/`
I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.
#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
Woot ok now that I have the dependency graph crawled I can just ship the listing of known bad NPM packages and just compare directly against that.
I updated the scanning script to alert if you have -any- version of an infected package.
You're gonna want to be very careful if you're not infected but have one of these dependencies present.
https://github.com/datapartyjs/walk-without-rhythm/blob/main/data/infected-pkgs-versions.txt
#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
-
Woot ok now that I have the dependency graph crawled I can just ship the listing of known bad NPM packages and just compare directly against that.
I updated the scanning script to alert if you have -any- version of an infected package.
You're gonna want to be very careful if you're not infected but have one of these dependencies present.
https://github.com/datapartyjs/walk-without-rhythm/blob/main/data/infected-pkgs-versions.txt
#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
What's the big deal with this worming supply chain attack?
Well it seems that the attackers may have forced GitHub and NPM into inaction.
The worm is designed to take revenge on infected users if too many of the infected packages are taken off NPM or if GitHub takes down the stolen user data.
So in the mean time that means us developers and users will need to stop and remove the infection as quickly as possible ourselves to protect your systems.
https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
-
What's the big deal with this worming supply chain attack?
Well it seems that the attackers may have forced GitHub and NPM into inaction.
The worm is designed to take revenge on infected users if too many of the infected packages are taken off NPM or if GitHub takes down the stolen user data.
So in the mean time that means us developers and users will need to stop and remove the infection as quickly as possible ourselves to protect your systems.
https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.
Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day(to you know, make money) but instead I'm doing worm mitigation
https://ko-fi.com/nullagent
https://ko-fi.com/dataparty#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm
-
If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.
Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day(to you know, make money) but instead I'm doing worm mitigation
https://ko-fi.com/nullagent
https://ko-fi.com/dataparty#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm
Making my morning rounds and I can see thath there are STILL infected packages that were already detected by cybersecurity analyst available on NPM this morning.
So I'm taking the time to go and personally message teams that haven't taken down their hacked packages.
Tracking that work with these two issues. I'm both manually spot checking the list and working on a script to automate that check. Moar PRs soon . . .
https://github.com/datapartyjs/walk-without-rhythm/issues/13
https://github.com/datapartyjs/walk-without-rhythm/issues/12
-
Making my morning rounds and I can see thath there are STILL infected packages that were already detected by cybersecurity analyst available on NPM this morning.
So I'm taking the time to go and personally message teams that haven't taken down their hacked packages.
Tracking that work with these two issues. I'm both manually spot checking the list and working on a script to automate that check. Moar PRs soon . . .
https://github.com/datapartyjs/walk-without-rhythm/issues/13
https://github.com/datapartyjs/walk-without-rhythm/issues/12
Checking back in on my GitHub query and the stolen data is STILL showing up on github.
I can tell github looks to be deleting the repos a -little- bit faster than they are created. There's still over 15k repos full of stolen credentials and PII available for public download.
I've also noticed some new behavior I hadn't seen before where the worm is now making commits look like Linus Torvalds wrote them. Clearly a delay tactic.
-
Checking back in on my GitHub query and the stolen data is STILL showing up on github.
I can tell github looks to be deleting the repos a -little- bit faster than they are created. There's still over 15k repos full of stolen credentials and PII available for public download.
I've also noticed some new behavior I hadn't seen before where the worm is now making commits look like Linus Torvalds wrote them. Clearly a delay tactic.
Found some other threat hunters online and checked in with them about this new behavior. They confirm that they also noticed the worm getting updates.
According to our conversation it appears that the ShalHulud worm is using GitHub discussions as a C2. The attacker is then able to likely use stolen credentials to post comments which will update the behavior of the worm.
So we're dealing with an active worm and it might form a full blown botnet if mitigations aren't continued to ramp up.
-
Found some other threat hunters online and checked in with them about this new behavior. They confirm that they also noticed the worm getting updates.
According to our conversation it appears that the ShalHulud worm is using GitHub discussions as a C2. The attacker is then able to likely use stolen credentials to post comments which will update the behavior of the worm.
So we're dealing with an active worm and it might form a full blown botnet if mitigations aren't continued to ramp up.
I located a second tool for detecting Sha1-Hulud infections. Haven't looked at the details of how it works.
Some notes:
This one appears to have been released by CrowdStrike and was paywalled. Someone decided to modify and release it publicly so license is unknown.
But awesome to see I'm in the big leagues with CrowdStrike and I maybe the first clean open source release of a tool for this.
https://github.com/TimothyMeadows/sha1hulud-scanner
#Sha1Hulud #Sha1HuludScanner #NPM #nodejs #cybersecurity #opensource
-
I located a second tool for detecting Sha1-Hulud infections. Haven't looked at the details of how it works.
Some notes:
This one appears to have been released by CrowdStrike and was paywalled. Someone decided to modify and release it publicly so license is unknown.
But awesome to see I'm in the big leagues with CrowdStrike and I maybe the first clean open source release of a tool for this.
https://github.com/TimothyMeadows/sha1hulud-scanner
#Sha1Hulud #Sha1HuludScanner #NPM #nodejs #cybersecurity #opensource
The fork of the CrowdStrike scanner introduced me to a really good idea, I should support the same exit code design so that our tools can work in tandem.
Maybe we detect different things or maybe one vs the other works in your environment.
So I made an issue to track this support:
https://github.com/datapartyjs/walk-without-rhythm/issues/18
#CrowdStrike #Sha1HuludScanner #WalkWithoutRhythm #cybersecurity #npm #nodejs
-
The fork of the CrowdStrike scanner introduced me to a really good idea, I should support the same exit code design so that our tools can work in tandem.
Maybe we detect different things or maybe one vs the other works in your environment.
So I made an issue to track this support:
https://github.com/datapartyjs/walk-without-rhythm/issues/18
#CrowdStrike #Sha1HuludScanner #WalkWithoutRhythm #cybersecurity #npm #nodejs
Just finished landing Exit Code support. So now if more scanners are made or one of the projects gets more features you can quickly switch to whichever makes the most sense for your use case!
I literally lost a ton of sleep on this volunteer incident response work so I'm going to go touch grass for a bit.
More hacks later tonight, still got some loose ends gnawing at me lol.
https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#how-to-use
#nodejs #npm #javascript #Sha1Hulud #WalkWithoutRhythm #Sha1HuludScanner #cybersecurity
-
Just finished landing Exit Code support. So now if more scanners are made or one of the projects gets more features you can quickly switch to whichever makes the most sense for your use case!
I literally lost a ton of sleep on this volunteer incident response work so I'm going to go touch grass for a bit.
More hacks later tonight, still got some loose ends gnawing at me lol.
https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#how-to-use
#nodejs #npm #javascript #Sha1Hulud #WalkWithoutRhythm #Sha1HuludScanner #cybersecurity
I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).
Linked them all from my readme in case those work better for you.
Best way to beat a worm like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.
By using more than one hopefully we make the attackers job harder to evade all of us.
https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools
#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft
-
I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).
Linked them all from my readme in case those work better for you.
Best way to beat a worm like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.
By using more than one hopefully we make the attackers job harder to evade all of us.
https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools
#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft
GitHub has almost finished taking down the stolen data posted by the Sha1-Hulud npm/github worm. I only see about 400 repos remaining of the around 23k created by the worm.
This was the most visible evidence of the exploit, just because we can't clearly see the worm's uploads doesn't mean the worm is totally dead yet.
-
GitHub has almost finished taking down the stolen data posted by the Sha1-Hulud npm/github worm. I only see about 400 repos remaining of the around 23k created by the worm.
This was the most visible evidence of the exploit, just because we can't clearly see the worm's uploads doesn't mean the worm is totally dead yet.
Now that the acute phase is over there's a VERY important question...
What is the actual fucking value does Microsoft (a trillion dollar company) owning GitHub & NPM bring at all?
This shit was an absolute corporate buyout disaster. How the ever living fuck has microsoft owned NPM for FIVE years and still not done proper MFA requirements for publishing packages on NPM.
How the actual fuck are well known vulnerable packages STILL being propagated by NPM.
-
Now that the acute phase is over there's a VERY important question...
What is the actual fucking value does Microsoft (a trillion dollar company) owning GitHub & NPM bring at all?
This shit was an absolute corporate buyout disaster. How the ever living fuck has microsoft owned NPM for FIVE years and still not done proper MFA requirements for publishing packages on NPM.
How the actual fuck are well known vulnerable packages STILL being propagated by NPM.
And to be clear this is NOT an all clear just yet. Why?
1. There remain known malicious packages STILL available for download on NPM (and I can see evidence of active downloads)
https://partyon.xyz/@nullagent/115607663085751105
2. Infected computers and servers are STILL posting stolen PII to public githubs for the world to see. GitHub has just gotten a tad faster at taking them down.
https://partyon.xyz/@nullagent/115607844583101135
So this is a smoldering fire still and we need to stay vigilant.
-
And to be clear this is NOT an all clear just yet. Why?
1. There remain known malicious packages STILL available for download on NPM (and I can see evidence of active downloads)
https://partyon.xyz/@nullagent/115607663085751105
2. Infected computers and servers are STILL posting stolen PII to public githubs for the world to see. GitHub has just gotten a tad faster at taking them down.
https://partyon.xyz/@nullagent/115607844583101135
So this is a smoldering fire still and we need to stay vigilant.
These sorts of NPM worms have been around for a LONG time.
It's typically due a common practice of low 2fa opt-in on NPM accounts.
So be sure to setup NPM 2FA if you're a package maintainer do that asap!
A lesser known NPM capability is that you can disable install time scripts. This may break some packages but its worth a try to see if your projects can work with out any install scripts.
https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
-
P pelle@veganism.social shared this topic
