A sophisticated and widespread supply chain attack has struck the NPM ecosystem, compromising the popular @ctrl/tinycolor package, which is downloaded over 2 million times per week. The attack also affected more than 40 other packages from various maintainers, introducing dangerous self-propagating malware designed to steal developer credentials and spread itself across the software landscape.

The incident came to light after users discovered suspicious activity on GitHub and promptly alerted the open-source community. The malicious versions, identified as 4.1.1 and 4.1.2 of @ctrl/tinycolor, were quickly removed from the NPM registry, but not before they were distributed.

Security analysts from StepSecurity later provided a detailed technical breakdown of the attack, confirming its severity and unique propagation method.
Self-Spreading Malware Infects NPM Packages
What sets this attack apart is its automated, worm-like behavior. The malware contains a “self-propagation engine” that actively seeks out and infects other software packages. Once a developer’s machine is compromised, the malware uses a function named NpmModule.updatePackage to inject its malicious code into other projects maintained by the same author. This creates a cascading effect, allowing the threat to spread rapidly through the interconnected web of software dependencies without further manual intervention from the attackers.
The primary goal of the malware is aggressive credential harvesting. The attackers repurposed a legitimate secret-scanning tool, TruffleHog, to hunt for sensitive information on compromised systems. It specifically targets a wide range of valuable developer secrets, including:
- NPM authentication tokens
- GitHub personal access tokens
- Amazon Web Services (AWS) access keys
- Google Cloud Platform (GCP) service credentials
- Microsoft Azure credentials
To ensure its persistence, the malware creates a malicious GitHub Actions workflow file named .github/workflows/shai-hulud-workflow.yml. This file allows the attackers to maintain access to compromised repositories, potentially re-infecting them or exfiltrating more data over time. All stolen data was funneled to a publicly exposed endpoint on the webhook.site service.
Mitigations
In response to this critical threat, security experts are urging developers and organizations to take immediate action.
The first step is to check all projects for the presence of the compromised packages and their malicious versions. If found, they should be removed or downgraded to a safe version immediately.
Given the malware’s extensive credential-stealing capabilities, rotating all potentially exposed secrets is crucial. This includes NPM tokens, GitHub access tokens, and all cloud provider credentials (AWS, Azure, GCP) that may have been present on development or CI/CD systems.
Finally, a thorough audit of infrastructure is recommended. Developers should scan their repositories for the malicious shai-hulud-workflow.yml file, review recent NPM publishing activity for any unauthorized package releases, and monitor outbound network traffic for any connections to the known exfiltration endpoint.
Based on the information available at the time of writing, the compromised packages and their affected versions are listed below.
Affected Package | Malicious Version(s) |
---|---|
@ctrl/tinycolor | 4.1.1, 4.1.2 |
@ctrl/deluge | 7.2.2 |
angulartics2 | 14.1.2 |
@ctrl/golang-template | 1.4.3 |
@ctrl/magnet-link | 4.0.4 |
@ctrl/ngx-codemirror | 7.0.2 |
@ctrl/ngx-csv | 6.0.2 |
@ctrl/ngx-emoji-mart | 9.2.2 |
@ctrl/ngx-rightclick | 4.0.2 |
@ctrl/qbittorrent | 9.7.2 |
@ctrl/react-adsense | 2.0.2 |
@ctrl/shared-torrent | 6.3.2 |
@ctrl/torrent-file | 4.1.2 |
@ctrl/transmission | 7.3.1 |
@ctrl/ts-base32 | 4.0.2 |
encounter-playground | 0.0.5 |
json-rules-engine-simplified | 0.2.4 |
@nativescript-community/gesturehandler | 2.0.35 |
@nativescript-community/sentry | 4.6.43 |
@nativescript-community/text | 1.6.13 |
@nativescript-community/ui-collectionview | 6.0.6 |
@nativescript-community/ui-drawer | 0.1.30 |
@nativescript-community/ui-image | 4.5.6 |
@nativescript-community/ui-material-bottomsheet | 7.2.72 |
@nativescript-community/ui-material-core | 7.2.76 |
@nativescript-community/ui-material-core-tabs | 7.2.76 |
ngx-color | 10.0.2 |
ngx-toastr | 1.9.0.2 |
ngx-trend | 8.0.1 |
react-complaint-image | 0.0.35 |
react-jsonschema-form-conditionals | 0.3.21 |
react-jsonschema-form-extras | 1.0.4 |
rxnt-authentication | 0.0.6 |
rxnt-healthchecks-nestjs | 1.0.5 |
rxnt-kue | 1.0.7 |
swc-plugin-component-annotate | 1.9.2 |
ts-gaussian | 3.0.6 |