ReversingLabs discovers “Shai-hulud,” a self-replicating computer worm on the npm open-source registry. Learn how the malware steals developer secrets, exposes private code, and spreads through popular packages like ngx-bootstrap and @ctrl/tinycolor.
A new and dangerous self-replicating computer worm, named Shai-hulud, has been discovered on the Node Package Manager (npm) open-source registry (a huge library where developers share and use pieces of JavaScript code).
Security firm ReversingLabs (RL), which shared its findings with Hackread.com, identified the worm on September 15, claiming that this is the first time a worm of this kind has been found on the platform. The name Shai-hulud comes from the malicious code’s own repository and is a nod to the giant sandworms from the popular sci-fi series “Dune.”
Shai-hulud spreads by taking over a developer’s npm account and secretly adding harmful code to the public and private packages that developer maintains. Once a package is infected, it can then spread the worm to anyone who downloads and uses it.
This makes it especially dangerous because many software projects rely on packages from the npm network. A single compromised package can quickly infect a wide network of other projects.
A Widespread Attack
The first compromised package, rxnt-authentication, was infected on September 14, so its maintainer, techsupportrxnt, is considered Patient Zero for this campaign, the term for the first person or system identified as the source of an infection.
As the RL research team continues to track the issue, hundreds of npm packages have already been compromised, some of which are very popular, boasting millions of weekly downloads. For example, the worm has infected ngx-bootstrap, which has 300,000 weekly downloads, and @ctrl/tinycolor, with 2.2 million weekly downloads, making this a high-impact security breach.
What the Worm Does
The Shai-hulud worm steals important information such as cloud service tokens and private code. It specifically targets keys for services like npm, GitHub, AWS, and GCP (Google Cloud Platform). The research also reveals the worm installs TruffleHog, a legitimate open-source secret-scanning tool, which can detect more than 800 different types of secrets.
Moreover, it can make a user’s private code libraries on GitHub public. A recent search for these “migrated” repositories yielded close to 700 results, exposing a large amount of proprietary code.

While the exact initial cause of the attack isn’t known, ReversingLabs notes its methods are similar to a previous campaign in August, suggesting the attackers may have used social engineering or exploited vulnerabilities in developer tools.
ReversingLabs has been reaching out to as many affected developers as possible, but because the worm is spreading so fast, it’s impossible to warn everyone. The company advises developers to check their public GitHub accounts for any suspicious activity, such as new repositories they didn’t create or private repositories that have suddenly been made public.
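To make that advice concrete, here is an added audit script (not ReversingLabs’ code or the worm’s) that compares a GitHub account’s public repository listing against an inventory the owner keeps and flags the indicators the article describes: repositories the owner did not create, previously private repositories that are now public, and “migrated” naming. The owner-kept inventory, the `since` cutoff date and the `migrated` keyword are assumptions; the sample listing is constructed.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Real GitHub REST endpoint listing a user's public repositories (one page of up to 100).
REPOS_URL = "https://api.github.com/users/{user}/repos?per_page=100&sort=created"

def fetch_public_repos(user, token=None):
    """Fetch the public repository list for `user` as returned by the GitHub API."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(REPOS_URL.format(user=user), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def audit_public_repos(public_repos, inventory, since, keyword="migrated"):
    """Return {repo_name: [reasons]} for every public repo matching an indicator.

    inventory: {name: was_private} recorded by the owner beforehand (assumption: the
               public listing alone cannot tell you which repos *used* to be private).
    since:     timezone-aware cutoff; repos created on or after it are unexpected.
    keyword:   substring matching the "migrated" naming the article describes.
    """
    findings = {}
    for repo in public_repos:
        name = repo["name"]
        created = datetime.fromisoformat(repo["created_at"].replace("Z", "+00:00"))
        text = f"{name} {repo.get('description') or ''}".lower()
        reasons = []
        if name not in inventory:
            reasons.append("repository not in owner's inventory")
        elif inventory[name]:
            reasons.append("previously private repository is now public")
        if created >= since:
            reasons.append(f"created on or after {since.date()} ({repo['created_at']})")
        if keyword in text:
            reasons.append(f"name/description contains '{keyword}'")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample listing and inventory; dates and names are illustrative only.
SAMPLE_REPOS = [
    {"name": "my-cli", "description": "CLI tool", "created_at": "2024-03-01T10:00:00Z"},
    {"name": "internal-billing", "description": "migrated from private", "created_at": "2023-07-12T09:30:00Z"},
    {"name": "unknown-repo", "description": None, "created_at": "2025-09-15T02:14:00Z"},
]
SAMPLE_INVENTORY = {"my-cli": False, "internal-billing": True}
SINCE = datetime(2025, 9, 14, tzinfo=timezone.utc)

def run_sample():
    return audit_public_repos(SAMPLE_REPOS, SAMPLE_INVENTORY, SINCE)

if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(name, "->", "; ".join(reasons))
```

Replace `SAMPLE_REPOS` with `fetch_public_repos("your-user")` to audit a live account; any flagged repository should be checked by hand and its tokens rotated if it turns out to be unexpected.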