A new supply-chain attack has compromised multiple npm packages maintained by the crowdstrike-publisher account, marking a worrying continuation of the so-called "Shai-Hulud" campaign.
Developers and organizations using these packages should take immediate action to safeguard credentials and prevent unauthorized code execution.
The Shai-Hulud attack first drew attention when it infiltrated @ctrl/tinycolor and over 40 other npm libraries.
In each case, threat actors injected a malicious bundle.js script into the published package; it runs its payload at install time, without any action by the developer.
The latest incident mirrors the earlier compromises: a malicious payload downloads and runs TruffleHog, a legitimate tool designed to scan for secrets, and then uses it to scour the host system for tokens, API keys, and cloud credentials.

After collecting valid developer and continuous integration secrets, the malware creates unauthorized GitHub Actions workflows in affected repositories.
Finally, it exfiltrates the harvested secrets to a hardcoded webhook endpoint, hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7, with the whole chain driven by a single orchestration script identified by SHA-256 hash 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09.
Affected Packages and Versions
The npm registry swiftly removed compromised versions once the malicious activity was detected.
Confirmed affected packages include core CrowdStrike offerings and several Ember and utility libraries.
Notable examples are @crowdstrike/commitlint versions 8.1.1 and 8.1.2, @crowdstrike/falcon-shoelace 0.4.2, @crowdstrike/foundry-js 0.19.2, and @crowdstrike/glide-core 0.34.2 and 0.34.3.
Package Name | Affected Version(s) |
---|---|
@crowdstrike/commitlint | 8.1.1, 8.1.2 |
@crowdstrike/falcon-shoelace | 0.4.2 |
@crowdstrike/foundry-js | 0.19.2 |
@crowdstrike/glide-core | 0.34.2, 0.34.3 |
@crowdstrike/logscale-dashboard | 1.205.2 |
@crowdstrike/logscale-file-editor | 1.205.2 |
@crowdstrike/logscale-parser-edit | 1.205.1, 1.205.2 |
@crowdstrike/logscale-search | 1.205.2 |
@crowdstrike/tailwind-toucan-base | 5.0.2 |
Beyond the scoped packages in the table, the same malicious release wave hit unscoped libraries published from the same account: browser-webdriver-downloader 3.0.8, various Ember utilities, eslint-config-crowdstrike modules, monorepo-next 13.0.2, remark-preset-lint-crowdstrike 4.0.2, verror-extra 6.0.1, and yargs-help-output 5.0.3.
Each of these packages contained the same bundle.js payload responsible for the credential theft and exfiltration.
Organizations using any of the compromised npm packages should remove them immediately, checking lockfiles for transitive copies and not only direct dependencies, or pin to a previously known-good version until clean releases are confirmed.
A CrowdStrike spokesperson told GBHackers on Security, “After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”
It is critical to audit every environment, developer workstations and CI/CD agents alike, for signs of unauthorized npm publishes or unexpected GitHub Actions workflow additions.
Teams must rotate npm authentication tokens, cloud credentials, and any other secrets that were reachable from an affected machine or CI runner, since those are exactly what the TruffleHog stage collects. Monitoring logs for unusual publish events or package modifications will help detect further malicious activity.
CrowdStrike and npm maintainers are collaborating on a complete technical analysis, which will include detailed breakdowns of propagation mechanisms and remediation steps.