Dozens of npm libraries, including a color library with over 2 million downloads a week, have been replaced with novel self-replicating credential-stealing code in yet another wave of a supply chain attack that again stresses the need for contributors to open source repositories to better protect their login credentials from being hacked.
Developers who use open source code are urged to check their GitHub accounts now to make sure they haven’t downloaded this malware.
‘Not just another bad day’
This represents “a major escalation in npm ecosystem threats,” said researchers at StepSecurity.
The malware self-propagates across maintainer packages, harvests AWS/GCP/Azure credentials using TruffleHog and establishes persistence through GitHub Actions backdoors, they said.
“This is not just another bad day on npm,” added Tomislav Pericin, chief software architect at ReversingLabs. “This is a new frontier of self-replicating malware in open source.”
Researchers at Socket and at Ox Security noted that multiple packages published in npm by security vendor CrowdStrike were among those compromised.
By now, affected libraries have been removed by the npm registry. But the risk is that app developers have already included the malware in their software, which then spreads to hundreds or thousands of users.
More than 40 packages affected
One of the researchers who found and flagged the hack Monday was French developer François Best, and it was also described in blogs from StepSecurity, Socket, ReversingLabs and Ox Security. These blogs contain a full list of compromised packages and indicators of compromise.
Researchers at Israel-based Ox Security said there was a brief time window of only a few hours before the malware was discovered and blocked. During that period, however, it could have been downloaded by unwitting developers.
According to researchers, attackers trojanized over 40 packages in npm including:
- @ctrl/tinycolor versions 4.1.1 and 4.1.2. It’s a lightweight JavaScript library and API that helps developers customize color in their apps, popular enough that it is downloaded more than 2 million times a week;
- ngx-bootstrap (300,000 weekly downloads);
- ng2-file-upload (100,000 weekly downloads).
If developers have downloaded any of the affected libraries in the past few days, they should remove those versions and rebuild from a clean cache/artifact source. In addition they should rotate/revoke and replace credentials used on any affected machine.
In particular, GitHub users should look for and remove a new repo named “Shai-Hulud.”
Malware repo found in compromised accounts
In an interview, Ox Security researcher Moshe Siman Tov Bustan said he assumed that one developer who contributes to npm fell for a phishing lure, which led to their credentials being stolen.
He described the malware as “very bad” because it steals credentials for AWS, Google Cloud, and Azure.
He said that Ox Security has found 34 compromised GitHub accounts which contain the Shai-Hulud repository. Inside it is a file called “data.json” containing all of the compromised information the attacker uploaded to the victim’s GitHub account.
He advised development teams to start enforcing hardware-based two-factor authentication to make it tougher to steal a developer’s credentials, to create short-lived tokens, enforce off-by-default install scripts in continuous integration environments, create a cool-down period before application adoption, and enforce an organization-wide review of new package versions. Pairing these practices with a software bill of materials inventory with automated blocklists provides even better protection.
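The remediation steps above (remove affected versions, rebuild from a clean cache) and the cool-down recommendation can both be checked mechanically. The following Node script is an added example, not code from the article or from any of the vendors it cites: it scans an npm lockfile (v2/v3 layout) for the @ctrl/tinycolor versions the article names, flags the other named packages for manual review because the article gives no versions for them, and applies a minimum-publish-age rule to registry "time" metadata. The sample lockfile and publish dates are constructed for the demo.

```javascript
// Added example: lockfile scan + publish-age cool-down (not the article's code).

// Versions the article names as trojanized. Only @ctrl/tinycolor has versions
// on the page; the other two are flagged for review against vendor IoC lists.
const COMPROMISED = { "@ctrl/tinycolor": ["4.1.1", "4.1.2"] };
const REVIEW_ONLY = new Set(["ngx-bootstrap", "ng2-file-upload"]);

// Lockfile v2/v3 keys entries as "node_modules/<name>", nested deps as
// ".../node_modules/<name>"; scoped names keep their "@scope/" prefix.
function packageName(lockKey) {
  const i = lockKey.lastIndexOf("node_modules/");
  return i === -1 ? null : lockKey.slice(i + "node_modules/".length);
}

// Return one {name, version, reason} per lockfile entry that needs action.
function scanLockfile(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name) continue; // "" is the root project itself
    if ((COMPROMISED[name] || []).includes(entry.version)) {
      hits.push({ name, version: entry.version,
        reason: "compromised: remove, rebuild from clean cache, rotate credentials" });
    } else if (REVIEW_ONLY.has(name)) {
      hits.push({ name, version: entry.version,
        reason: "named in reports: check version against vendor IoC list" });
    }
  }
  return hits;
}

// Cool-down rule: reject a version published less than minAgeDays before `now`.
// `publishTimes` mirrors the registry's "time" map (version -> ISO 8601 date);
// an unknown version is treated as too fresh rather than silently allowed.
function tooFresh(publishTimes, version, minAgeDays, now = Date.now()) {
  const published = Date.parse(publishTimes[version]);
  return Number.isNaN(published) || now - published < minAgeDays * 86400000;
}

// Constructed sample lockfile (not a real project); versions other than the
// two tinycolor releases are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.2" },
    "node_modules/ngx-bootstrap": { version: "0.0.0-constructed" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
```

Run `scanLockfile(JSON.parse(fs.readFileSync("package-lock.json")))` against a real project to get the action list; `tooFresh` takes the `time` object from `npm view <pkg> time --json`.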
npm a continuing target
npm and other open source code repositories are targets of threat actors because, once compromised, an account can provide an easy way to spread malware.
Last week it was reported that a massive attack had compromised 18 highly popular npm packages which collectively were downloaded 2 billion times a week. In July, another hack targeted a range of npm-hosted JavaScript type testing utilities.
Advice to CISOs
From a CISO’s perspective, there are two different threats associated with this attack, Johannes Ullrich, dean of research at the SANS Institute, told CSOonline.
First, if the organization develops software internally, the CISO needs to understand that developers are targeted, and a compromised developer’s workstation can compromise the entire software supply chain. Developers and their workstations need tailored security solutions. Most out-of-the-box solutions will not account for the special needs and threats developers face, he said.
Second, any organization consuming software needs to harden its software supply chain. This requires strong supplier relationships and monitoring, as well as an understanding of the software supply chain risk.
“Stepping back from the particular attack, it yet again demonstrates that phishing, if done right, can successfully target even technically more competent employees like developers,” Ullrich said. “CISOs must insist on implementing phishing-resistant authentication wherever possible.”
Robert Beggs, head of Canadian incident response firm Digital Defence, added that the attack is a call to ensure that GitHub instances have been hardened (removal of unnecessary applications, verification of deploy keys for all projects, GitHub Secret Scanning alerts turned on) and that monitoring is in place.
He said it also reinforces the usefulness of records such as those in a software bill of materials. “Organizations have to ensure that they are prepared to respond to future attacks, which will no doubt be more complex than the npm attack,” he said.