No items found.
September 19, 2025
·
0
Minutes Read

Supply Chain Attack Targeting Several NPM Packages to Harvest Credentials

Advisory
September 19, 2025
·
0
Minutes Read

Supply Chain Attack Targeting Several NPM Packages to Harvest Credentials

This is some text inside of a div block.
This is some text inside of a div block.
·
0
Minutes Read
Kudelski Security Team
Find out more
table of contents
Share on
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Summary

A coordinated supply chain attack has compromised more than 40 NPM packages, including several published under the CrowdStrike publisher account.

The attack works by injecting a malicious script, bundle.js, into selected packages. The injection process involves downloading a package tarball, modifying its package.json to include the malicious script, then repackaging and publishing the trojanized version.

The malware specifically targets the following systems to harvest credentials:

  • GitHub personal access tokens
  • AWS access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • Google Cloud Platform service credentials
  • Azure credentials
  • Cloud metadata endpoints
  • NPM authentication tokens

Regarding the affected packages these were quickly removed by the npm registry.

It is important to note that, In the case of CrowdStrike-affected packages, the malicious versions were also removed, and a monitoring alert has been issued. CrowdStrike is actively watching the sitaution.

Affected Systems and/or Applications

The attack primarily targets the following NPM packages.

Regarding CrowdStrike npm packages, they have issued a Tech Alert named NPM Package in Public Registries:

"After detecting several malicious Node Package Manager (NPM) packages in the public PM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation. This tech alert will be updated with the results of our investigation and updates as we have them."

Below is the affected list. These were publised under crowdstrike-publisher npm account.

  • @crowdstrike/commitlint8.1.1
  • @crowdstrike/commitlint8.1.2
  • @crowdstrike/falcon-shoelace0.4.2
  • @crowdstrike/foundry-js0.19.2
  • @crowdstrike/glide-core0.34.2
  • @crowdstrike/glide-core0.34.3
  • @crowdstrike/logscale-dashboard1.205.2
  • @crowdstrike/logscale-file-editor1.205.2
  • @crowdstrike/logscale-parser-edit1.205.1
  • @crowdstrike/logscale-parser-edit1.205.2
  • @crowdstrike/logscale-search1.205.2
  • @crowdstrike/tailwind-toucan-base5.0.2
  • browser-webdriver-downloader3.0.8
  • ember-browser-services5.0.3
  • ember-headless-form-yup1.0.1
  • ember-headless-form1.1.3
  • ember-headless-table2.1.6
  • ember-url-hash-polyfill1.0.13
  • ember-velcro2.2.2
  • eslint-config-crowdstrike-node4.0.4
  • eslint-config-crowdstrike11.0.3
  • monorepo-next13.0.2
  • remark-preset-lint-crowdstrike4.0.2
  • verror-extra6.0.1
  • yargs-help-output5.0.3

Technical Details

1. Package Compromise / Injection

  • a popular package is modi!ed to include a large mini!ed JavaScript bundle often named bundle.js. This is done via a hijacked postinstall script in the package’s package.json. The script causes execution of that bundle during npm install.

2. Reconnaissance & Environment Pro!ling

  • Once executed, the malware first checks the operating system. It collects environment variables (process.env) including tokens, credentials, etc.

3. Secret / Credential Harvesting

  • Downloads and executes TruffeHog, a legitimate secret scanner.
  • TruffeHog scans filesystem for high-entropy strings (e.g. AWS keys, other secrets).
  • Use of cloud provider APIs / SDKs to list & retrieve secrets: AWS Secrets, GCP Secret Manager
  • Capturing NPM authentication tokens, GitHub tokens, environment variables etc.StepSecurity

4. Propagation / Lateral Movement in NPM

  • The malware identifies other packages owned by the same maintainer (via NPM registry API) and forces patch-publishing of those packages, injecting the malicious code there. This enables a cascading compromise.

5. Persistence via GitHub Actions Backdoor

  • The attack introduces unauthorized GitHub Actions workflows into repositories, via creating a malicious work$ow !le. This work$ow triggers on pushes, captures repository secrets and exfiltrates them to a hard-coded webhook or C2.

6. Data Exfiltration

  • The collected secrets, credentials, environment data, cloud secrets etc. are packed into JSON payloads. Then exfiltrated either directly (via HTTP/S POST to webhook) or by creating public GitHub repositories (e.g. Shai-Hulud) via GitHub’s API.

Mitigation

To reduce risk from the ongoing NPM supply chain attacks, including those impersonating CrowdStrike packages, implement the following mitigation strategies:

1. Rotate All Tokens & Keys:

  • NPM publish tokens, GitHub access tokens, cloud provider keys, SSH keys etc., especially if those machines installed compromised packages.

2. Lock or Pin Package Versions:

  • Use known-good versions; prevent automatic uptake of newly published versions until they are verified.
  • Use NPM Package Cooldown Check

3. Inspect Postinstall / Preinstall Scripts:

  • In CI/CD or during review, scan for suspicious install / postinstall scripts especially ones that download or execute external code or spawn child processes.
  • Use tools such as Artifact Monitor to check software Artifacts.

4. Monitor NPM Publish Events:

  • Alert on unusual publishing activity from critical namespaces force publishes, publishes outside known CI, or from unexpected IP addresses.

5. Audit Cloud & Secret Manager Access Logs:

  • For example, check for ListSecrets, GetSecretValue, BatchGetSecretValue events during the timeframe when compromised versions may have been installed.
  • Aws Security Audit:
    • # Check CloudTrail for suspicious secret access
    • aws cloudtrail lookup-events --lookup-attributes
    • AttributeKey=EventName,AttributeValue=BatchGetSecretValue
    • aws cloudtrail lookup-events --lookup-attributes
    • AttributeKey=EventName,AttributeValue=ListSecrets
    • aws cloudtrail lookup-events --lookup-attributes
    • AttributeKey=EventName,AttributeValue=GetSecretValue
    • # Review IAM credential reports for unusual activity
    • aws iam get-credential-report --query 'Content'
  • GCP Security Audit:
    • # Review secret manager access logs
    • gcloud logging read "resource.type=secretmanager.googleapis.com" --limit=50 --format=json
    • # Check for unauthorized service account key creation
    • gcloud logging read "protoPayload.methodName=google.iam.admin.v1.CreateServiceAccountKey"

6. Check for Malicious GitHub Work"ows / Branches:

  • Search across org(s) for the shai-hulud branch, and work$ow !les with names like shai-hulud-workflow.yml. Remove them and rotate any repository secrets exposed.

7. Implement Least Privilege in CI/CD & Developer Environments:

  • Reduce what environment variables are exposed; limit permissions for tokens; use ephemeral credentials; ensure machine accounts have minimal rights.

Indicators of Compromise

The following indicators can help identify systems affected by this attack:

Search for malicious workflow file

  • Replace ACME with your GitHub organization name and use the following GitHub search query to discover all instance of shai-hulud-workflow.yml in your GitHub environment. https://github.com/search?q=org%3AACME+path%3A**%2Fshai-hulud-work$ow.yml&type=code

Search for malicious branch. To find malicious branches, you can use the following Bash script:

# List all repos and check for shai-hulud branch
gh repo list YOUR_ORG_NAME --limit 1000 --json nameWithOwner --jq '.
[].nameWithOwner' | while read repo; do
gh api "repos/$repo/branches" --jq '.[] | select(.name == "shai-hulud") |
"'$repo' has branch: " + .name'
done

File Hashes

  • bundle.js SHA-256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09

Network Indicators

  • Exfiltration endpoint: https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

File System Indicators

  • Presence of malicious work$ow !le: .github/work$ows/shai-hulud-workflow.yml

Suspicious Function Calls

  • Calls to NpmModule.updatePackage function

Suspicious API Calls

  • AWS API calls to secretsmanager.*.amazonaws.com endpoints, particularly BatchGetSecretValueCommand
  • GCP API calls to secretmanager.googleapis.com
  • NPM registry queries to registry.npmjs.org/v1/search
  • GitHub API calls to api.github.com/repos

Suspicious Process Executions

  • TruffleHog execution with arguments !lesystem /
  • NPM publish commands with --force flag
  • Curl commands targeting webhook.site domains

What the Cyber Fusion Center is Doing

The CFC has launched a threat hunting campaign. The objective of this hunt is to identify artifacts and indicators related to the "Shai-Hulud" worm.

References

https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages

https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check

https://docs.stepsecurity.io/artifact-monitor

Related Post
September 17, 2025
Security Advisory:
September 17, 2025
Kudelski Security Team

Inside a MuddyWater Intrusion: Exploitation of SharePoint and Living-Off-the-Land Tactics

September 9, 2025
Security Advisory:
September 9, 2025
Kudelski Security Team

NPM Supply Chain Attack

July 23, 2025
Security Advisory:
July 23, 2025
Kudelski Security Team

Microsoft SharePoint On-Premise Vulnerability (CVE-2025-53770) Under Active Exploitation