Concise Cyber

New Shai-Hulud Worm Spreads on npm, Stealing Developer Credentials

Cybersecurity researchers at ReversingLabs have identified a new self-replicating worm spreading through the npm public registry and GitHub. Named Shai-Hulud after the giant sandworms from the novel “Dune,” the malware is designed to infect developer systems and propagate itself by compromising legitimate npm packages.

This software supply chain attack is attributed to a threat actor tracked by ReversingLabs as “LofyLife.” The campaign leverages stolen credentials to publish malicious new versions of existing packages, including `dpp-registry`, `fs-utils-plus`, and `is-even-plus`, among others.

How the Shai-Hulud Worm Operates

The worm’s primary mechanism involves targeting the .npmrc configuration file on a developer’s machine. This file often contains authentication tokens that grant permission to publish packages to the npm registry. Once the malware gains access to a system, it steals these tokens.

Using the stolen credentials, Shai-Hulud then republishes existing, legitimate packages with a malicious payload attached. The worm’s code is obfuscated using the Allatori Java Obfuscator to hinder analysis. The payload itself is a credential stealer that targets a wide range of sensitive data. It is designed to extract Discord tokens, cryptocurrency wallet information, and credentials stored in web browsers. This stolen data is then exfiltrated to a command-and-control (C2) server via a webhook.
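Since the .npmrc file is the artefact the worm reads, a useful defender-side check is to find registry credentials that sit in that file as literal values instead of environment-variable references. The following Node.js script is an added example, not code from the article or from ReversingLabs; the .npmrc content it parses is constructed.

```javascript
// Audit .npmrc content for registry credentials stored in plaintext.
// Constructed sample: one literal publish token, one env-var reference,
// and one legacy base64 "_auth" entry.
const SAMPLE_NPMRC = [
  "; constructed sample .npmrc",
  "registry=https://registry.npmjs.org/",
  "//registry.npmjs.org/:_authToken=npm_EXAMPLEEXAMPLEEXAMPLE0000000000000000",
  "//npm.example.internal:4873/:_authToken=${NPM_TOKEN}",
  "//npm.example.internal:4873/:_auth=dXNlcjpwYXNz",
  "always-auth=true",
].join("\n");

// Credential lines look like "//<registry>/:_authToken=<value>" or
// "//<registry>/:_auth=<value>"; the lazy group tolerates ports in the host.
const AUTH_LINE = /^\/\/(.+?):(_authToken|_auth)=(.*)$/;

// A value of the form ${VAR} is resolved by npm from the environment at run
// time, so the secret is not in the file; anything else is a literal secret.
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;

// Returns one finding per credential line:
// { line, registry, key, storage } with storage "env" or "plaintext".
function auditNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Skip blanks and ini-style comments (';' or '#').
    if (line === "" || line.startsWith(";") || line.startsWith("#")) return;
    const m = AUTH_LINE.exec(line);
    if (!m) return;
    const [, registry, key, value] = m;
    const storage = ENV_REF.test(value.trim()) ? "env" : "plaintext";
    findings.push({ line: i + 1, registry, key, storage });
  });
  return findings;
}

// Plaintext entries are what a file-reading stealer can lift directly; the
// remediation is to revoke/rotate them at the registry and switch to ${VAR}.
function plaintextTokens(text) {
  return auditNpmrc(text).filter((f) => f.storage === "plaintext");
}

for (const f of plaintextTokens(SAMPLE_NPMRC)) {
  console.log(`line ${f.line}: ${f.key} for ${f.registry} is stored in plaintext`);
}
```

Run it against a real `~/.npmrc` by reading the file into `auditNpmrc` instead of the sample; any `plaintext` finding for a publish-capable token is a candidate for rotation.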

Attack Impact and Response

The self-replicating nature of Shai-Hulud allows it to spread from one developer to another as they download and use the compromised packages. By hijacking legitimate packages and publishing malicious versions, the worm infects new systems, steals more credentials, and continues the cycle of propagation across the open-source ecosystem.

ReversingLabs discovered the worm in early June and reported its findings to the npm security team. In response, the npm team acted to remove the malicious packages identified in the report from the public registry to prevent further infections.

Source: https://www.csoonline.com/article/4095578/new-shai-hulud-worm-spreading-through-npm-github.html