Concise Cyber

Sha1-Hulud 2.0: A Factual FAQ on the npm Supply-Chain Attack

In late November 2025, Tenable’s Security Response Team (SRT) published an FAQ on a new Node Package Manager (npm) supply-chain campaign named Sha1-Hulud 2.0, also styled “Sha1-Hulud: The Second Coming”. The campaign is a continuation of the Shai-Hulud worm first observed in September 2025. The malicious packages were built to exfiltrate sensitive information from developer systems as soon as they were installed.

How Does the Sha1-Hulud 2.0 Campaign Operate?

The campaign involved publishing multiple malicious packages to the official npm registry. The packages carried heavily obfuscated JavaScript wired into an install-time lifecycle script (a `preinstall` or `postinstall` entry in package.json), so the code ran automatically as a side effect of `npm install`, with no action from the developer beyond adding the dependency. Its primary function was to collect specific files from the compromised system and send them out.

The code read /etc/passwd, which lists the local user accounts, and ~/.bash_history, which records the shell commands a user has run and frequently contains tokens and passwords pasted onto the command line. It then transmitted the collected contents to a remote command-and-control (C2) server operated by the attacker.

Key Characteristics and Discovery of the Attack

The name is a play on Shai-Hulud, the giant sandworm of Frank Herbert’s novel “Dune”; the “Sha1” spelling, a nod to the SHA-1 hash function, is how the second wave labels itself. The “2.0” designation marks this as the second observed wave of the campaign. Tenable’s investigation identified at least 16 distinct malicious packages associated with this wave.

To evade detection, the attackers split the malicious logic across multiple files and obfuscated it with techniques such as hex-encoded strings. After the discovery, Tenable reported the packages to the npm security team, which removed them from the public registry to prevent further installations. Removal only stops new installs: any machine or CI runner that already pulled one of the packages must be treated as compromised, with its credentials rotated.

Source: https://www.tenable.com/blog/faq-about-sha1-hulud-2-0-the-second-coming-of-the-npm-supply-chain-campaign