Sha1-Hulud: The Second Coming of The New npm GitHub Worm
2025-12-03 14:00:03 | Author: levelblue.com


Sha1-Hulud is back with a new evolution of its supply-chain attack that targets development environments via Node Package Manager (npm). npm is the dominant package manager for Node.js, giving JavaScript developers access to millions of prebuilt packages that are pulled into projects automatically at install time.

Based on current information, we confirm there has been no exposure or impact to us or our clients. As a trusted security partner, we’re on heightened alert for our clients and partners and are monitoring for any suspicious activity. Should new information arise that alters this assessment, we will provide an update directly.

This campaign trojans unsecured npm packages with malicious code that is automatically executed when developers using that package update to the trojaned version. So far, nearly 1,000 npm packages have been confirmed to be infected, which, in turn, affects tens of thousands of code repositories.

The First Campaign

Back in September 2025, Sha1-Hulud launched their first attack against npm packages. By inserting trojaned code into hundreds of unsecured npm packages, the attackers caused those packages to be automatically “updated” locally across every development environment that depended on them. The malware had two primary components: a credential stealer and a propagation component that gave it worm behavior.

The Second Coming

The newest campaign, spotted just this week, expands on the original in several ways. In addition to the credential catcher and propagation tools, this new campaign adds a punitive “self-destruct” feature. It also adds cross-platform support, working on Linux, macOS, and Windows, and abuses GitHub Actions for remote code execution capability.

The Installation and Credential Catcher

The infected npm packages carry a preinstall hook in package.json that runs a loader script named setup_bun.js. The loader attempts to hide its actions by pretending to install the Bun JavaScript runtime. setup_bun.js then executes bun_environment.js, an obfuscated 10MB file also embedded in the infected package.

The credential capture component searches for specific secrets such as npm and GitHub tokens, API keys, and cloud credentials. It also uses TruffleHog to scan the system for any other useful credentials or session tokens. The malware then creates a public repository under the victim's GitHub account named "Sha1-Hulud: The Second Coming". All exfiltrated files are dumped into this repository, marking the affected organization and making the files available. And not just available to threat actors, but publicly accessible to anyone.

The Worm Propagates

Another feature of Sha1-Hulud 2.0 is a propagation process that infects further npm packages. Using npm tokens discovered during the credential capture, it downloads all packages maintained by the victim. It then inserts setup_bun.js and bun_environment.js into those packages and republishes them with an incremented version number. This triggers an automatic update in every developer environment that uses those packages.

Punitive Self-Destruct Function

If the victim discovers the compromise and attempts to cut off access to the malware, the malware will attempt to delete all files in the victim’s home directory. It doesn’t just do a simple delete either. On Windows, the malware also overwrites the disk sectors, and on *nix systems, it uses the shred command. This makes file recovery much less likely.

Piggybacking on GitHub Actions to Execute Remote Code

Another new feature is how Sha1-Hulud 2.0 uses GitHub Actions to execute arbitrary code on the victim’s system. The malware creates a public repository under the victim’s account with public discussions enabled. It then creates a hidden directory named ~/.dev-env/, installs the GitHub Actions runner there, and uploads a malicious workflow YAML file named .github/workflows/discussion.yaml. This YAML file interprets any discussion post in the repository as a command to execute locally. Since the discussion forum is public, anyone can post in discussions something like powershell -noexit "& ""C:\My Scripts\MyEvilScript.ps1""" and have that execute on the victim’s system.

Mitigations

  • Perform ongoing threat hunting for associated IoCs to discover any active compromise, especially across your development and CI/CD systems.
  • Temporarily freeze any npm package updates until the full scope of this campaign is better known.
  • Assume that the presence of the malware suggests that all credentials on that system have been compromised, and reset credentials accordingly.
  • Revisit your supply chain security policy, including inventorying and auditing third-party vendors, and documenting the risks those relationships expose your organization to.

IoCs

bun_environment.js

62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0 [SHA256]
f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068 [SHA256]
cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd [SHA256]

setup_bun.js

a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a [SHA256]



Source: https://levelblue.com/blogs/spiderlabs-blog/sha1-hulud-the-second-coming-of-the-new-npm-github-worm/