A self-propagating supply chain attack has compromised at least 187 npm packages, beginning with the popular @ctrl/tinycolor library, which receives over two million weekly downloads. The campaign, dubbed "Shai-Hulud," spreads like a worm: once it runs in a compromised maintainer's environment, it modifies the other packages that maintainer publishes, injects itself into them, and republishes them to the registry, so every maintainer it reaches becomes a new source of infected releases. Among the affected packages are several published under CrowdStrike's npm namespace, though the company confirmed its core platform remains secure.
The malware injects a script that runs TruffleHog, a legitimate secret-scanning tool, against the developer's environment to harvest credentials such as API keys and npm and GitHub tokens. It also creates unauthorized GitHub Actions workflows in repositories it can reach and exfiltrates the stolen data to a remote server. The stolen publishing credentials are what let the worm republish further packages, which is why rotating them matters as much as removing the malicious versions. This incident is the latest in a series of high-profile software supply chain attacks, following recent campaigns such as "s1ngularity."
Researchers suspect the same threat actors are behind both campaigns. Because npm projects pull in long chains of transitive dependencies, a compromised package can reach projects that never depend on it directly, potentially including major projects such as Google's Gemini CLI. Developers are urged to audit their lockfiles and installed modules (not only their direct dependencies), rotate any npm, GitHub and cloud credentials that were present on affected machines, and pin dependencies to known-good exact versions rather than semver ranges that would silently pull a republished release. The attack is a reminder that open-source package distribution still lacks adequate safeguards against maintainer-credential compromise.
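The audit steps above (check every installed package, including transitive ones, against a list of compromised versions; review packages that run code at install time; find dependency specs that are ranges rather than exact pins) can be scripted against an npm lockfile. The following is an added example written for this page, not code from the original article or from any of the projects it names. The lockfile, package.json, denylist version and package names other than @ctrl/tinycolor are constructed for illustration; the actual compromised versions must be taken from the advisory you trust, and the script is meant to be pointed at a real `package-lock.json` (lockfileVersion 2 or 3, which lists every installed package under `packages`).

```javascript
// Audit an npm lockfile and package.json for supply-chain risk indicators:
//  1. installed package@version pairs present on a denylist (transitive included),
//  2. installed packages that run install-time scripts (hasInstallScript),
//  3. dependency specs that are not pinned to an exact version.
// Run with: node audit.js   (the sample data below is embedded so it runs offline)

// Constructed sample lockfile fragment (not from the original page).
// The compromised version sits two levels deep to show the transitive case.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@ctrl/tinycolor": "^1.2.0", "example-logger": "2.0.1" } },
    "node_modules/@ctrl/tinycolor": { version: "1.2.0" },
    "node_modules/example-logger": { version: "2.0.1", hasInstallScript: true },
    "node_modules/example-logger/node_modules/@ctrl/tinycolor": { version: "1.2.3" },
    "node_modules/example-native-addon": { version: "0.4.0", hasInstallScript: true },
  },
};

// Constructed sample package.json (not from the original page).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "@ctrl/tinycolor": "^1.2.0", "example-logger": "2.0.1" },
  devDependencies: { "example-tool": "~3.1.0" },
};

// Hypothetical denylist: package name -> compromised versions. The version here is a
// placeholder for illustration; populate it from the advisory you trust.
const DENYLIST = { "@ctrl/tinycolor": ["1.2.3"] };

// Packages that are expected to have install scripts (e.g. native addons), so they
// are not reported. Anything else with hasInstallScript is worth a manual look.
const INSTALL_SCRIPT_ALLOWLIST = new Set(["example-native-addon"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every installed package (direct or transitive) whose version is on the denylist.
function findCompromised(lockfile, denylist) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = packageNameFromPath(path);
    const bad = denylist[name];
    if (bad && bad.includes(entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Installed packages that run scripts at install time and are not allowlisted.
function findInstallScripts(lockfile, allowlist) {
  const out = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || entry.hasInstallScript !== true) continue;
    const name = packageNameFromPath(path);
    if (!allowlist.has(name)) out.push(name);
  }
  return out;
}

// Exact semver only: "1.2.3", "1.2.3-beta.1", "1.2.3+build". Ranges (^ ~ >= *),
// tags, git and file specs are all treated as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

function auditProject(lockfile, pkg, denylist, allowlist) {
  return {
    compromised: findCompromised(lockfile, denylist),
    installScripts: findInstallScripts(lockfile, allowlist),
    unpinned: findUnpinned(pkg),
  };
}

console.log(JSON.stringify(auditProject(SAMPLE_LOCKFILE, SAMPLE_PACKAGE_JSON, DENYLIST, INSTALL_SCRIPT_ALLOWLIST), null, 2));
```

On the sample data the script reports the nested copy of @ctrl/tinycolor as compromised even though the top-level copy is clean, which is the case a `package.json`-only review misses; it flags `example-logger` for running an install script; and it lists the two range specs as unpinned. Against a real project, replace the embedded objects with `JSON.parse(fs.readFileSync(...))` of the lockfile and manifest, and treat an empty denylist result as necessary but not sufficient: a lockfile only records what was resolved, so a machine that already ran the malicious install also needs its credentials rotated.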
