Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Responding to npm pa ...

 Business

On the evening of September 15, a new attack against the most popular JavaScript component — npm — began.  A number of packages — some with millions of weekly downloads — were infected with malicious code that steals tokens and authentication keys. Its most interesting feature is that it is able to spread   show more ...

automatically — infecting other nmp packages. Among the infected packages is the popular @ctrl/tinycolor. According to Aikido Security, almost 150 packages have been compromised — including Crowdstrike packages. Propagation methodology The method of the first infection and patient zero are currently unknown. Since the attack pattern is very similar to the recent s1ngularity incident, it may have been phishing as well. But the further chain of infection is as follows: Malicious code is added to compromised packages in the form of a post-installation script saved in the bundle.js file. When the victim installs the infected package, the script runs. Unlike the previous incident, the script is cross-platform and works in both *nix and Windows environments. The script downloads a platform-appropriate version of TruffleHog, a legitimate secret-finding tool. TruffleHog finds high-entropy strings in local file systems and available repositories. These are cryptographic keys, API tokens, and other such information. In addition to searching through TruffleHog, the script validates useful tokens by analyzing environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. It then checks if they are valid by querying the npm whoami and GitHub user API-endpoints. The script then compromises npm packages to which the attacked user has access with publishing rights. To do this, it downloads the current version of the infected package from npm, increments the subversion by 1, adds a link to the postinstall hook, and writes its copy to the bundle.js file. Then the trojanized new version of the package is published to npm. Then it marks the victims repositories as public ones, which is sometimes a separate, more important leak. Publishing stolen data Extracting the harvested secrets is done in two ways at the same time: Through the GitHub repository. Malware creates a public Shai-Hulud repository on behalf of the victim and with their GitHub token. Then it uploads a JSON file with the collected secrets and system information to this repository. Via GitHub actions. The script creates a new GitHub workflow (github/workflows/shai-hulud-workflow.yml) that encodes the collected secrets into JSON and transmits to the attackers webhook[.]site server. Incident Response The infection of the tinycolor package and dozens of others became known on the night of September 15-16, and by morning the npm administration had already started to respond by rolling back the infected packages to their clean versions. The history of processed packages does not show the malicious version at all, but the fact that it existed can be found in GitHub bulletins. Judging by the fact that thereve been no new bulletins for five hours at the time of writing, the large-scale incident could be considered over. But given that were dealing with a worm, it could start all over again — unless npm blocks the publication of specific malicious files. Those who managed to download the infected packages are advised to: rollback to safe versions of packages, and clearing the npm cache; audit CI/CD Pipeline and developer computers for unauthorized changes; analyze logs to identify suspicious accesses to npm publish; replace all NPM, GitHub, AWS, GCP and Azure keys and tokens that were available in the affected environment. Kaspersky solutions detect this threat with the verdict Worm.Script.Shulud.*. The most complete list of affected packages can be found on GitHub.

image for Self-Replicating Wor ...

 Latest Warnings

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike,   show more ...

steals and publishes even more credentials every time an infected package is installed. Image: https://en.wikipedia.org/wiki/Sandworm_(Dune) The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.” “When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm Aikido. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.” At the center of this developing maelstrom are code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components. The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments. Image: aikido.dev In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download. Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets. “Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC. The security-focused code development platform socket.dev reports the Shai-Halud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry. In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries. “These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.” A writeup on the attack from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems. StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account. “This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote. Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours. “I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.” For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said. Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method. “Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”

image for Emerging Yurei Ranso ...

 Feed

The cybercrime group, named after Japanese ghosts but believed to be from Morocco, uses a modified version of the Prince-Ransomware binary that includes a flaw allowing for partial data recovery. However, an extortion threat remains.

 Cybercrime

The measure from the House Appropriations Committee would extend the life of the 2015 Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program — both of which are slated to expire September 30 — until November 21.

 Feed

Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers. "The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling

 Feed

A team of academics from ETH Zürich and Google has discovered a new variant of a RowHammer attack targeting Double Data Rate 5 (DDR5) memory chips from South Korean semiconductor vendor SK Hynix. The RowHammer attack variant, codenamed Phoenix (CVE-2025-6202, CVSS score: 7.1), is capable of bypassing sophisticated protection mechanisms put in place to resist the attack. "We have proven that

 Feed

Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad

 Feed

Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild. The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file. "Apple is aware of a report that this issue may have been exploited in an

 Feed

AI agents are rapidly becoming a core part of the enterprise, being embedded across enterprise workflows, operating with autonomy, and making decisions about which systems to access and how to use them. But as agents grow in power and autonomy, so do the risks and threats.  Recent studies show 80% of companies have already experienced unintended AI agent actions, from unauthorized system

 Feed

Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform's fault injections (such as shutting down pods or disrupting network communications), and perform

 Feed

A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps, collectively attracting 38 million downloads across 228 countries and territories. "These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks," HUMAN’s Satori Threat Intelligence and

 AI

In episode 68 of The AI Fix, our hosts open the show by launching the thing nobody asked for but everybody wanted: our shiny new merch store - yes, including the “Would YOU trust a pigeon???” t-shirt for when you need fashion alongside health and safety. Meanwhile, AI hoaxers send Manila firefighters racing to an   show more ...

imaginary blaze, Albania appoints an AI as a minister, and the godfather of AI gets dumped... by ChatGPT. Plus Mark shows off his ventriloquism skills, while Graham describes a near-telepathic wearable that lets you “talk” without moving your lips, and we look into how humanity and AI has joined forces to fight for AI rights. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

2025-09
Aggregator history
Tuesday, September 16
MON
TUE
WED
THU
FRI
SAT
SUN
SeptemberOctoberNovember