NPM packages are infected with malware, again


Summary

  • Shai Hulud v2 infected 500+ npm packages (700+ versions) and spread across Java/Maven – yeah.

  • The compromised packages carry a preinstall loader that downloads the Bun runtime and silently executes an obfuscated 10MB payload.

  • Payload exfiltrates environment variables (GITHUB_TOKEN, NPM_TOKEN, AWS keys), searches for secrets; C2 self-heals via GitHub.

Supply chain attacks targeting npm are not uncommon these days. It’s been a few months, but we’re back with a new attack, this one affecting over 500 packages. Yeah.

A sophisticated supply chain attack campaign dubbed “Shai Hulud v2” has compromised hundreds of packages within the npm ecosystem and has now spread to Java/Maven artifacts. The attack has already affected more than 500 packages and 700 versions, infiltrating software from major vendors including Zapier, Postman, PostHog, AsyncAPI and ENS Domains.

From what we can gather, the infection vector relies on a two-step loader designed to evade detection. Compromised packages declare a preinstall script in their package.json that runs a file named setup_bun.js, so it executes automatically during npm install before anything else in the package is touched. This script acts as a stealth loader: it detects the operating system and host architecture, locates an existing Bun runtime (a fast JavaScript runtime) or downloads one, and uses it to execute a heavy 10MB obfuscated payload called bun_environment.js. The loader suppresses its own standard output and standard error, so nothing from the malicious background process shows up in the install log.

It’s worth noting that the issue actually appears to be spreading across the Maven ecosystem. Researchers observed that the malicious payload was present in org.mvnpm:posthog-node, a Maven artifact automatically generated from npm packages. This confirms that automated bridging between software ecosystems can inadvertently carry a compromise across them, allowing JavaScript-based malware to contaminate Java environments. Yeah.

The malware uses resilient “self-healing” C2 infrastructure. When it runs, it searches public GitHub repositories for a specific marker phrase: “Sha1-Hulud: The Second Coming”. If it finds one, it retrieves a GitHub access token hidden in that repository under three layers of base64 encoding and uses the token as the credential for data exfiltration. If earlier repositories are taken down, the attackers simply “reboot” the campaign by creating new ones carrying the same marker, which makes the campaign quite resistant to removal efforts.

The main objective of the malware appears to be mass credential theft. It captures all environment variables, including GITHUB_TOKEN, NPM_TOKEN, and AWS_ACCESS_KEY_ID. Additionally, it downloads and runs TruffleHog, a legitimate secret-scanning tool, to aggressively scan the entire file system for hardcoded secrets. The practical consequence is that any token, key or credential file present on a machine that installed one of the affected versions should be treated as compromised and rotated, whether or not it was in an environment variable.

If you want to know more about the ins and outs of this issue, this report goes quite in-depth.

Source: Taken
