{"id":611230,"date":"2025-09-17T09:59:00","date_gmt":"2025-09-17T07:59:00","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=611230"},"modified":"2025-09-17T16:08:35","modified_gmt":"2025-09-17T14:08:35","slug":"warning-about-data-stealer-spreading-through-software-used-by-millions-of-programmers","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/software\/611230-warning-about-data-stealer-spreading-through-software-used-by-millions-of-programmers.html","title":{"rendered":"Warning about data-stealer spreading through software used by millions of programmers"},"content":{"rendered":"\n<p>Security researchers worldwide are warning about a supply-chain attack on the Node Package Manager (NPM), where a self-replicating and credential-harvesting attack is spreading through the ecosystem.<\/p>\n\n\n\n<p>When the malware detects GitHub credentials it can abuse, it creates public repositories called \u201cShai-Hulud\u201d containing a dump of all the secrets (i.e. keys and passwords) that it harvested.<\/p>\n\n\n\n<p>Shai-Hulud is the indigenous name of the sandworms in Frank Herbert\u2019s seminal science fiction novel, Dune.<\/p>\n\n\n\n<p>In computer security, a worm is a type of self-replicating malware. It differs from a virus in that worms do not need a host system and can spread between systems and networks without user action.<\/p>\n\n\n\n<p>The worm began spreading on 16 September 2025, when malicious versions of multiple popular packages were published to NPM.<\/p>\n\n\n\n<p>NPM is a tool and registry of code packages included in the Node.js JavaScript runtime environment. It allows programmers to easily include code written by others in their projects.<\/p>\n\n\n\n<p>Owned by GitHub since 2020, NPM says more than 17 million developers worldwide rely on it. \u201cNPM is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world.\u201d<\/p>\n\n\n\n<p>Cloud security company Wiz <a href=\"https:\/\/www.wiz.io\/blog\/shai-hulud-npm-supply-chain-attack\">explained<\/a> that the compromised NPM packages contained a post-install script that harvested and exfiltrated sensitive data.<\/p>\n\n\n\n<p>\u201cOnce a version of one of the malicious packages is installed, the included payload uses the TruffleHog secret scanning tool,\u201d said Wiz.<\/p>\n\n\n\n<p>TruffleHog identifies secrets, in addition to harvesting environment variables and IMDS-exposed cloud keys when available.<\/p>\n\n\n\n<p>\u201cBeyond data theft, the malware exhibits worm-like behaviour,\u201d Wiz stated.<\/p>\n\n\n\n<p>\u201cWhen a compromised package encounters additional npm tokens in its environment, it will automatically publish malicious versions of any packages it can access \u2014 spreading across the NPM ecosystem.\u201d<\/p>\n\n\n\n<p>Socket.dev, which specialises in defending against supply-chain attacks, <a href=\"https:\/\/socket.dev\/blog\/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages\">reported<\/a> that Shai-Hulud briefly compromised at least 25 code packages managed by CrowdStrike.<\/p>\n\n\n\n<p>CrowdStrike is a cybersecurity vendor that sells software and services to help organisations protect themselves against cyberattacks, including emergent new threats like ransomware.<\/p>\n\n\n\n<p>It made headlines last year when a malformed update sent Windows computers around the world protected by its software <a href=\"https:\/\/mybroadband.co.za\/news\/banking\/545203-what-caused-capitecs-total-blackout.html\">into a Blue Screen of Death boot loop<\/a>.<\/p>\n\n\n\n<p>The impact was widespread, with several critical sectors experiencing outages. Capitec in South Africa and several global airlines were among those affected.<\/p>\n\n\n\n<p>&#8220;After detecting several malicious packages in the public NPM registry, we swiftly removed them and proactively rotated our keys in public registries,&#8221; a CrowdStrike spokesperson told MyBroadband.<\/p>\n\n\n\n<p>&#8220;These packages are not used in the Falcon sensor and the platform is not impacted. We identified the single source and isolated it quickly, customers remain protected and do not need to take any actions.&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Linked to earlier attack on NPM<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"533\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/07\/Javascript-code-in-development-environment.jpg\" alt=\"\" class=\"wp-image-451528\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/07\/Javascript-code-in-development-environment.jpg 800w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/07\/Javascript-code-in-development-environment-600x400.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/07\/Javascript-code-in-development-environment-768x512.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>In addition to the CrowdStrike-maintained code in NPM, dozens of other packages were compromised by Shai-Hulud.<\/p>\n\n\n\n<p>\u201cThis attack is a self-propagating worm,\u201d said Wiz.<\/p>\n\n\n\n<p>\u201cWhen a compromised package encounters additional NPM tokens in a victim environment, it will automatically publish malicious versions of any packages it can access.\u201d<\/p>\n\n\n\n<p>Wiz Research believes the Shai-Hulud attack is tied to the recent s1ngularity\/Nx supply chain attack, where initial GitHub token theft enabled a broader chain of compromise and leaking of formerly private repositories.<\/p>\n\n\n\n<p>While the Nx attack was not self-replicating, Wiz found that the initial npm packages that started this chain reaction included multiple known-compromised victims of the s1ngularity attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A secret-stealing worm called Shai-Hulud, named after the sandworms in Dune, has spread through NPM.<\/p>\n","protected":false},"author":15,"featured_media":611231,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27,16],"tags":[9149,79584,12379,101481,101483,89462,101482],"class_list":["post-611230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-software","tag-crowdstrike","tag-node-package-manager-npm","tag-node-js","tag-shai-hulud","tag-socket-dev","tag-wiz","tag-wiz-research"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/611230"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=611230"}],"version-history":[{"count":2,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/611230\/revisions"}],"predecessor-version":[{"id":611300,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/611230\/revisions\/611300"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/611231"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=611230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=611230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=611230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}