SHA1-Hulud the Second Coming – Postman, Zapier, PostHog All Compromised via NPM
5 hours ago
- #npm
- #supply-chain-attack
- #malware
- Shai-Hulud is a self-replicating npm worm that spreads through compromised developer environments, exfiltrating secrets like API keys and tokens.
- The 'Second Coming' wave of Shai-Hulud attacks occurred just before npm's deadline for revoking old tokens, affecting 492 packages with 132 million monthly downloads.
- Key differences in this attack include the use of bun for execution, random GitHub repository names for stolen data, and the potential to infect up to 100 npm packages.
- Compromised packages include major ones from AsyncAPI, PostHog, Postman, Zapier, and ENS, among others.
- The malware publishes stolen secrets to GitHub with the repository description 'Sha1-Hulud: The Second Coming,' with 26.3k repositories currently exposed.
- Security teams should audit dependencies, rotate secrets, check for strange GitHub repos, disable npm postinstall scripts in CI, and enforce MFA on accounts.
- Mistakes by the attackers, such as not bundling the worm in some packages, may have limited the attack's impact.