Self Propagating NPM Malware Compromises over 40 Packages
8 hours ago
- #credential-harvesting
- #npm-security
- #supply-chain-attack
- The NPM ecosystem is under a critical supply chain attack affecting the @ctrl/tinycolor package and over 40 others.
- Malware includes a self-propagating mechanism, infecting downstream packages automatically.
- Credential harvesting targets AWS, GCP, GitHub tokens, and more, using tools like TruffleHog.
- Persistence is achieved via GitHub Actions workflows, exfiltrating secrets to a C2 server.
- Indicators of compromise include specific file hashes, network endpoints, and suspicious API calls.
- Immediate actions: remove compromised packages, rotate credentials, audit cloud infrastructure.
- Security controls: monitor network traffic, harden GitHub security, implement credential rotation.
- StepSecurity offers tools like NPM Cooldown Check and Harden-Runner for detecting and preventing such attacks.