GitLab discovers widespread NPM supply chain attack
14 days ago
- #npm
- #supply-chain-attack
- #malware
- GitLab's Vulnerability Research team identified a large-scale supply chain attack involving a destructive malware variant spreading through the npm ecosystem.
- The malware, an evolved version of 'Shai-Hulud,' exhibits worm-like propagation behavior, automatically infecting additional packages maintained by impacted developers.
- A critical feature of the malware is a 'dead man's switch' mechanism that threatens to destroy user data if its propagation and exfiltration channels are severed.
- The malware infiltrates systems through a multi-stage loader: a setup_bun.js script that looks like ordinary package tooling downloads the Bun runtime and then uses it to execute the actual malicious payload.
- Once running, the malware searches for credentials across multiple sources, including GitHub tokens and .npmrc files, and uses the stolen GitHub tokens to create public repositories that serve as its exfiltration channel.
- It propagates by using the stolen npm credentials to modify other packages the victim maintains, adding a malicious preinstall script and bundling an obfuscated payload, so that every infected package becomes a new distribution point in a resilient, botnet-like network.
- If the malware loses access to both GitHub and npm, it immediately destroys data on the compromised machine, using methods such as file deletion and disk overwriting.
- GitLab provides detection and response recommendations, including enabling Dependency Scanning and using GitLab Duo Chat for rapid exposure checks.
- The attack represents an evolution in supply chain attacks, leveraging the threat of collateral damage to protect its infrastructure.