{"id":4884,"date":"2025-09-16T19:58:45","date_gmt":"2025-09-16T19:58:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4884"},"modified":"2025-09-16T19:58:45","modified_gmt":"2025-09-16T19:58:45","slug":"warning-hackers-have-inserted-credential-stealing-code-into-some-npm-libraries","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4884","title":{"rendered":"Warning: Hackers have inserted credential-stealing code into some npm libraries"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Dozens of npm libraries, including a color library with over 2 million downloads a week, have been replaced with novel self-replicating credential-stealing code in yet another wave of a supply chain attack that again stresses the need for contributors to open source repositories to better protect their login credentials from being hacked.<\/p>\n<p>Developers who use open source code are urged to check their GitHub accounts now to make sure they haven\u2019t downloaded this malware.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Not just another bad day\u2019<\/h2>\n<p>This represents \u201ca major escalation in npm ecosystem threats,\u201d said researchers at Step Security.<\/p>\n<p>The malware self-propagates across maintainer packages, harvests AWS\/GCP\/Azure credentials using TruffleHog and establishes persistence through GitHub Actions backdoors, they said.<\/p>\n<p>\u201cThis is not just another bad day on npm,\u201d added <a href=\"https:\/\/www.reversinglabs.com\/management-team\/tomislav-pericin\" target=\"_blank\" rel=\"noopener\">Tomislav Pericin<\/a>, chief software architect at ReversingLabs. 
\u201cThis is a new frontier of self-replicating malware in open source.\u201d<\/p>\n<p><a href=\"https:\/\/socket.dev\/blog\/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages\" target=\"_blank\" rel=\"noopener\">Researchers at Socket<\/a> and at Ox Security noted that multiple packages published in npm by security vendor CrowdStrike were among those compromised.<\/p>\n<p>By now, affected libraries have been removed by the npm registry. But the risk is that app developers have already included the malware in their software, which then spreads to hundreds or thousands of users.<\/p>\n<h2 class=\"wp-block-heading\">More than 40 packages affected<\/h2>\n<p>One of the researchers who found and flagged the hack on Monday was <a href=\"https:\/\/github.com\/scttcper\/tinycolor\/issues\/256\" target=\"_blank\" rel=\"noopener\">French developer Fran\u00e7ois Best<\/a>, and it was also described in blogs from <a href=\"https:\/\/www.stepsecurity.io\/blog\/ctrl-tinycolor-and-40-npm-packages-compromised\" target=\"_blank\" rel=\"noopener\">StepSecurity<\/a>, <a href=\"https:\/\/socket.dev\/blog\/tinycolor-supply-chain-attack-affects-40-packages\" target=\"_blank\" rel=\"noopener\">Socket<\/a>, <a href=\"https:\/\/www.reversinglabs.com\/blog\/shai-hulud-worm-npm\" target=\"_blank\" rel=\"noopener\">ReversingLabs<\/a> and <a href=\"https:\/\/www.ox.security\/blog\/npm-2-0-hack-40-npm-packages-hit-in-major-supply-chain-attack\/\" target=\"_blank\" rel=\"noopener\">Ox Security<\/a>. These blogs contain a full list of compromised packages and indicators of compromise.<\/p>\n<p>Researchers at Israel-based Ox Security said there was a brief time window of only a few hours before the malware was discovered and blocked. During that period, however, it could have been downloaded by unwitting developers.<\/p>\n<p>According to researchers, attackers trojanized over 40 packages in npm including:<\/p>\n<p>ctrl\/tinycolor versions 4.1.1 and 4.1.2. 
It\u2019s a lightweight JavaScript library and API that helps developers customize color in their apps, popular enough that it is downloaded more than 2 million times a week;<\/p>\n<p>ngx-bootstrap (300,000 weekly downloads);<\/p>\n<p>ng2-file-upload (100,000 weekly downloads).\u00a0<\/p>\n<p>If developers have downloaded any of the affected libraries in the past few days, they should remove those versions and rebuild from a clean cache\/artifact source. In addition they should rotate\/revoke and replace credentials used on any affected machine.<\/p>\n<p>In particular, GitHub users should look for and remove a new repo named \u201cShai-Hulud.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Malware repo found in compromised accounts<\/h2>\n<p>In an interview, Ox Security researcher <a href=\"https:\/\/www.linkedin.com\/in\/progmetal\/\" target=\"_blank\" rel=\"noopener\">Moshe Siman Tov Bustan<\/a> said he assumed that one developer who contributes to npm fell for a phishing lure, which led to their credentials being stolen.<\/p>\n<p>He described the malware as \u201cvery bad\u201d because it steals credentials for AWS, Google Cloud, and Azure.<\/p>\n<p>He said that Ox Security has found 34 compromised GitHub accounts which contain the Shai-Hulud repository. Inside it is a file called \u201cdata.json\u201d containing all of the compromised information the attacker uploaded to the victim\u2019s GitHub account.<\/p>\n<p>He advised development teams to start enforcing hardware-based two-factor authentication to make it tougher to steal a developer\u2019s credentials, to create short-lived tokens, enforce off-by-default install scripts in continuous integration environments, create a cool-down period before application adoption, and enforce an organization-wide review of new package versions. 
Pairing these practices with a <a href=\"https:\/\/www.csoonline.com\/article\/573185\/what-is-an-sbom-software-bill-of-materials-explained.html\" target=\"_blank\" rel=\"noopener\">software bill of materials<\/a> inventory with automated blocklists provides even better protection.<\/p>\n<h2 class=\"wp-block-heading\">npm a continuing target<\/h2>\n<p>npm and other open source code repositories are targets of threat actors because, once compromised, an account can provide an easy way to spread malware.<\/p>\n<p>Last week it was reported that a massive attack had <a href=\"https:\/\/www.csoonline.com\/article\/4053725\/massive-npm-supply-chain-attack-hits-18-popular-packages-with-2b-weekly-downloads.html\" target=\"_blank\" rel=\"noopener\">compromised 18 highly popular npm packages<\/a> which collectively were downloaded 2 billion times a week. In July, another hack <a href=\"https:\/\/www.csoonline.com\/article\/4028412\/supply-chain-attack-compromises-npm-packages-to-spread-backdoor-malware.html\" target=\"_blank\" rel=\"noopener\">targeted a range of npm-hosted JavaScript type testing utilities.<\/a><\/p>\n<h2 class=\"wp-block-heading\">Advice to CISOs<\/h2>\n<p>From a CISO\u2019s perspective, there are two different threats associated with this attack, <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, told CSOonline.<\/p>\n<p>First, if the organization develops software internally, the CISO needs to understand that developers are targeted, and a compromised developer\u2019s workstation can compromise the entire software supply chain. Developers and their workstations need tailored security solutions. Most out-of-the-box solutions will not account for the special needs and threats developers face, he said.<\/p>\n<p>Second, any organization consuming software needs to harden its software supply chain. 
This requires strong supplier relationships and monitoring, as well as an understanding of the software supply chain risk.<\/p>\n<p>\u201cStepping back from the particular attack, it yet again demonstrates that phishing, if done right, can successfully target even technically more competent employees like developers,\u201d Ullrich said. \u201cCISOs must insist on implementing phishing-resistant authentication wherever possible.\u201d<\/p>\n<p><a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noopener\">Robert Beggs<\/a>, head of Canadian incident response firm Digital Defence, added that the attack is a call to ensure that GitHub instances have been hardened (removal of unnecessary applications, verification of deploy keys for all projects, GitHub Secret Scanning alerts turned on) and that monitoring is in place.<\/p>\n<p>He said it also reinforces the usefulness\u00a0of records such as those in a software bill of materials. \u201cOrganizations have to ensure that they are prepared to respond to future attacks, which will no doubt be more complex than the npm attack,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Dozens of npm libraries, including a color library with over 2 million downloads a week, have been replaced with novel self-replicating credential-stealing code in yet another wave of a supply chain attack that again stresses the need for contributors to open source repositories to better protect their login credentials from being hacked. 
Developers who use [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4885,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4884","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4884"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4884"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4884\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4885"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}