Discussion · bonfire.cafe

Making my morning rounds and I can see thath there are STILL infected packages that were already detected by cybersecurity analyst available on NPM this morning.

So I'm taking the time to go and personally message teams that haven't taken down their hacked packages.

Tracking that work with these two issues. I'm both manually spot checking the list and working on a script to automate that check. Moar PRs soon . . .

https://github.com/datapartyjs/walk-without-rhythm/issues/13

https://github.com/datapartyjs/walk-without-rhythm/issues/12

#ShaiHulud #WalkWithoutRhythm

Chris Palmer

@fugueish@wandering.shop replied · 2 weeks ago

@nullagent

GIF

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

I'm quickly finding a mix of packages which were compromised, some were months ago and had the bad versions taken down.

However at the same time I'm noticing packages like the one below that were -just- hacked 19 hours ago and still have not been taken down yet!

With how this worm works its a bit of a pencils down moment... you probably should check your packages right now.

https://www.npmjs.com/package/capacitor-voice-recorder-wav?activeTab=code

#nodejs #npm #ShaiHulud #javascript

stony kark

@aapis@mastodon.world replied · 2 weeks ago

@nullagent @blogdiva 10mb JS file?

GIF

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

Tbf it compresses down to about 2MB 🫠

@aapis @blogdiva

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

Taking a second to understand the attack rate. I constructed this query below which shows you essentially an up to date listing of developers/code that's been compromised.

Once your box is infected and PII data has been found the worm then uses your github credentials to upload that content so ANYONE can now steal your credentials.

I'm finding multiple repos being popped every minute. This is an extremely active attack right now.

https://github.com/search?q=%22Sha1-Hulud%3A+The+Second+Coming.%22&type=repositories&s=updated&o=desc

#nodejs #npm #cybersecurity #github

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

Ok I've downloaded some of the compromised packages and you can search your already downloaded node modules for possibly infected packages using this command:

find ./node_modules -type f -name "bun_environment.js"

You can check your user level node cache using:

find ~/.npm -type f -name "bun_environment.js"

Still sizing this one up but if you get any hits check and see if they are big files (around 10MB) and if so you're likely infected.

#nodejs #npm

Andres

@Andres4NY@social.ridetrans.it replied · 2 weeks ago

@nullagent npm was a great idea. A+, no notes.

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

imo.... this is all what having no 2FA turned on for your NPM and GitHub results in.

This can happen to pretty much any service where users share files and don't use 2FA.

@Andres4NY

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

I've spent the last few hours writing down my scripts for detecting this so you can use them!

I'm hitting on two or three ways to detect it and will be adding more.

Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭

Maybe let the node developers in your life know about this tool 👇🏿

https://github.com/datapartyjs/walk-without-rhythm

#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴

https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript

nullagent

@nullagent@partyon.xyz replied · 2 weeks ago

At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

1+ more replies (not shown)

Lady Errant

@errant@mastodon.sdf.org replied · 2 weeks ago

@nullagent I reiterate that these kinds of massive-dependency-tree package managers (npm, cargo, etc) have too large an attack surface to justify their convenience

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.1-alpha.8 no JS en

Automatic federation enabled