Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem
https://trigger.dev/blog/shai-hulud-postmortem
#HackerNews #ShaiHulud #GitHub #Security #DevOps #PostMortem #CyberSecurity
Podcast "Passwort" 46: News of worms, hiccups and coughs
The season is bringing all sorts of ailments to the security industry too: Cloudflare chokes badly, NPM has a worm infestation again, and Christopher is coughing.
#IT #JavaScript #Journal #Malware #PasswortPodcast #Podcast #Security #ShaiHulud #news
I've spent the last few hours writing down my scripts for detecting this so you can use them!
I'm hitting on two or three ways to detect it and will be adding more.
Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭
Maybe let the node developers in your life know about this tool 👇🏿
https://github.com/datapartyjs/walk-without-rhythm
#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity
#Breaking There's an active nodejs supply chain attack going around.
From the looks of it many of these compromised packages have been mitigated but quite a few have not.
https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
#nodejs #cybersecurity #aws #github #npm #trufflehog #go #cyberattack #ShaiHulud #javascript #deno #browser #Sha1Hulud
Post-mortem of Shai-Hulud attack on November 24th, 2025
https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem
#HackerNews #PostMortem #ShaiHulud #Attack2025 #CyberSecurity #TechNews #Analysis
I'm quickly finding a mix of packages which were compromised, some were months ago and had the bad versions taken down.
However at the same time I'm noticing packages like the one below that were -just- hacked 19 hours ago and still have not been taken down yet!
With how this worm works it's a bit of a pencils down moment... you probably should check your packages right now.
https://www.npmjs.com/package/capacitor-voice-recorder-wav?activeTab=code
Making my morning rounds and I can see that there are STILL infected packages that were already detected by cybersecurity analysts available on NPM this morning.
So I'm taking the time to go and personally message teams that haven't taken down their hacked packages.
Tracking that work with these two issues. I'm both manually spot checking the list and working on a script to automate that check. Moar PRs soon . . .
https://github.com/datapartyjs/walk-without-rhythm/issues/13
https://github.com/datapartyjs/walk-without-rhythm/issues/12
Checking back in on my GitHub query and the stolen data is STILL showing up on github.
I can tell github looks to be deleting the repos a -little- bit faster than they are created. There's still over 15k repos full of stolen credentials and PII available for public download.
I've also noticed some new behavior I hadn't seen before where the worm is now making commits look like Linus Torvalds wrote them. Clearly a delay tactic.
If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.
Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day (to, you know, make money) but instead I'm doing worm mitigation 😭
https://ko-fi.com/nullagent
https://ko-fi.com/dataparty
#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm
Ok I've downloaded some of the compromised packages and you can search your already downloaded node modules for possibly infected packages using this command:
find ./node_modules -type f -name "bun_environment.js"
You can check your user level node cache using:
find ~/.npm -type f -name "bun_environment.js"
Still sizing this one up but if you get any hits check and see if they are big files (around 10MB) and if so you're likely infected.
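The two `find` checks and the size test from the post above, combined into one triage function. This is an added example, not code from the original post or from the walk-without-rhythm project; the function name `scan_bun_env` and the 5 MB cut-off are assumptions (the post only says "around 10MB").

```shell
#!/bin/sh
# Added example: triage bun_environment.js hits by file size.
# Assumption: a 5 MB cut-off stands in for the post's "around 10MB"; tune as needed.
THRESHOLD_BYTES=${THRESHOLD_BYTES:-5242880}

# scan_bun_env ROOT...
# Prints one line per hit: "<verdict> <bytes> <path>".
# Returns 0 if no large hit was found, 1 if at least one was, 2 on setup failure.
# Paths containing newlines are not handled.
scan_bun_env() {
    found_large=0
    for root in "$@"; do
        [ -d "$root" ] || continue
        # A temp file avoids a pipeline subshell, so found_large survives the loop.
        hits=$(mktemp) || return 2
        find "$root" -type f -name 'bun_environment.js' 2>/dev/null > "$hits"
        while IFS= read -r path; do
            size=$(wc -c < "$path" | tr -d ' ')
            if [ "$size" -ge "$THRESHOLD_BYTES" ]; then
                verdict=SUSPECT
                found_large=1
            else
                verdict=small
            fi
            printf '%s %s %s\n' "$verdict" "$size" "$path"
        done < "$hits"
        rm -f "$hits"
    done
    return "$found_large"
}

# Run only when roots are given on the command line, e.g.:
#   sh scan.sh ./node_modules ~/.npm
if [ "$#" -gt 0 ]; then
    scan_bun_env "$@"
fi
```

A non-zero exit status makes the function usable as a gate in a CI step or pre-install hook.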