#Tag · bonfire.cafe

nullagent boosted

nullagent

@nullagent@partyon.xyz · 2 months ago

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

https://github.com/datapartyjs/walk-without-rhythm

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

./is-npm-still-dangerous
Reads the data/infected-pkgs.txt
Downloads the latest package metadata for every known infected package
Downloads the current latest package.tgz
Uncompresses and scans the latest version using ./check-projects
Depending upon the scan result
./is-npm-still-dangerous

capacitor-voice-recorder-wav 6.0.3 - STILL COMPROMISED
haufe-axera-api-client 0.0.2 - STILL COMPROMISED
hyper-fullfacing 1.0.3 - STILL COMPROMISED
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2 - STILL COMPROMISED
my-saeed-lib 0.1.1 - STILL COMPROMISED
quickswap-ads-list 1.0.33 - STILL COMPROMISED
@seung-ju/react-native-action-sheet 0.2.1 - STILL COMPROMISED
tcsp 2.0.2 - STILL COMPROMISED
web-types-lit 0.1.1 - STILL COMPROMISED
web-types-lit 0.1.1 - STILL COMPROMISED
Found 9 npm-reports/npm-latest-bad.txt packages STILL compromised!

See npm-reports/npm-latest-bad.txt for full listing.
Warning - Most people probably don't need to run this. It causes a lot of NPM traffic. Warning - There's a few packages this fails to download and check (likely bc's they are hosted outside of NPMjs.org) — ./is-npm-still-dangerous Reads the data/infected-pkgs.txt Downloads the latest package metadata for every known infected package Downloads the current latest package.tgz Uncompresses and scans the latest version using ./check-projects Depending upon the scan result ./is-npm-still-dangerous capacitor-voice-recorder-wav 6.0.3 - STILL COMPROMISED haufe-axera-api-client 0.0.2 - STILL COMPROMISED hyper-fullfacing 1.0.3 - STILL COMPROMISED @ifelsedeveloper/protocol-contracts-svm-idl 0.1.2 - STILL COMPROMISED my-saeed-lib 0.1.1 - STILL COMPROMISED quickswap-ads-list 1.0.33 - STILL COMPROMISED @seung-ju/react-native-action-sheet 0.2.1 - STILL COMPROMISED tcsp 2.0.2 - STILL COMPROMISED web-types-lit 0.1.1 - STILL COMPROMISED web-types-lit 0.1.1 - STILL COMPROMISED Found 9 npm-reports/npm-latest-bad.txt packages STILL compromised! See npm-reports/npm-latest-bad.txt for full listing. Warning - Most people probably don't need to run this. It causes a lot of NPM traffic. Warning - There's a few packages this fails to download and check (likely bc's they are hosted outside of NPMjs.org)

nullagent

@nullagent@partyon.xyz · 2 months ago

I was able to track down 3 out of the remaining 5 affected packages and posted bug reports & security alerts to those developers I located.

Sure would be nice if NPM and GitHub did this automatically.... kinda feel like I've done an awful lot of free labor for Microsoft this week.

https://github.com/datapartyjs/walk-without-rhythm/issues/13

#Sha1Hulud #microsoft #npm

nullagent

@nullagent@partyon.xyz replied · 2 months ago

Just checked back on the Sha1-Hulud virus/worm. FINALLY npm appears free of obviously infected packages.

I still however am seeing infected machines posting their private data publicly on GitHub.

Not only that, I can see infected developer's github repos are being defaced in realtime.

These microsoft owned platforms seem to be really struggling with stopping this worm.

Query for defaced repos 👇🏿

https://github.com/search?q=api.airforce&type=repositories&s=updated&o=desc

#NPM #microsoft #github #Sha1Hulud #WalkWithoutRhythm #cybersecurity

nullagent and 1 other boosted

nullagent

@nullagent@partyon.xyz · 2 months ago

I've spent the last few hours writing down my scripts for detecting this so you can use them!

I'm hitting on two or three ways to detect it and will be adding more.

Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭

Maybe let the node developers in your life know about this tool 👇🏿

https://github.com/datapartyjs/walk-without-rhythm

#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity

nullagent and 1 other boosted

Federation Bot

@Federation_Bot · 2 months ago

I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).

Linked them all from my readme in case those work better for you.

Best way to beat a work like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.

By using more than one hopefully we make the attackers job harder to evade all of us.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools

#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft

nullagent boosted

nullagent

@nullagent@partyon.xyz · 2 months ago

At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

nullagent boosted

nullagent

@nullagent@partyon.xyz · 2 months ago

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴

https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript

nullagent

@nullagent@partyon.xyz · 2 months ago

Updated my listing of Sha1-Hulud detection tools.

I now have found at least 12 other tools for detecting Sha1-Hulud compromise on your dev box and in infrastructure.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-sha1-hulud-112425-detection-tools

#WalkWithoutRhythm #Sha1Hulud #npm #github #nodejs #javascript #cybersecurity #devops

Similar Sha1-Hulud 11/24/25 Detection Tools
Links to other projects provided with no warranty express or implied.

https://github.com/TimothyMeadows/sha1hulud-scanner
https://github.com/mottibec/sha1hulud-scanner
https://github.com/gensecaihq/Shai-Hulud-2.0-Detector
https://github.com/tprinty/sha1hulud-action-detector
https://github.com/da1z/amihulud
https://github.com/bobberg/sha1-hulud-folder-checker
https://github.com/servusdei2018/sha1-halud-scan
https://github.com/kevcooper/fremkit
https://github.com/ysskrishna/shai-hulud-detector
https://github.com/Cobenian/shai-hulud-detect
GitHub Scanners
https://github.com/ysskrishna/shai-hulud-detector
panther-labs/panther-analysis#1826 — Similar Sha1-Hulud 11/24/25 Detection Tools Links to other projects provided with no warranty express or implied. https://github.com/TimothyMeadows/sha1hulud-scanner https://github.com/mottibec/sha1hulud-scanner https://github.com/gensecaihq/Shai-Hulud-2.0-Detector https://github.com/tprinty/sha1hulud-action-detector https://github.com/da1z/amihulud https://github.com/bobberg/sha1-hulud-folder-checker https://github.com/servusdei2018/sha1-halud-scan https://github.com/kevcooper/fremkit https://github.com/ysskrishna/shai-hulud-detector https://github.com/Cobenian/shai-hulud-detect GitHub Scanners https://github.com/ysskrishna/shai-hulud-detector panther-labs/panther-analysis#1826

nullagent

@nullagent@partyon.xyz replied · 2 months ago

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

https://github.com/datapartyjs/walk-without-rhythm

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

nullagent

@nullagent@partyon.xyz · 2 months ago

I've updated my suggestions to include links and info on how to get fine grained control over the scripts your projects run at compile time.

There's two fairly interesting community projects that seem to address this part of the problem and make it possible to disable most install scripts while keeping the ones your project actually requires.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#steps-to-take

#Sha1Hulud #NPM #nodejs #javascript

Steps to take
Turn on Multi-Factor Authentication (MFA / 2FA) immediately on your NPM & GitHub accounts (and all other key infra). Change and review passwords for cloud services you use.
You probably shouldn't run any npm install or npm update commands until NPM and GitHub have official mitigations in place.
Before doing anything else you probably should check for signs of comproise. This can be done manually or using this repo or other similar scanning tools. If you DO continue working from an infected machine you risk having your personal data stolen or destroyed by this worm.
After verifying that your system has not already been compromised you can likely safely work as normal but you should avoid upgrading or installing any different package versions. Its not fully clear at the time of posting if NPM is taking down infected packages we're still finding infected packages for download on NPM at this time.
Before installing a new version of a package, you can download a .tgz archive using the command npm pack <package-name>. This does not install the package. You can then uncompress the package and check it for signs of compromise.
Consider disabling install scripts
npm install --ignore-scripts - Ignore install scripts
npm config set ignore-scripts true - Ignore install scripts user wide
"Package install scripts vulnerability" - NPM blog post from 2016 explaining worm mitigations
Consider using a tool for fine grained script management — Steps to take Turn on Multi-Factor Authentication (MFA / 2FA) immediately on your NPM & GitHub accounts (and all other key infra). Change and review passwords for cloud services you use. You probably shouldn't run any npm install or npm update commands until NPM and GitHub have official mitigations in place. Before doing anything else you probably should check for signs of comproise. This can be done manually or using this repo or other similar scanning tools. If you DO continue working from an infected machine you risk having your personal data stolen or destroyed by this worm. After verifying that your system has not already been compromised you can likely safely work as normal but you should avoid upgrading or installing any different package versions. Its not fully clear at the time of posting if NPM is taking down infected packages we're still finding infected packages for download on NPM at this time. Before installing a new version of a package, you can download a .tgz archive using the command npm pack <package-name>. This does not install the package. You can then uncompress the package and check it for signs of compromise. Consider disabling install scripts npm install --ignore-scripts - Ignore install scripts npm config set ignore-scripts true - Ignore install scripts user wide "Package install scripts vulnerability" - NPM blog post from 2016 explaining worm mitigations Consider using a tool for fine grained script management

nullagent

@nullagent@partyon.xyz replied · 2 months ago

Updated my listing of Sha1-Hulud detection tools.

I now have found at least 12 other tools for detecting Sha1-Hulud compromise on your dev box and in infrastructure.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-sha1-hulud-112425-detection-tools

#WalkWithoutRhythm #Sha1Hulud #npm #github #nodejs #javascript #cybersecurity #devops

nullagent

@nullagent@partyon.xyz · 2 months ago

Now that the acute phase is slowing there's a VERY important question...

What is actual fucking value does Microsoft (a trillion dollar company) owning GitHub & NPM bring at all?

This shit was an absolute corporate buyout disaster. How the ever living fuck has microsoft owned NPM for FIVE years and still not done proper MFA requirements for publishing packages on NPM.

How the actual fuck are well known vulnerable packages STILL being propagated by NPM.

#microsoft #NPM #GitHub

A three panel meme

Top - "Hack the planet" shouts a man being forced into a police car

Center - A hacker in a ski mask at a computer works. "Some dune nerd"

Bottom - "Wait, no not like that!" -Microsoft — A three panel meme Top - "Hack the planet" shouts a man being forced into a police car Center - A hacker in a ski mask at a computer works. "Some dune nerd" Bottom - "Wait, no not like that!" -Microsoft

nullagent

@nullagent@partyon.xyz replied · 2 months ago

nullagent

@nullagent@partyon.xyz · 2 months ago

I'm quickly finding a mix of packages which were compromised, some were months ago and had the bad versions taken down.

However at the same time I'm noticing packages like the one below that were -just- hacked 19 hours ago and still have not been taken down yet!

With how this worm works its a bit of a pencils down moment... you probably should check your packages right now.

https://www.npmjs.com/package/capacitor-voice-recorder-wav?activeTab=code

#nodejs #npm #ShaiHulud #javascript

nullagent

@nullagent@partyon.xyz · 2 months ago

Taking a second to understand the attack rate. I constructed this query below which shows you essentially an up to date listing of developers/code that's been compromised.

Once your box is infected and PII data has been found the worm then uses your github credentials to upload that content so ANYONE can now steal your credentials.

I'm finding multiple repos being popped every minute. This is an extremely active attack right now.

https://github.com/search?q=%22Sha1-Hulud%3A+The+Second+Coming.%22&type=repositories&s=updated&o=desc

#nodejs #npm #cybersecurity #github

And to be clear this is NOT an all clear just yet. Why?

1. There remain known malicious packages STILL available for download on NPM (and I can see evidence of active downloads)

https://partyon.xyz/@nullagent/115607663085751105

2. Infected computers and servers are STILL posting stolen PII to public githubs for the world to see. GitHub has just gotten a tad faster at taking them down.

https://partyon.xyz/@nullagent/115607844583101135

So this is a smoldering fire still and we need to stay vigilant.

#Sha1Hulud #WalkWithoutRhythm

nullagent

@nullagent@partyon.xyz · 2 months ago

Just finished landing Exit Code support. So now if more scanners are made or one of the projects gets more features you can quickly switch to whichever makes the most sense for your use case!

I literally lost a ton of sleep on this volunteer incident response work so I'm going to go touch grass for a bit.

More hacks later tonight, still got some loose ends gnawing at me lol.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#how-to-use

#nodejs #npm #javascript #Sha1Hulud #WalkWithoutRhythm #Sha1HuludScanner #cybersecurity

Federation Bot

@Federation_Bot replied · 2 months ago

I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).

Linked them all from my readme in case those work better for you.

Best way to beat a work like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.

By using more than one hopefully we make the attackers job harder to evade all of us.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools

#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft

nullagent

@nullagent@partyon.xyz · 2 months ago

The fork of the CrowdStrike scanner introduced me to a really good idea, I should support the same exit code design so that our tools can work in tandem.

Maybe we detect different things or maybe one vs the other works in your environment.

So I made an issue to track this support:

https://github.com/datapartyjs/walk-without-rhythm/issues/18

#CrowdStrike #Sha1HuludScanner #WalkWithoutRhythm #cybersecurity #npm #nodejs

nullagent

@nullagent@partyon.xyz replied · 2 months ago

Just finished landing Exit Code support. So now if more scanners are made or one of the projects gets more features you can quickly switch to whichever makes the most sense for your use case!

I literally lost a ton of sleep on this volunteer incident response work so I'm going to go touch grass for a bit.

More hacks later tonight, still got some loose ends gnawing at me lol.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#how-to-use

#nodejs #npm #javascript #Sha1Hulud #WalkWithoutRhythm #Sha1HuludScanner #cybersecurity

nullagent

@nullagent@partyon.xyz · 2 months ago

I located a second tool for detecting Sha1-Hulud infections. Haven't looked at the details of how it works.

Some notes:

This one appears to have been released by CrowdStrike and was paywalled. Someone decided to modify and release it publicly so license is unknown.

But awesome to see I'm in the big leagues with CrowdStrike and I maybe the first clean open source release of a tool for this.

https://github.com/TimothyMeadows/sha1hulud-scanner

#Sha1Hulud #Sha1HuludScanner #NPM #nodejs #cybersecurity #opensource

nullagent

@nullagent@partyon.xyz replied · 2 months ago

The fork of the CrowdStrike scanner introduced me to a really good idea, I should support the same exit code design so that our tools can work in tandem.

Maybe we detect different things or maybe one vs the other works in your environment.

So I made an issue to track this support:

https://github.com/datapartyjs/walk-without-rhythm/issues/18

#CrowdStrike #Sha1HuludScanner #WalkWithoutRhythm #cybersecurity #npm #nodejs

nullagent

@nullagent@partyon.xyz · 2 months ago

If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.

Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day(to you know, make money) but instead I'm doing worm mitigation 😭

https://ko-fi.com/nullagent
https://ko-fi.com/dataparty

#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm

Ko-fi

Support nullagent

Support nullagent's work with a donation

1 more link(s)

nullagent

@nullagent@partyon.xyz replied · 2 months ago

Making my morning rounds and I can see thath there are STILL infected packages that were already detected by cybersecurity analyst available on NPM this morning.

So I'm taking the time to go and personally message teams that haven't taken down their hacked packages.

Tracking that work with these two issues. I'm both manually spot checking the list and working on a script to automate that check. Moar PRs soon . . .

https://github.com/datapartyjs/walk-without-rhythm/issues/13

https://github.com/datapartyjs/walk-without-rhythm/issues/12

#ShaiHulud #WalkWithoutRhythm

nullagent

@nullagent@partyon.xyz · 2 months ago

What's the big deal with this worming supply chain attack?

Well it seems that the attackers may have forced GitHub and NPM into inaction.

The worm is designed to take revenge on infected users if too many of the infected packages are taken off NPM or if GitHub takes down the stolen user data.

So in the mean time that means us developers and users will need to stop and remove the infection as quickly as possible ourselves to protect your systems.

https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/

#GitLab #ShalHulud

nullagent

@nullagent@partyon.xyz replied · 2 months ago

Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day(to you know, make money) but instead I'm doing worm mitigation 😭

https://ko-fi.com/nullagent
https://ko-fi.com/dataparty

#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm

Ko-fi

Support nullagent

Support nullagent's work with a donation

Ko-fi

Buy Dataparty a Coffee

Become a supporter of Dataparty today!

nullagent

@nullagent@partyon.xyz · 2 months ago

At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

nullagent

@nullagent@partyon.xyz replied · 2 months ago

Woot ok now that I have the dependency graph crawled I can just ship the listing of known bad NPM packages and just compare directly against that.

I updated the scanning script to alert if you have -any- version of an infected package.

You're gonna want to be very careful if you're not infected but have one of these dependencies present.

https://github.com/datapartyjs/walk-without-rhythm/blob/main/data/infected-pkgs-versions.txt

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

nullagent

@nullagent@partyon.xyz · 2 months ago

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴

https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript

nullagent

@nullagent@partyon.xyz replied · 2 months ago

At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

nullagent

@nullagent@partyon.xyz · 2 months ago

I've spent the last few hours writing down my scripts for detecting this so you can use them!

I'm hitting on two or three ways to detect it and will be adding more.

Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭

Maybe let the node developers in your life know about this tool 👇🏿

https://github.com/datapartyjs/walk-without-rhythm

#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity

nullagent

@nullagent@partyon.xyz replied · 2 months ago

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴

https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript

nullagent

@nullagent@partyon.xyz · 2 months ago

Ok I've downloaded some of the compromised packages and you can search your already downloaded node modules for possibly infected packages using this command:

find ./node_modules -type f -name "bun_environment.js"

You can check your user level node cache using:

find ~/.npm -type f -name "bun_environment.js"

Still sizing this one up but if you get any hits check and see if they are big files (around 10MB) and if so you're likely infected.

#nodejs #npm

nullagent

@nullagent@partyon.xyz replied · 2 months ago

I've spent the last few hours writing down my scripts for detecting this so you can use them!

I'm hitting on two or three ways to detect it and will be adding more.

Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭

Maybe let the node developers in your life know about this tool 👇🏿

https://github.com/datapartyjs/walk-without-rhythm

#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity