An ongoing supply chain attack has compromised multiple npm packages published by CrowdStrike, extending a malicious campaign known as the “Shai-Hulud attack.”
The incident, which involves the same malware previously used to target the popular tinycolor package, highlights the persistent threat of supply chain vulnerabilities within the open-source ecosystem.
The npm registry acted swiftly to remove the affected packages, but developers and organizations are urged to take immediate action to mitigate potential damage.
The compromise originated from the crowdstrike-publisher npm account and has been identified as a continuation of the Shai-Hulud supply chain campaign.
The malware deployed is identical to the one observed in the tinycolor incident, indicating a consistent modus operandi by the threat actors.
The core of the attack is a malicious bundle.js script embedded within the compromised packages. Once executed, this script initiates a multi-stage process designed to steal sensitive credentials and establish persistence within victim environments.
According to Socket.dev, the script begins by downloading and running TruffleHog, a legitimate open-source tool designed to scan for secrets and credentials.
By leveraging a trusted tool, the attackers attempt to evade detection while they search the host system for valuable assets like API tokens and cloud credentials.
Once discovered, these secrets are validated to ensure they are active. The malware then creates unauthorized GitHub Actions workflows in compromised repositories, enabling the attackers to maintain access and automate further malicious activities. All exfiltrated data is sent to a hardcoded webhook endpoint controlled by the attackers.
Ongoing npm Supply Chain Attack
A significant number of packages and specific versions were compromised in this attack, spanning a range of CrowdStrike’s development tools.
The affected packages include multiple versions of @crowdstrike/commitlint, @crowdstrike/glide-core, @crowdstrike/logscale-dashboard, and eslint-config-crowdstrike, among others.
Package Name                          Affected Version(s)
@crowdstrike/commitlint               8.1.1, 8.1.2
@crowdstrike/falcon-shoelace          0.4.2
@crowdstrike/foundry-js               0.19.2
@crowdstrike/glide-core               0.34.2, 0.34.3
@crowdstrike/logscale-dashboard       1.205.2
@crowdstrike/logscale-file-editor     1.205.2
@crowdstrike/logscale-parser-edit     1.205.1, 1.205.2
@crowdstrike/logscale-search          1.205.2
@crowdstrike/tailwind-toucan-base     5.0.2
The SHA-256 hash of the malicious bundle.js file has been identified as 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09.
In response to this incident, security experts have issued clear guidance for developers and security teams. The primary recommendation is to immediately uninstall the affected package versions or pin dependencies to known-good releases until patched versions are verified as safe.
Organizations are strongly advised to conduct thorough audits of CI/CD pipelines, developer laptops, and any other environments where the malicious packages may have been installed.
Any npm tokens or other secrets exposed on these systems should be rotated immediately. Furthermore, continuous monitoring of logs for unusual npm publish events or unauthorized package modifications is crucial to detect any follow-on activity.
The post CrowdStrike npm Packages Compromised in Ongoing Supply Chain Attack appeared first on Cyber Security News.