Massive Supply Chain Attack: Zapier’s NPM Account Compromised by Shai Hulud Malware
In a significant escalation of software supply chain attacks, the NPM accounts of automation leader Zapier and the Ethereum Name Service (ENS) have been compromised. This breach, identified by Aikido Security, is attributed to the same threat actors behind the Shai Hulud self-propagating worm that first emerged in September. Dubbed Shai Hulud: The Second Coming, this latest campaign has infiltrated multiple core packages and generated over 19,000 public repositories containing stolen credentials.
The Nature of the Attack
Unlike traditional malware, this attack employs a self-replicating worm capable of rapid expansion. Upon installation of an infected package, the malware activates to harvest sensitive information, including NPM tokens, GitHub Personal Access Tokens (PATs), and cloud infrastructure keys. These stolen credentials are then immediately used to propagate the infection further, creating a cascading effect throughout the open-source community. The speed of this propagation is alarming, with the impact surpassing the initial September campaign within just five hours of detection.
Data Exfiltration Tactics
The primary objective of this attack appears to be maximum disruption and data exposure. The malware runs TruffleHog, an open-source secret-scanning tool, to locate credentials in infected environments and then exfiltrates what it finds. The attackers are not merely hoarding these credentials; they are publishing them on GitHub in repositories titled Shai Hulud: The Second Coming. This public exposure greatly increases the risk, as it allows other malicious actors to exploit the exposed keys before organizations can rotate them. The sheer volume of created repositories suggests a highly automated execution intended to overwhelm security teams and incident responders.
Compromised Packages
The following packages have been confirmed as compromised and should be considered actively malicious:
Zapier Ecosystem:
– `zapier-platform-core`
– `zapier-platform-cli`
– `zapier-platform-schema`
– `@zapier/secret-scrubber`
ENS Ecosystem:
– `@ensdomains/ens-validation`
– `@ensdomains/content-hash`
– `ethereum-ens`
– `@ensdomains/react-ens-address`
– `@ensdomains/ens-contracts`
– `@ensdomains/ensjs`
– `@ensdomains/ens-archived-contracts`
– `@ensdomains/dnssecoraclejs`
Organizations utilizing any of these packages must assume a full compromise of their development environments. Immediate action is required to mitigate potential damage.
Recommended Actions
1. Credential Rotation: Immediately rotate all GitHub, NPM, and cloud credentials to prevent unauthorized access.
2. Dependency Audit: Conduct a thorough audit of all dependencies. Specifically, scan GitHub organizations and employee accounts for repositories matching the Shai Hulud description.
3. Disable Post-Install Scripts: Temporarily disable NPM post-install scripts in CI/CD pipelines where possible to halt further spread.
4. Enforce Multi-Factor Authentication (MFA): Implement MFA for all package maintainers to enhance security.
5. Lock Dependency Versions: Lock dependency versions and utilize tools like SafeChain to block the automatic execution of this malware while the ecosystem recovers.
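As an added example (not code from this advisory, from Aikido Security, or from Zapier), the following Python script applies steps 2 and 3 above to a Node.js project offline: it audits a package-lock.json for the package names listed under Compromised Packages, covering transitive copies in both the lockfile v2/v3 and v1 layouts, and it rewrites .npmrc contents so that ignore-scripts=true (a real npm configuration key that stops preinstall/install/postinstall scripts from running). The sample lockfile, its version strings and the function names are constructed for the demonstration; the advisory does not name malicious version numbers, so every listed package name is flagged regardless of version.

```python
"""Lockfile audit and install-script hardening for the packages named above.

Added example: not code from the advisory or from Aikido Security.
"""
import json
import sys

# Package names listed as compromised in the Compromised Packages section above.
COMPROMISED = {
    "zapier-platform-core", "zapier-platform-cli", "zapier-platform-schema",
    "@zapier/secret-scrubber",
    "@ensdomains/ens-validation", "@ensdomains/content-hash", "ethereum-ens",
    "@ensdomains/react-ens-address", "@ensdomains/ens-contracts",
    "@ensdomains/ensjs", "@ensdomains/ens-archived-contracts",
    "@ensdomains/dnssecoraclejs",
}


def package_name_from_path(path):
    """Map a lockfile v2/v3 install path to a package name.

    'node_modules/a/node_modules/@scope/b' -> '@scope/b'; the root entry ""
    (and workspace paths without node_modules) return None.
    """
    marker = "node_modules/"
    idx = path.rfind(marker)
    return None if idx == -1 else path[idx + len(marker):]


def find_compromised(lock):
    """Return sorted (name, version, install_path) tuples for flagged packages.

    Supports lockfileVersion 2/3 (flat "packages" map keyed by install path)
    and lockfileVersion 1 (nested "dependencies" tree). Transitive
    dependencies are covered because every installed copy has its own entry.
    """
    hits = set()
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            name = meta.get("name") or package_name_from_path(path)
            if name in COMPROMISED:
                hits.add((name, meta.get("version", "?"), path))
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name in COMPROMISED:
                    hits.add((name, meta.get("version", "?"), path))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def harden_npmrc(text):
    """Return .npmrc contents with ignore-scripts=true, replacing any prior setting.

    With ignore-scripts set, npm does not run preinstall/install/postinstall
    scripts, which is the hook an install-time worm relies on.
    """
    kept = [line for line in text.splitlines()
            if line.split("=", 1)[0].strip() != "ignore-scripts"]
    kept.append("ignore-scripts=true")
    return "\n".join(kept) + "\n"


# Constructed sample lockfile (v3 layout). Versions are placeholders for the
# demonstration only; the advisory does not give malicious version numbers.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/zapier-platform-core": {"version": "0.0.0-sample"},
    "node_modules/zapier-platform-core/node_modules/@ensdomains/content-hash":
      {"version": "0.0.0-sample"}
  }
}
""")


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_compromised(lock)
    for name, version, path in hits:
        print(f"FLAGGED {name}@{version} at {path}")
    print("clean" if not hits else f"{len(hits)} flagged package(s)")
```

Run it against each repository's package-lock.json in CI as a blocking check; a flagged result means the environment should be treated as compromised per the advisory, not just the one package removed. Note that ignore-scripts=true also suppresses legitimate install scripts (native add-ons, for example), so packages that need them must be rebuilt deliberately once the ecosystem has recovered.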
Indicators of Compromise (IoCs):
– Repository Name Pattern: Shai Hulud: The Second Coming
– Malware Behavior: Automated execution of TruffleHog for secret scanning
– Targeted Assets: NPM Tokens, GitHub PATs, Cloud Keys
– Public Repository Count: Over 19,000 malicious repositories
Conclusion
This attack underscores the critical importance of securing software supply chains. The rapid propagation and public exposure of sensitive credentials highlight the need for robust security measures and vigilant monitoring. Organizations must act swiftly to mitigate the impact and prevent further exploitation.