Self-Replicating Worm Hits 180+ npm Packages to Steal Credentials in Latest Supply Chain Attack

Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that, at the time of the first reports, had affected more than 40 packages belonging to multiple maintainers.

“The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages,” supply chain security company Socket said.

The end goal of the campaign is to search developer machines for secrets using TruffleHog’s credential scanner and transmit them to an external server under the attacker’s control. The attack is capable of targeting both Windows and Linux systems.


The following packages have been identified as impacted by the incident –

  • angulartics2@14.1.2
  • @ctrl/deluge@7.2.2
  • @ctrl/golang-template@1.4.3
  • @ctrl/magnet-link@4.0.4
  • @ctrl/ngx-codemirror@7.0.2
  • @ctrl/ngx-csv@6.0.2
  • @ctrl/ngx-emoji-mart@9.2.2
  • @ctrl/ngx-rightclick@4.0.2
  • @ctrl/qbittorrent@9.7.2
  • @ctrl/react-adsense@2.0.2
  • @ctrl/shared-torrent@6.3.2
  • @ctrl/tinycolor@4.1.1, @4.1.2
  • @ctrl/torrent-file@4.1.2
  • @ctrl/transmission@7.3.1
  • @ctrl/ts-base32@4.0.2
  • encounter-playground@0.0.5
  • json-rules-engine-simplified@0.2.4, 0.2.1
  • koa2-swagger-ui@5.11.2, 5.11.1
  • @nativescript-community/gesturehandler@2.0.35
  • @nativescript-community/sentry@4.6.43
  • @nativescript-community/text@1.6.13
  • @nativescript-community/ui-collectionview@6.0.6
  • @nativescript-community/ui-drawer@0.1.30
  • @nativescript-community/ui-image@4.5.6
  • @nativescript-community/ui-material-bottomsheet@7.2.72
  • @nativescript-community/ui-material-core@7.2.76
  • @nativescript-community/ui-material-core-tabs@7.2.76
  • ngx-color@10.0.2
  • ngx-toastr@19.0.2
  • ngx-trend@8.0.1
  • react-complaint-image@0.0.35
  • react-jsonschema-form-conditionals@0.3.21
  • react-jsonschema-form-extras@1.0.4
  • rxnt-authentication@0.0.6
  • rxnt-healthchecks-nestjs@1.0.5
  • rxnt-kue@1.0.7
  • swc-plugin-component-annotate@1.9.2
  • ts-gaussian@3.0.6

The malicious JavaScript code (“bundle.js”) injected into each of the trojanized packages is designed to download and run TruffleHog, a legitimate secret scanning tool, using it to scan the host for tokens and cloud credentials, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.

“It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available,” Socket said. “It also attempts cloud metadata discovery that can leak short-lived credentials inside cloud build agents.”

The script then abuses the harvested GitHub personal access token to commit a GitHub Actions workflow under .github/workflows in the victim’s repositories, and exfiltrates the collected data to a webhook[.]site endpoint.

Developers are advised to audit their environments for the packages listed above and, if any are present on a machine that holds publishing credentials, to rotate npm tokens and any other secrets that may have been exposed.

“The workflow that it writes to repositories persists beyond the initial host,” the company noted. “Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design.”

StepSecurity, which also shared details of the campaign, said the attack demonstrates a concerning evolution in supply chain threats, given that the malware includes a self-propagating mechanism enabling automatic infection of downstream packages. This behavior creates a “cascading compromise across the ecosystem.”

More Packages Impacted

The ongoing npm supply chain incident, codenamed Shai-Hulud attack, has also leveraged the “crowdstrike-publisher” npm account to publish several trojanized packages –

  • @crowdstrike/commitlint@8.1.1, 8.1.2
  • @crowdstrike/falcon-shoelace@0.4.2
  • @crowdstrike/foundry-js@0.19.2
  • @crowdstrike/glide-core@0.34.2, 0.34.3
  • @crowdstrike/logscale-dashboard@1.205.2
  • @crowdstrike/logscale-file-editor@1.205.2
  • @crowdstrike/logscale-parser-edit@1.205.1, 1.205.2
  • @crowdstrike/logscale-search@1.205.2
  • @crowdstrike/tailwind-toucan-base@5.0.2
  • browser-webdriver-downloader@3.0.8
  • ember-browser-services@5.0.3
  • ember-headless-form-yup@1.0.1
  • ember-headless-form@1.1.3
  • ember-headless-table@2.1.6
  • ember-url-hash-polyfill@1.0.13
  • ember-velcro@2.2.2
  • eslint-config-crowdstrike-node@4.0.4
  • eslint-config-crowdstrike@11.0.3
  • monorepo-next@13.0.2
  • remark-preset-lint-crowdstrike@4.0.2
  • verror-extra@6.0.1
  • yargs-help-output@5.0.3

“After detecting several malicious Node Package Manager (npm) packages in the public npm registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” a CrowdStrike spokesperson told The Hacker News.

“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with npm and conducting a thorough investigation.”

The OX Security team, in its own analysis, said it found 34 compromised GitHub accounts containing a ‘Shai-Hulud’ repository, within which there is a “data.json” file holding an encoded JSON of the compromised information the attacker uploaded to the victim’s GitHub account.

Supply chain security company ReversingLabs characterized the incident as a “first of its kind self-replicating worm” compromising npm packages with cloud token stealing malware. The starting point is believed to be rxnt-authentication, a malicious version of which was published on npm on September 14, 2025, at 17:58:50 UTC.

“As a result, the npm maintainer ‘techsupportrxnt’ can be considered Patient Zero for this campaign,” security researcher Karlo Zanki said. “Once infected by Shai-Hulud, npm packages spawn attacks of their own by unknowingly allowing the worm to self-propagate through the packages they maintain.”

“Given the large number of package inter-dependencies in the npm ecosystem, it is difficult to predict who will get compromised next and how far Shai-Hulud could spread. As of this writing, RL has identified hundreds of npm packages that have been compromised by the Shai-Hulud malware.”

Exactly how the “techsupportrxnt” npm account was compromised is key to unlocking the attack’s origin, although the possibility of a phishing email or the exploitation of a vulnerable GitHub action cannot be ruled out, ReversingLabs said.

Besides compromising an npm developer account to trojanize other packages by publishing new versions with the malware injected, the worm-like malware also tries to create a public copy of every private repository belonging to the compromised user, likely in an attempt to harvest secrets hard-coded in those repositories and steal source code.


The newly created repositories carry the suffix “-migration” appended to their original name, reminiscent of the s1ngularity attack targeting the nx build system late last month.

“The design and functional overlap of the nx campaign with the Shai-Hulud worm we detected is significant,” Zanki said. “What is even more concerning is the automated spreading of malware to the packages maintained by the compromised npm accounts.”

Cloud security firm Wiz has also drawn parallels between the two activity clusters, assessing the latest campaign to be “directly downstream” of the s1ngularity attack. Stating it to be “one of the most severe JavaScript supply chain attacks observed to date,” the company is urging immediate action to remove malicious versions of the packages and upgrade to a clean release.

“One of the most striking features of this attack is that it behaves like a true worm,” Aikido researcher Charlie Eriksen said. “This cycle allows the malware to continuously infect every package a maintainer has access to.”

“Each published package becomes a new distribution vector: as soon as someone installs it, the worm executes, replicates, and pushes itself further into the ecosystem. Once a single environment is compromised, the worm automates the spread by piggybacking on the maintainer’s own publishing rights.”

crates.io Phishing Campaign

The disclosure comes as the Rust Security Response Working Group is warning of phishing emails from a typosquatted domain, rustfoundation[.]dev, targeting crates.io users.

The messages, which originate from security@rustfoundation[.]dev, warn recipients of an alleged compromise of the crates.io infrastructure and instruct them to click on an embedded link to rotate their login information so as to “ensure that the attacker cannot modify any packages published by you.”

The rogue link, github.rustfoundation[.]dev, mimics a GitHub login page, indicating a clear attempt on the part of the attackers to capture victims’ credentials. The phishing page is currently inaccessible.

“These emails are malicious and come from a domain name not controlled by the Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing your GitHub credentials,” the Rust Security Response WG said. “We have no evidence of a compromise of the crates.io infrastructure.”

The Rust team also said they are taking steps to monitor any suspicious activity on crates.io, in addition to getting the phishing domain taken down.


Source: thehackernews.com…
