{"id":9088,"date":"2025-11-25T08:50:45","date_gmt":"2025-11-25T08:50:45","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=9088"},"modified":"2025-11-25T08:50:45","modified_gmt":"2025-11-25T08:50:45","slug":"shai-hulud-is-again-with-a-brand-new-marketing-campaign-infecting-extra-npm-packages","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=9088","title":{"rendered":"Shai-Hulud is again with a brand new marketing campaign infecting extra npm packages"},"content":{"rendered":"


\n<\/p>\n

\n \"\"\"\"<\/p>\n

A brand new malicious marketing campaign linked to the Shai-Hulud worm is making its approach all through the npm ecosystem. Based on findings from Wiz<\/a>, over 25,000 npm packages have been compromised and over 350 customers have been impacted.<\/p>\n

Shai-Hulud was a worm that contaminated the npm registry again in September<\/a>, and now a brand new worm spelled as Sha1-Hulud is showing within the ecosystem once more, although it’s unclear on the time of writing whether or not the 2 worms have been made by the identical menace actor.<\/p>\n

Wiz and Aikido researchers have confirmed that Sha1-Hulud was uploaded to the npm ecosystem between November twenty first and twenty third. In addition they say that tasks from Zapier, ENS Domains, PostHog, and Postman have been a few of the ones that have been trojanized, and newly compromised packages are nonetheless being found.<\/p>\n

Like Shai-Hulud, this new malware additionally steals developer secrets and techniques, although Garrett Calpouzos, principal safety researcher at Sonatype, defined that the mechanism is barely completely different, with two recordsdata as a substitute of 1. \u201cThe primary checks for and installs a non-standard \u2018bun\u2019 JavaScript runtime, after which makes use of bun to execute the precise relatively large malicious supply file that publishes stolen knowledge to .json recordsdata in a randomly named GitHub repository,\u201d he advised SD Instances.<\/p>\n

Wiz believes this preinstall-phase considerably will increase the blast radius throughout construct and runtime environments.<\/p>\n

Different variations, in keeping with Aikido<\/a>, are that it creates a repository of stolen knowledge with a random title as a substitute of a hardcoded title, can infect as much as 100 packages as a substitute of 20, and if it will probably\u2019t authenticate with GitHub or npm it wipes all recordsdata within the consumer\u2019s Residence listing.<\/p>\n

The researchers from Wiz advocate that builders take away and exchange compromised packages, rotate their secrets and techniques, audit their GitHub and CI\/CD environments, after which harden their pipelines by limiting lifecycle scripts in CI\/CD, limiting outbound community entry from construct programs, and utilizing short-lived scoped automation tokens.<\/p>\n

Sonatype\u2019s Calpouzos additionally stated that the dimensions and construction of the file confuses AI evaluation instruments as a result of it’s larger than the traditional context window, making it laborious for LLMs to maintain monitor of what they’re studying. He defined that he examined this out by asking ChatGPT and Gemini to investigate it, and has been getting completely different outcomes each time. It’s because the fashions are looking for apparent malware patterns, reminiscent of calls to suspicious domains, and aren\u2019t discovering any, resulting in the conclusion that the recordsdata are reliable.<\/p>\n

\u201cIt\u2019s a intelligent evolution. The attackers aren\u2019t simply hiding from people, they\u2019re studying to cover from machines too,\u201d Calpouzos stated.<\/p>\n<\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":"

A brand new malicious marketing campaign linked to the Shai-Hulud worm is making its approach all through the npm ecosystem. Based on findings from Wiz, over 25,000 npm packages have been compromised and over 350 customers have been impacted. Shai-Hulud was a worm that contaminated the npm registry again in September, and now a brand […]<\/p>\n","protected":false},"author":2,"featured_media":9090,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[396,5395,1116,2987,5393],"class_list":["post-9088","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software","tag-campaign","tag-infecting","tag-npm","tag-packages","tag-shaihulud"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9088"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9088\/revisions"}],"predecessor-version":[{"id":9089,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9088\/revisions\/9089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/9090"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}