The Second Coming of Shai-Hulud: How a New npm Worm is Compromising Thousands of Repositories in a Preinstall Nightmare

Listen to this Post

Featured Image

Introduction:

A sophisticated new variant of the Shai-Hulud supply chain attack is actively targeting the npm ecosystem, exploiting the `preinstall` script to execute malicious code before a package is even fully installed. This technique bypasses many traditional security controls and exposes both developer workstations and CI/CD pipelines to credential theft, repository infection, and further compromise. Security researchers at Wiz are tracking the campaign, which has already impacted over 25,000 repositories and continues to grow at an alarming rate.

Learning Objectives:

  • Understand the mechanism and heightened danger of preinstall script attacks in npm packages.
  • Learn how to detect and eradicate the Shai-Hulud worm from your development environment and CI/CD pipelines.
  • Implement hardening measures to protect against future software supply chain attacks.

You Should Know:

1. The Anatomy of a Preinstall Attack

The “Shai-Hulud” worm’s primary innovation lies in its execution trigger. Unlike post-install scripts, which run after a package’s dependencies are fetched, a `preinstall` script executes before the installation process begins. This allows the malware to operate in an environment with elevated permissions and potentially before security scanners can inspect the rest of the package contents.

Step-by-step guide explaining what this does and how to use it.
– Step 1: Initial Compromise. A developer or CI/CD pipeline runs `npm install` on a project that depends on a compromised package (e.g., eslint-config-ohko, klown-node).
– Step 2: Preinstall Execution. The malicious code defined in the `”preinstall”` key of the package’s `package.json` file is executed immediately. This script is often obfuscated to avoid detection.
– Step 3: Payload Delivery. The script fetches a second-stage payload from a remote command-and-control (C2) server. This payload is responsible for the core malicious activities.

2. Detection: Identifying Compromised Systems and Packages

Rapid detection is critical to containing the blast radius of this attack. You need to scan both your local environments and your code repositories.

Step-by-step guide explaining what this does and how to use it.
– Step 1: Scan for Malicious Packages. Use npm’s audit feature and specialized security tools to check your dependencies.
– Command (Linux/macOS): `npm audit –audit-level high`
– Command (PowerShell): Review your `package-lock.json` for known malicious package names and hashes published by Wiz and other security vendors.
– Step 2: Check for Unauthorized GitHub Access. The worm exfiltrates GitHub tokens. Check your GitHub account’s security log for suspicious access.
– Action: Go to GitHub.com -> Settings -> Security -> Security log. Look for entries like “oauth_authorization.create”.
– Step 3: Hunt for Network Indicators. Monitor outbound connections from your build systems for calls to known malicious IPs or domains associated with the campaign.

3. Incident Response: Eradicating the Threat

Once detected, a thorough cleanup is required to prevent re-infection.

Step-by-step guide explaining what this does and how to use it.
– Step 1: Immediate Isolation. Disconnect affected developer machines and pause any potentially compromised CI/CD pipelines.
– Step 2: Credential Rotation. This is the most critical step. Immediately revoke and rotate all exposed credentials, including:
– GitHub Personal Access Tokens (PATs)
– npm tokens
– SSH keys
– Cloud provider access keys (AWS, Azure, GCP)
– Step 3: Purge and Reinstall. Delete `node_modules` folders and `package-lock.json` files from infected projects. Perform a clean installation using verified, non-malicious packages.
– Commands:

rm -rf node_modules
rm package-lock.json
npm cache clean --force
npm install
  1. Hardening Your CI/CD Pipeline Against Supply Chain Attacks
    Your build system is a high-value target and must be fortified.

Step-by-step guide explaining what this does and how to use it.
– Step 1: Implement Dependency Allowlisting. Use tools like `npm-shrinkwrap.json` or lock down dependencies with specific hashes to prevent unexpected package changes.
– Step 2: Restrict Pipeline Permissions. Run your CI/CD jobs with the principle of least privilege. Do not assign excessive permissions (e.g., broad repository write access) to your build tokens.
– Step 3: Use Sandboxed Environments. Ensure your CI/CD runners are ephemeral and sandboxed, destroying themselves after each build to prevent persistent threats.

5. API Security: Protecting Your Tokens

The Shai-Hulud attack abuses legitimate APIs with stolen tokens. Protecting these tokens is paramount.

Step-by-step guide explaining what this does and how to use it.
– Step 1: Use Fine-Grained Tokens. Instead of tokens with broad scopes, use fine-grained Personal Access Tokens on GitHub that have the minimum required permissions for a specific task.
– Step 2: Enforce Short Token Lifespans. Configure tokens to expire after a short, defined period (e.g., 1-30 days) to reduce the window of opportunity for an attacker.
– Step 3: Monitor API Usage. Implement logging and alerting for unusual API patterns, such as a sudden spike in requests from a CI/CD system or access from unfamiliar geolocations.

6. Proactive Defense with Yarn and Configuration Lockdown

Alternative package managers and stricter configurations can reduce your attack surface.

Step-by-step guide explaining what this does and how to use it.
– Step 1: Consider Yarn with Selective Script Execution. Yarn allows you to disable the execution of install scripts, which can neutralize this specific threat.
– Command: `yarn install –ignore-scripts`
– Permanent Configuration: Set `enableScripts: false` in your `.yarnrc.yml` file.
– Step 2: Configure npm to Ignore Scripts. As a defensive measure, you can configure npm to not run any scripts.
– Command: `npm config set ignore-scripts true`
– Step 3: Implement Software Composition Analysis (SCA). Integrate a security scanner that checks for vulnerable and malicious dependencies directly in your version control system (e.g., GitHub Advanced Security, GitLab Dependency Scanning) to block malicious packages before they merge.

What Undercode Say:

  • The shift to preinstall scripts represents a significant escalation in software supply chain warfare, fundamentally changing the point of detection and forcing a reevaluation of current security models.
  • No organization is immune; the automated, worm-like propagation through CI/CD pipelines means that a single compromised dependency can lead to a cascading enterprise-wide security event.

The Shai-Hulud v2.0 campaign is a stark reminder that the software supply chain attack landscape is evolving faster than many defensive controls can keep up. Attackers are no longer just hiding in `postinstall` scripts; they are moving earlier in the installation lifecycle to gain a tactical advantage. This attack leverages the implicit trust we place in public package repositories and the high-permission environments of our build systems. The combination of credential theft, abuse of self-hosted runners for persistence, and the continuous seeding of new trojanized packages creates a self-sustaining attack loop. Defending against this requires a shift from reactive scanning to proactive, zero-trust policies for development environments, where scripts are disabled by default and credentials are scoped with surgical precision.

Prediction:

This “preinstall” technique will be rapidly adopted by other threat actors, leading to a wave of copycat attacks across npm, PyPI, and RubyGems in the next 6-12 months. The software industry will be forced to respond by fundamentally changing how package managers handle script execution, potentially leading to them being disabled by default. We will see a surge in the adoption of secure, fully-managed CI/CD solutions that offer stronger isolation, as the security risks of self-hosted runners become untenable for most organizations. The incident will accelerate the development and mandatory use of cryptographic software attestations and binary authorization for open-source packages.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Wizsecurity Big – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky