Supply-chain attack using NPM packages
Press release 25/18
A sophisticated “worm”, called “Shai-Hulud 2.0”, is spreading through the software development world, infecting trusted coding tools (“NPM packages”) used by millions of developers. Unlike typical cyberattacks targeting one company, this attack hijacks the software supply chain itself, poisoning the “building blocks” that developers worldwide use to create apps, websites, and business systems.
Why this is exceptionally dangerous: this malware operates like a contagion. When a developer installs an infected tool (even from a trusted source), the malware immediately looks for credentials and digital keys. It then uses those stolen credentials and digital keys to infect other software packages that the victim developer maintains, spreading to anyone who trusts them. Furthermore, the initial infection is hard to detect, because it infects computers via pre-install scripts the moment the installation process begins, often before security tools can intervene. This creates an exponential infection chain across the entire software ecosystem.
The malware then automatically publishes stolen credentials and digital keys on public websites. More alarmingly, the malware installs permanent backdoors that let attackers remotely control infected computers (via deployment of “self-hosted runners”), even after the malware is removed. These backdoors blend into normal work traffic (through GitHub), making them hard to detect. The installed backdoors pose an ongoing risk for future exploitation of corporate systems and cloud infrastructure.
Finally, it is important to note that the attack is spreading to other package ecosystems beyond NPM, meaning that this supply chain attack may continue in different forms.
Articles from security researchers are easily accessible online to help the supervised entities in their threat hunting practice.
CIRCL, the Computer Incident Center Luxembourg, published a report on this subject, including recommendations, available at this URL: https://www.circl.lu/pub/tr-97.
The CSSF strongly recommends that all supervised entities concerned take due note of this report and take action as appropriate.