Aikido Researcher Suggests New Variant Is Likely in Testing Phase

Researchers from Aikido have uncovered a potentially novel variant of the Shai Hulud malware, which has been responsible for a series of attacks targeting the npm JavaScript repository. The new variant appears to be in the beta testing phase, with no indication of widespread infections at this time.
Reportedly uploaded to npm via a GitHub repository named @vietmoney/react-big-calendar, this variant retains the Shai Hulud branding, which draws its name from the immense sandworms of the Dune science fiction series. These self-propagating attacks exploit vulnerabilities in the npm ecosystem, allowing malicious scripts to harvest sensitive data from developers’ environments.
Aikido researcher Charlie Eriksen noted that the continued absence of new packages or repositories associated with the malware since December 10 suggests attackers may be refining their methods rather than actively deploying the variant. “There does not appear to be any significant spread or infections,” he commented, implying that the threat actors might be in the preliminary stages of testing their payload.
The new variant features modifications to its initial file and primary payload, as well as enhanced error handling around TruffleHog, a tool designed to scan for sensitive data such as tokens and cloud credentials. These changes could reflect an adaptation to evade detection while maintaining its self-propagation capabilities.
The Shai Hulud campaign was first recognized in September, alongside reports of malicious JavaScript packages being downloaded by unwitting developers. These compromised packages contained scripts capable of collecting access tokens and updating themselves with harmful code, creating a cycle of self-propagation (see: Shai Hulud Burrows Into NPM Repository).
In November, security firm Upwind revealed another iteration referred to as Shai Hulud 2.0. The variant integrated itself into the npm installation process, automating its spread and infecting over 25,000 npm repositories, with new malicious repositories emerging at alarming rates (see: Breach Roundup: Shai-Hulud 2.0 Sparks Massive npm Supply Chain Breach).
Microsoft characterized this ongoing campaign as one of the most serious compromises within cloud-native ecosystems, while security analysts from Wiz urged a reevaluation of defenses in light of the severity of these supply chain attacks.
Given the evolving nature of the Shai Hulud malware and its continuous adaptation, organizations should remain vigilant against the tactics employed in these campaigns, including initial access and privilege escalation techniques outlined in the MITRE ATT&CK framework. The situation highlights the importance of robust cybersecurity measures in protecting against such sophisticated threats.