Shai Hulud sweeping through the JavaScript ecosystem... spreading autonomously through npm.
The “Shai Hulud” (sandworm) malware targeting the JavaScript development ecosystem continues to evolve, and the software supply chain attack it carries out has been confirmed to have escalated further. The latest analysis shows that the malware has moved beyond merely compromising individual packages: it turns developers into unwitting, continuously spreading carriers, giving it a mechanism for automatic propagation.
According to a report released by the security company Expel, a recent variant of Shai Hulud can automatically infect developer environments and spread through the npm packages those developers maintain. The malware executes from a trojanized npm package during the installation phase and carries out the infection in two steps. First, if the “Bun” JavaScript runtime is not present in the target environment, it installs it automatically; then, through a heavily obfuscated payload, it performs credential theft, data exfiltration, and re-infection in the background.
This variant is particularly notable for its sophisticated credential collection. It reaches directly into the secret management services of the major cloud providers, namely AWS Secrets Manager, Microsoft Azure Key Vault, and Google Cloud Secret Manager, to extract additional sensitive data. It has also been confirmed to harvest npm publish tokens, GitHub authentication tokens, and even cloud keys from the local system itself. The tool used for this is TruffleHog, which automatically searches source code, configuration files, Git history, and other locations for hardcoded secrets.
A characteristic tactic of Shai Hulud is its abuse of GitHub infrastructure. Instead of the earlier method of connecting to command-and-control (C2) servers, this malware uploads the stolen information to public repositories and registers the infected machines as self-hosted runners for GitHub Actions. This gives the attackers persistent remote access from outside; they then weaponize the accounts of infected developers to inject malicious code into other packages and expand the infection by automatically republishing the modified versions to npm.
The report states that, as of now, an estimated 25,000 or more repositories have been infected and hundreds of software packages have been affected, among them popular tools widely used in the open-source community.
Through this case, Expel warns that the “trust layer” of software supply chain security is no longer a safe zone. Although Shai Hulud attacked the JavaScript ecosystem, other language communities built on similar trust foundations, such as Python (PyPI), Ruby (RubyGems), and PHP (Composer), are likely exposed to similar attacks. The emergence of self-replicating malware targeting the development tool ecosystem could lead to more sustained and widespread threats in the future, and should be taken seriously.