Critical npm flaw lets attackers steal GitHub, AWS, Kubernetes secrets
Key Takeaways
- A widespread supply chain attack, dubbed “Shai-Hulud: Here We Go Again,” has compromised over 170 npm packages and two PyPI packages.
- The attacker group, TeamPCP, injected malicious loaders and obfuscated JavaScript payloads designed to steal sensitive credentials from developer machines and CI/CD pipelines.
- The malware exhibits worm-like behavior, self-replicating and spreading by using stolen credentials to inject malicious code into additional packages and republish them.
- Affected credentials include GitHub tokens, npm credentials, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, Docker credentials, and generic API keys.
- A “dead-man switch” mechanism is present, which triggers a destructive wipe of the infected machine if a stolen GitHub token is revoked before persistence is fully removed.
Widespread Supply Chain Attack Targets Developer Ecosystems
A sophisticated supply chain attack is currently impacting software developers globally, with more than 170 npm packages and two PyPI packages compromised in a coordinated credential theft campaign. This extensive operation poses a significant risk to development environments, given that the affected packages collectively receive over 200 million weekly downloads.
The threat actor, identified as TeamPCP, has embedded malicious loaders and obfuscated JavaScript payloads into widely used developer dependencies. These insidious payloads are engineered to operate covertly within developer workstations and Continuous Integration/Continuous Deployment (CI/CD) pipelines, systematically exfiltrating sensitive credentials and leveraging them to propagate the infection further. The sheer scale of this compromise has reportedly caught numerous development teams unprepared.
Researchers at JFrog, who uncovered the full scope of this campaign, have named it “Shai-Hulud: Here We Go Again,” noting its resemblance to previous attacks attributed to the same group. Their analysis indicates that this is not a one-off intrusion but a self-propagating mechanism designed for continuous expansion with each successful compromise.
How the Worm-like Malware Spreads
The attack vector originated within a trusted GitHub release environment. The attackers exploited a specific workflow pattern that permitted code from a forked repository to execute within a privileged context of the main repository. This initial breach allowed them to establish a foothold without immediately triggering security alerts. Subsequently, they corrupted a build cache entry, which was later restored during what appeared to be routine build processes, activating the malicious code.
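A defender can screen workflow files for this class of misconfiguration. The following is an added example, not code from JFrog or from the affected projects. The page does not name the trigger involved, so the example assumes the commonly documented case: a `pull_request_target` workflow that checks out the pull request's head and also uses `actions/cache`. The function name and both sample workflows are constructed for illustration.

```python
import re
# Text heuristics, not a YAML parser; the patterns are this example's assumptions.
PRIVILEGED_TRIGGER = re.compile(r"\bpull_request_target\b")
PR_HEAD_REF = re.compile(
    r"ref:\s*.*(github\.event\.pull_request\.head\.(sha|ref)|refs/pull/)")
CACHE_ACTION = re.compile(r"uses:\s*actions/cache(/|@)")

def audit_workflow(text):
    """Return findings for the text of one .github/workflows file."""
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))
    if not PRIVILEGED_TRIGGER.search(body):
        return []  # not the privileged trigger this check looks for
    if not PR_HEAD_REF.search(body):
        return []  # privileged, but no explicit checkout of pull-request code
    findings = ["privileged trigger checks out pull-request head code"]
    if CACHE_ACTION.search(body):
        findings.append("workflow also saves a cache that later builds can restore")
    return findings

# Constructed sample: fork code runs with the base repository's token and cache.
RISKY = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps-v1}
      - run: npm ci && npm test
"""
# Constructed sample: unprivileged trigger, read-only token, no cache step.
SAFER = """\
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFER))
```

A hit is a prompt for manual review of the job's permissions and steps, not a verdict, because the check works on text and does not resolve reusable workflows or composite actions.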
Once active, the malware extracted GitHub Actions identity tokens directly from the runner’s memory, exchanging them for npm publishing credentials. It then injected its malicious code into additional packages, incremented their version numbers, and republished these infected versions. Each compromised package thus became a launchpad for subsequent infections, demonstrating a potent, worm-like propagation method.
This campaign is particularly concerning due to its self-replicating nature. Rather than simply extracting credentials and ceasing activity, the malware actively seeks to expand its footprint. After acquiring npm tokens or trusted-publishing credentials, the payload enumerates all packages the compromised account has publishing rights to, re-injects them with malicious code, and pushes new, infected versions to the public registry. This ensures persistent and expanding access for the attackers.
Further enhancing its stealth, the malware can also request an OpenID Connect (OIDC) token for the npm registry, which it then exchanges for a publishing token. This process allows infected packages to appear as if they originate from verified, trusted sources, effectively masking the embedded malware.
The campaign’s reach extended beyond npm to the Python ecosystem, compromising two PyPI packages. The PyPI variant activates when the package is imported in any Python script; its loader then silently fetches a remote payload from attacker-controlled servers. This second-stage payload has since evolved into a comprehensive credential stealer, targeting cloud providers, Kubernetes, HashiCorp Vault, password managers, and various developer tools.
Credential Theft and the Dead-Man Switch
The npm payload is designed to harvest a broad array of sensitive credentials. This includes GitHub tokens, npm credentials, AWS access keys (obtained from environment variables and cloud metadata services), Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, Docker credentials, and other generic API keys. In cloud environments, it specifically queries the EC2 metadata service to directly retrieve IAM role credentials.
For data exfiltration, the malware uses GitHub itself. It creates a public repository using a stolen token, commits encrypted bundles of stolen credentials to it, and marks the repository with the campaign’s name for tracking. Commits containing stolen GitHub tokens are accompanied by a threatening message, warning defenders against revoking access.
This threat is enforced by a “dead-man switch.” The malware installs a background monitor that checks GitHub every 60 seconds. Should the stolen token be revoked, this monitor immediately triggers a destructive wipe command on the compromised machine. This mechanism presents a critical challenge for remediation: defenders must ensure all persistence mechanisms are completely removed before attempting to revoke any compromised credentials, to avoid inadvertently activating the wiper functionality.
JFrog strongly advises that all affected machines and CI/CD runners be isolated immediately. The first step in remediation is to thoroughly remove all persistence files and background services. Only after this initial cleanup should organizations proceed with rotating GitHub tokens, npm tokens, AWS credentials, Kubernetes service accounts, Vault tokens, and SSH keys.
Additionally, developers should meticulously review their repositories for commits authored by “[email protected]” and investigate any anomalous, Dependabot-like branches that deviate from established automation patterns.
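The repository review described above can be scripted. This is an added example, not tooling from JFrog or the article. The author address is redacted on the page, so `SUSPECT_EMAIL` is a placeholder to be replaced with the value from the advisory. The Dependabot author name and noreply address pattern are assumptions about GitHub's native Dependabot, and the sample lines are constructed.

```python
import re
import subprocess

# Placeholder: the address is redacted on the page; use the value from the advisory.
SUSPECT_EMAIL = "suspect-author@example.invalid"
# Assumed identity of genuine GitHub Dependabot commits.
BOT_NAME = "dependabot[bot]"
BOT_EMAIL = re.compile(r"^\d+\+dependabot\[bot\]@users\.noreply\.github\.com$")
BOT_LIKE_REF = re.compile(r"(^|/)dependabot[^/]*/", re.IGNORECASE)
REF_FORMAT = "%(refname:short)%09%(authorname)%09%(authoremail)%09%(objectname:short)"

def list_branch_tips(repo="."):
    """One tab-separated line per local and remote-tracking branch tip."""
    cmd = ["git", "-C", repo, "for-each-ref", "--format=" + REF_FORMAT,
           "refs/heads", "refs/remotes"]
    return subprocess.run(cmd, check=True, capture_output=True,
                          text=True).stdout.splitlines()

def audit_branch_tips(lines, suspect_email=SUSPECT_EMAIL):
    """Flag tips by the suspect address and bot-named branches with non-bot authors."""
    findings = []
    for line in lines:
        ref, name, email, sha = line.split("\t")
        email = email.strip("<>").lower()
        if email == suspect_email.lower():
            findings.append((ref, sha, "authored by suspect address"))
        elif BOT_LIKE_REF.search(ref) and not (
                name == BOT_NAME and BOT_EMAIL.match(email)):
            findings.append((ref, sha, "Dependabot-like branch, non-bot author"))
    return findings

# Constructed sample in REF_FORMAT; names, addresses and hashes are made up.
SAMPLE = [
    "origin/main\tAlice Dev\t<alice@example.com>\ta1b2c3d",
    "origin/dependabot/npm_and_yarn/lodash-4.17.21\tdependabot[bot]\t"
    "<1234567+dependabot[bot]@users.noreply.github.com>\tb2c3d4e",
    "origin/dependabot/npm_and_yarn/tooling-update\tBuild Helper\t"
    "<helper@example.com>\tc3d4e5f",
    "origin/feature/report\tSomeone\t<suspect-author@example.invalid>\td4e5f6a",
]

if __name__ == "__main__":
    # Author fields are set by whoever creates the commit, so a clean result
    # is not proof of integrity; it only rules out the obvious mismatches.
    for finding in audit_branch_tips(list_branch_tips()):
        print(*finding, sep="\t")
```

This inspects branch tips only; `git log --all --author=<address>` covers commits deeper in history.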


