CISA Alerts Organizations to Audit Dependencies After Major npm Supply Chain Attack
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to promptly review their software dependencies following a widespread supply chain attack targeting the Node Package Manager (npm) ecosystem. The attack, dubbed Shai-Hulud, involved a self-replicating worm that compromised over 500 software packages, according to StepSecurity.
The compromise allowed attackers to inject malware and search for sensitive credentials, including GitHub Personal Access Tokens and API keys for Amazon Web Services, Google Cloud Platform, and Microsoft Azure. The stolen credentials were then uploaded to a public repository named Shai-hulud. Palo Alto Networks’ Unit 42 researchers determined that the malicious script was written using a large language model (LLM), as detailed in an updated blog post released Tuesday.
GitHub responded to the incident Monday, taking action to mitigate the impact by removing more than 500 packages from the npm registry and blocking new packages containing indicators of compromise.
CISA recommends the following mitigation steps:
* Perform a comprehensive dependency review of all software utilizing npm packages.
* Search for cached versions of affected dependencies within artifact repositories and dependency management tools.
* Immediately rotate all developer credentials.
* Implement phishing-resistant multi-factor authentication on all developer accounts.
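One way to carry out the dependency-review step above is to check every pinned package in a project's lockfile against the published list of compromised name@version pairs. The following is an added example, not CISA's, npm's or any researcher's code; the indicator list and the sample lockfile are constructed placeholders, and it handles the nested tree of lockfileVersion 1 as well as the flat map of lockfileVersion 2 and 3.

```javascript
'use strict';

// Added example: scan a package-lock.json for dependencies pinned to
// known-compromised versions. PLACEHOLDER_IOCS is constructed; replace it
// with the published indicators for the incident being reviewed.
const PLACEHOLDER_IOCS = [
  'example-compromised-pkg@1.2.3',   // placeholder, not a real indicator
  '@example/affected-lib@4.5.6',     // placeholder, not a real indicator
];

// lockfileVersion 1: nested "dependencies" objects, one per install path.
function* walkV1(deps, parentPath = '') {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    yield [path, name, entry];
    yield* walkV1(entry.dependencies, `${path}/`);   // transitive deps
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function* walkV2(packages) {
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === '') continue;                        // root project entry
    const idx = path.lastIndexOf('node_modules/');    // nested and @scoped names
    yield [path, path.slice(idx + 'node_modules/'.length), entry];
  }
}

// Returns every installed package whose name@version is on the IoC list.
function findCompromisedDependencies(lockfile, iocs = PLACEHOLDER_IOCS) {
  const bad = new Set(iocs);
  const entries = lockfile.packages
    ? walkV2(lockfile.packages)
    : walkV1(lockfile.dependencies);
  const findings = [];
  for (const [path, name, entry] of entries) {
    if (bad.has(`${name}@${entry.version}`)) {
      findings.push({ path, name, version: entry.version, resolved: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample lockfile: a clean direct dependency that pulls in a
// compromised transitive one, which a top-level-only review would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/clean-lib': { version: '2.0.0', resolved: 'https://registry.example/clean-lib-2.0.0.tgz' },
    'node_modules/clean-lib/node_modules/@example/affected-lib': { version: '4.5.6', resolved: 'https://registry.example/affected-lib-4.5.6.tgz' },
  },
};

console.log(JSON.stringify(findCompromisedDependencies(SAMPLE_LOCK), null, 2));
```

Run it against each project's real lockfile and the lockfiles stored in artifact repositories, since cached copies of an affected version are just as dangerous as a fresh install.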