Shai-Hulud Supply Chain Attack Incident Response

The Shai-Hulud supply chain attack is a significant security incident that has caught the attention of the developer community. This attack involves the use of malicious packages in the npm ecosystem to compromise developer systems and steal sensitive information. In this post, we will outline the incident response steps that can be taken to contain and mitigate the impact of this attack.

For a detailed analysis of the attack and its implications, read more at SafeDep blog.

TL;DR

• Clone the repository github.com/safedep/shai-hulud-migration-response

1
git clone https://github.com/safedep/shai-hulud-migration-response.git && \
2
cd shai-hulud-migration-response

• Run the script to scan your filesystem for all open source packages using vet

1
./scripts/pv-scan.sh

• Run the query script to check for known malicious package versions

1
./scripts/pv-query.sh

• Run the following script to check for known malicious Javascript files by SHA256 hash

1
./scripts/pv-payload-hash-scan.sh

Incident Response Steps

If you believe you are affected by this attack, follow the steps below:

1. Scan your systems for indicators of compromise (IoCs) listed below
2. Rotate credentials available in compromised systems
3. Setup guardrails to prevent further compromise

Indicators of Compromise (IOCs)

SafeDep found following types of IOCs during the incident:

1. Malicious packages, maintained here
2. Malicious Javascript file checksums (SHA256), maintained here

These are the primary IOCs that are included in the scanning scripts. Following are additional IOCs observed during the incident:

• Credential collection URL: hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
• /tmp/data.json used to collect credentials using TruffleHog
• /tmp/processor.sh for collecting credentials
• /tmp/migrate-repos.sh for stealing private source code through GitHub

Rotate Credentials

The malicious payload delivered through the attack compromised credentials available in the infected systems. Rotate all known credentials, particularly the following:

• Npm credentials available in $HOME/.npmrc or $NPM_TOKEN environment variable
• GitHub credentials of developers using affected systems
• AWS credentials available in $HOME/.aws/credentials or $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY environment variables
• AWS credentials available in AWS Secrets Manager that were accessible from affected systems
• Google Cloud credentials and credentials stored in Google Cloud Secret Manager that were accessible from affected systems
• SSH private keys, especially if they were passwordless

The malicious payload also used TruffleHog to extract secrets from source code repositories available in the infected system. Consider running TruffleHog and rotating any secrets found in infected systems.

Setup Guardrails

• Install SafeDep vet or similar tools to scan open source packages for malicious code before merging pull requests or deploying code.
• Install SafeDep pmg or similar tools to prevent installation of malicious packages in developer machines.
• Consider migrating to pnpm version 10+ that disables npm lifecycle scripts by default