- Red Hat npm packages compromised with Mini Shai-Hulud variant
- Attackers target GitHub secrets and cloud credentials
- Copycat worm shows themed but similar tradecraft
Numerous Red Hat npm packages were recently compromised and tainted with a variant of the Mini Shai-Hulu worm, targeting GitHub Actions secrets, npm tokens, and other valuable information. Thousands of developers and projects are potentially at risk.
Recently, a single Red Hat employee has had their GitHub account compromised. The miscreants used the access to infiltrate, and then compromise, dozens of npm packages.
Wiz, for example, identified 32 packages so far, which receive around 80,000 downloads a week. Socket, on the other hand, claims to have identified 95 packages. Both outfits confirmed that the attack is currently ongoing, and hinted that the number of infected packages will probably grow even bigger.
TeamPCP copycats
All of the packages were published under the Red Hat Cloud Services namespace. The company confirmed the attack to The Register, and said it removed the compromised content. “The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.”
Socket says the attackers are going after people’s GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files. “It also includes encrypted exfiltration logic and GitHub-based fallback mechanisms, indicating that the attacker was not only attempting to steal credentials, but also potentially enable further supply chain propagation.”
Originally, the group behind the Mini Shai-Hulud attack was TeamPCP. However, they open-sourced the worm, resulting in the emergence of copycats and other threat actors employing a similar strategy. Miniature, cosmetic changes seen in this campaign, point to one such group.
Wiz claims all references to the Dune universe were replaced by Greek mythology themes, but apart from that, the underlying functionality and tradecraft “remain substantially similar”. One notable difference in this worm is collecting Google Cloud Platform and Microsoft Azure identities, as well as all the identities that the infected machine has access to.
Via The Register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/VsnoQAEmxjEvebB3dyY9Pj-2560-80.jpg
Source link
