Shai-Hulud: How Scribe prevents supply chain attacks

Yet again, we see that if you've created a mechanism to monitor and archive SBOMs and dependencies, you are better equiped to mitigate bad stuff, when it happens.

CrowdStrike is back in the spotlight following recent headlines like "CrowdStrike Hacked." What really happened? 🤔 The crowdstrike-publisher npm account for CrowdStrike was compromised as part of the ongoing "Shai-Halud" supply chain attack, which is similar to the earlier TinyColor incident. Attackers published malicious versions of several packages that included a bundle.js script (SHA-256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09) 📦. This malware employs TruffleHog to scan for exposed secrets 🔍, validates them, creates unauthorized GitHub Actions for persistence, and exfiltrates data to a webhook 🌐. The following packages and their affected versions were identified: | Package Name | Affected Version(s) | |-------------------------------|-------------------------| | @crowdstrike/commitlint | 8.1.1, 8.1.2 | | @crowdstrike/falcon-shoelace | 0.4.2 | | @crowdstrike/foundry-js | 0.19.2 | | @crowdstrike/glide-core | 0.34.2, 0.34.3 | | @crowdstrike/logscale-dashboard | 1.205.2 | | @crowdstrike/logscale-file-editor | 1.205.2 | | @crowdstrike/logscale-parser-edit | 1.205.1, 1.205.2 | | @crowdstrike/logscale-search | 1.205.2 | | @crowdstrike/tailwind-toucan-base | 5.0.2 | In response, npm removed the compromised packages 🚫, and CrowdStrike rotated their keys 🔑. They conducted an investigation in collaboration with npm and confirmed that there was no impact on their Falcon platform (which is great news for the Falcon users). To mitigate risks, affected users should uninstall the compromised versions, audit their environments and CI/CD pipelines, rotate any exposed secrets, and keep an eye out for suspicious activity 👀. This incident has certainly cast doubt on the reliability of using open-source code and raised questions about the security of its ecosystem ⚠️. #CrowdStrike #Cybersecurity #Cybercrime More on: https://lnkd.in/dkuY2cNy

A new malware campaign abuses Azure Functions as a command and control backend. It uses a malicious ISO image with DLL side-loading for payload injection. The payload sends encrypted system metadata to an Azure-hosted server, profiling compromised hosts. The campaign spans multiple regions, with ongoing analysis uncovering advanced evasion and persistence techniques. https://lnkd.in/geAwKbGY

🚨 SECURITY ALERT: We're continuing to track the unfolding "Shai Hulud" #npm supply chain attack. This post highlights a new wave of compromises, with 31 additional malicious packages detected with a data exfiltrating payload. With new malicious packages still being uploaded continuously, it’s a powerful reminder of the need for real-time protection.

🚨 NEW APP SECURITY ALERT:🚨 Shai-Hulud npm supply chain attack – 164 new compromised packages detected by JFrog Security Researchers. Following the recent compromise of the nx packages and another wave targeting popular packages, the npm registry was once again attacked - marking its 3rd large-scale attack in recent weeks. At the time of this post, JFrog’s malware scanners have identified 164 unique malicious npm packages across 338 infected versions, containing multiple variations of the same data-stealer payload. Learn more and see the full list of compromised packages in our blog: https://lnkd.in/gjwgJjEB

🚨 SECURITY ALERT: This is an active and unfolding attack. The largest npm compromise in history is currently underway, and it's a major wake-up call for the entire open-source ecosystem. The fact that a phishing attack on a developer's token could compromise 164 unique packages with a data-stealer payload is a stark reminder of the risks. Check the link for the full list of compromised packages and the latest updates.

A self-replicating malware is on the loose in the npm ecosystem. Over 180 packages and 700+ versions were compromised, leaking developer tokens, exposing private GitHub repos, and automatically publishing new malicious packages. This attack, called Shai-Hulud, is one of the most advanced supply chain threats we’ve seen in open source to date. Our security research team breaks down how it spreads, what’s at risk, and, most importantly, what you should do now.

'MOST DANGEROUS IN HISTORY': The Shai-Hulud campaign is a sophisticated worm-style supply chain attack that has compromised hundreds of npm packages. Critically, the malware is worm-like: once attackers obtain credentials from one package, they use them to republish malicious versions of other packages maintained by the same persons, "expanding the compromise without manual intervention." It’s self-propagating across the npm ecosystem. This is a wake-up call for anyone who depends on open source: your supply chain can betray you before you even write a line of code. To prevent stuff like this, audit your repositories for persistence mechanisms by reviewing .github/workflows/ for suspicious files such as shai-hulud-workflow.yml or unexpected branches. Yes, trust your dependencies *but* verify aggressively. And assume compromise is possible until proven otherwise. https://lnkd.in/gwpZrRrR #auguryit #cysec

WHEN UPDATES BACKFIRE (DESPITE GOOD INTENTIONS): Researchers traced the exploit to a "race condition" triggered by rapid HTTP(S) requests, where barely timed headers let hackers impersonate the “crushadmin” user. The exploit went live shortly after a code update intended to fix an unrelated AS2 bug, unintentionally revealing the flaw to attackers. Over 30,000 installations were at risk; and as of late July, about 1,000 remained unpatched—even though fixes were available. This basically turned a housekeeping update into a zero-day weapon. And it highlights a vital lesson: even minor code changes can create major security gaps, and patching must be relentless. https://lnkd.in/ek_SWkkW #auguryit #zerodays #patching #security

🚨 Shai-Hulud Attack Recap 🚨 A worm-like npm campaign compromised popular packages, spreading malware across the software supply chain. The good news: Scribe’s continuous assurance platform let us confirm within hours that none of our customers were pulling compromised dependencies — and policy guardrails blocked risky updates automatically. Read how we shielded customers and what you can do to stay protected: https://lnkd.in/d5QKDmvW #SupplyChainSecurity #DevSecOps #SBOM #npm