The malicious supply chain campaign dubbed “Shai-Hulud” has struck again, this time compromising multiple npm packages published under the CrowdStrike publisher account. According to the Socket Research Team, the incident mirrors earlier attacks against popular packages such as TinyColor, but with a new set of high-profile targets.
Socket explains, “Multiple CrowdStrike npm packages published by the crowdstrike-publisher npm account were compromised, this looks like a continuation of the ongoing malicious supply chain campaign known as the ‘Shai-Hulud attack’ that previously compromised tinycolor and 40+ other packages.”
The malware injected into these packages is consistent with the previous Shai-Hulud campaign. Socket details, “The malware is identical to this previous campaign, which includes a bundle.js script that downloads and executes TruffleHog, a legitimate secret scanner; searches host systems for tokens and cloud credentials; validates discovered developer and CI credentials; creates unauthorized GitHub Actions workflows within repositories; and exfiltrates sensitive data to a hardcoded webhook endpoint.”
This persistence mechanism, the unauthorized GitHub Actions workflows, means that once infected repositories are modified, future CI/CD pipeline runs can continue leaking secrets even after the compromised package versions are removed.
The confirmed list of affected packages and versions includes:
- @crowdstrike/commitlint@8.1.1, 8.1.2
- @crowdstrike/falcon-shoelace@0.4.2
- @crowdstrike/foundry-js@0.19.2
- @crowdstrike/glide-core@0.34.2, 0.34.3
- @crowdstrike/logscale-dashboard@1.205.2
- @crowdstrike/logscale-parser-edit@1.205.1, 1.205.2
- @crowdstrike/logscale-search@1.205.2
- @crowdstrike/tailwind-toucan-base@5.0.2
- And many others, including related eslint, monorepo, and ember packages.
The widespread targeting suggests the attackers sought to compromise both internal CrowdStrike tooling and community-facing packages.
Socket identified key artifacts to aid defenders:
- Malicious file: bundle.js
- SHA-256 hash: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
- Exfiltration endpoint: hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

Additionally, researchers discovered nearly 700 GitHub repositories titled “Shai-Hulud Migration”, likely linked to attacker automation. Socket notes, “While the precise role of these repos is still under investigation, their naming and timing suggest they may be artifacts of attacker automation used to persist or stage the workflow.”