Shai Hulud launches second supply-chain attack

https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
352•birdculture•2mo ago

Comments

benzible•2mo ago
Dup https://news.ycombinator.com/item?id=46032539 [edit: not a dup!]
swsieber•2mo ago
This article has quite a bit more information though.
dang•2mo ago
Thanks—I've added this link to the toptext at https://news.ycombinator.com/item?id=46032539.
thih9•2mo ago
Not a dup, this is a different article about the same event, with different information too.
a4isms•2mo ago
Please use the word "Dup" for a resubmission of the same link and "See also" for a different submission.
neogodless•2mo ago
See also: https://news.ycombinator.com/item?id=46032539 Shai-Hulud Returns: Over 300 NPM Packages Infected (helixguard.ai)

~6 hours ago | 430 comments

dang•2mo ago
Ok, we've merged the (relevant) comments thither. Thanks!

Edit: Here's a bit of explanation for those curious. Even though the links are different, the test we use for whether to merge threads is whether they are substantially the same story vs. whether the two links will lead to substantially different discussion. In this case it's clear that it's the same discussion, so I merged them.

Since the second link has additional information, I've added it to the toptext of the original post. That way people can look at both.

QuantumNomad_•2mo ago
Typo in title. Current title of HN post says:

> SHA1-Hulud the Second Comming – Postman, Zapier, PostHog All Compromised via NPM

Should be Shai-Hulud, not SHA1-Hulud.

adzm•2mo ago
That said, the secrets are uploaded to a repo named `Sha1-Hulud: The Second Coming`
zahlman•2mo ago
Ah, I missed that detail.
zahlman•2mo ago
I don't know why you were downvoted. The actual page does not say SHA1, the attack as far as I know is not related to the SHA1 algorithm, and the name of the worm isn't intended as that sort of pun.
pezezin•2mo ago
The worm itself is posting the secrets in Github with the name Sha1-hulud: https://github.com/search?q=sha1-hulud&type=repositories
cyberpunk•2mo ago
Yikes. AWS secrets galore in the couple I decoded (double base64)...

I'm surprised github is leaving these up.

galangalalgol•2mo ago
At this point it likely helps the defenders more than those that would use them doesn't it?
meowface•2mo ago
I am guessing they don't intend to and will be removing them with urgency.
AlexandrB•2mo ago
Also "coming" only has one "m". Or is this some kind of pun?
ChrisArchitect•2mo ago
[dupe] Discussion: https://news.ycombinator.com/item?id=46032539
welder•2mo ago
Python script to check if any of your repos have the listed compromised packages in pnpm or npm lock files:

https://chatgpt.com/s/t_6924b232a8f88191a146a510c6631143

artisin•2mo ago
Worth mentioning that Bubblewrap[1] (bwrap) can remove most npm/node attack vectors or, at the very least, limit the damage from running arbitrary code during install/execution. Far from a silver bullet, and you'll want to combine it with a simple wrapper script to avoid dinking around with all its arguments, but it beats dealing with rootless Podman containers.

[1] https://github.com/containers/bubblewrap
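A wrapper of the kind described in the comment above, as an added example written for this thread; it is not code from bubblewrap, from any commenter, or from any project named on this page. It assumes a Linux host with `bwrap` on PATH and unprivileged user namespaces enabled, a merged-/usr layout, and a node toolchain under /usr; the script name `npm-sandbox.py` and its `--no-net`, `--ro` and `--path` flags are hypothetical choices for this example.

```python
#!/usr/bin/env python3
"""Run npm/pnpm/node inside a throwaway bubblewrap (bwrap) sandbox.

Assumes Linux, bwrap on PATH, unprivileged user namespaces, a merged-/usr
layout and a node toolchain under /usr (use --ro and --path for one installed
elsewhere, e.g. ~/.nvm). Only the project directory is writable; $HOME is an
empty tmpfs, so an install script finds no ~/.npmrc, ~/.ssh or ~/.aws, and
with --no-net it has no network to exfiltrate over.
"""
import argparse
import os
from typing import List, Optional, Sequence

# Read-only host paths a node toolchain usually needs; missing ones are skipped.
DEFAULT_RO = ["/usr", "/etc/resolv.conf", "/etc/hosts", "/etc/ssl/certs",
              "/etc/passwd", "/etc/group", "/etc/alternatives"]


def bwrap_argv(project: str, cmd: Sequence[str], network: bool = True,
               extra_ro: Sequence[str] = (), home: Optional[str] = None) -> List[str]:
    """Build the bwrap command line; side-effect free so it can be unit tested."""
    project = os.path.abspath(project)
    home = home or os.path.expanduser("~")
    argv = ["bwrap",
            "--unshare-all",        # new pid/mount/net/ipc/uts/user/cgroup namespaces
            "--die-with-parent",    # no orphaned install scripts if the wrapper dies
            "--new-session"]        # detach from the controlling tty (blocks TIOCSTI)
    for path in DEFAULT_RO:
        if os.path.exists(path):
            argv += ["--ro-bind", path, path]
    for target, link in (("usr/lib", "/lib"), ("usr/lib64", "/lib64"),
                         ("usr/bin", "/bin"), ("usr/sbin", "/sbin")):
        argv += ["--symlink", target, link]   # merged-/usr compatibility links
    argv += ["--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
             "--tmpfs", home]       # empty $HOME: dotfiles and credential files vanish
    for path in extra_ro:           # after the tmpfs, so e.g. ~/.nvm can reappear read-only
        path = os.path.abspath(path)
        argv += ["--ro-bind", path, path]
    argv += ["--bind", project, project, "--chdir", project]
    if network:
        argv.append("--share-net")  # re-enable what --unshare-all removed; npm ci needs it
    argv += ["--", *cmd]
    return argv


def sandbox_env(home: str, extra_path: Sequence[str] = ()) -> dict:
    """Minimal environment: nothing inherited, so no tokens leak in via env vars."""
    path = ":".join([*extra_path, "/usr/bin", "/bin"])
    return {"HOME": home, "PATH": path, "LANG": "C.UTF-8",
            "TERM": os.environ.get("TERM", "dumb")}


def main(argv: Optional[Sequence[str]] = None) -> None:
    ap = argparse.ArgumentParser(description="run a command in a bwrap sandbox")
    ap.add_argument("--no-net", action="store_true", help="no network (e.g. for npm test)")
    ap.add_argument("--ro", action="append", default=[], help="extra read-only path")
    ap.add_argument("--path", action="append", default=[], help="extra PATH entry")
    ap.add_argument("project", help="project directory (mounted read-write)")
    ap.add_argument("cmd", nargs=argparse.REMAINDER, help="command, e.g. npm ci")
    args = ap.parse_args(argv)
    if not args.cmd:
        ap.error("missing command")
    home = os.path.expanduser("~")
    cmd = bwrap_argv(args.project, args.cmd, network=not args.no_net,
                     extra_ro=args.ro, home=home)
    os.execvpe(cmd[0], cmd, sandbox_env(home, args.path))  # replaces this process


if __name__ == "__main__":
    main()
```

Typical use is `./npm-sandbox.py . npm ci` for the install and `./npm-sandbox.py --no-net . npm test` for anything that should not need the registry. Two caveats: install and lifecycle scripts still execute inside the sandbox, so this bounds what a malicious package can reach rather than detecting it, and the npm cache under ~/.npm lives on the tmpfs, so every run re-downloads unless you deliberately bind that one directory read-write.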

port11•2mo ago
This looks really interesting, but it sounds like it's as complicated to setup as rootless Podman — which is to say not _that_ complicated. Anyone using this with Node or Deno successfully?
bunnybender•2mo ago
From my bookmarks (2023): https://news.ycombinator.com/item?id=36686461
port11•2mo ago
Lovely. Thank you very much!
splix•2mo ago
We made a script to avoid such situations. It checks the dependencies, just by parsing the package.json (or the lock file), checking the relevant time on the npm registry, and returns an error if it finds that a too-fresh package was added.

We run it in CI for each commit/PR, and if a developer tries to commit a change that updates a JS dependency to a too-recent version, it prevents the build from running, and so on. Basically we expect that a supply chain attack on NPM would be noticed within a couple of weeks, and we enforce this time window on our code.

See https://github.com/emeraldpay/paranoid.js
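One script covering both the lockfile check welder's comment links to and the minimum-age policy splix describes, as an added example written for this thread; it is not the linked ChatGPT script, not paranoid.js, and not any vendor's tooling. Package names, timestamps and the single blocklist entry in the demo data are constructed, not the real Shai-Hulud indicators, so `SAMPLE_BLOCKLIST` must be replaced with the published IoC list before use; only package-lock.json is handled, not pnpm-lock.yaml.

```python
#!/usr/bin/env python3
"""package-lock.json checks for an npm worm incident.

1. Blocklist: flag locked name@version pairs on a list of known-bad releases.
2. Minimum age, the paranoid.js idea: flag any locked version published less
   than N days ago. GET https://registry.npmjs.org/<name> returns a document
   whose "time" map gives version -> ISO-8601 publish timestamp; fetch_times()
   reads it live, the demo uses constructed data so it runs offline.
Handles lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
"""
import json
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

REGISTRY = "https://registry.npmjs.org"


def locked_packages(lock: dict) -> List[Tuple[str, str]]:
    """Return (name, version) for every dependency in a package-lock.json."""
    out: List[Tuple[str, str]] = []
    if "packages" in lock:          # lockfileVersion 2/3
        for path, meta in lock["packages"].items():
            if path and "version" in meta:      # "" is the root project itself
                # "node_modules/@scope/x" or nested ".../node_modules/a/node_modules/b"
                out.append((path.rsplit("node_modules/", 1)[-1], meta["version"]))
    else:                           # lockfileVersion 1
        def walk(deps: dict) -> None:
            for name, meta in deps.items():
                out.append((name, meta["version"]))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return out


def find_compromised(locked, blocklist: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Exact name@version matches against the known-bad list."""
    return sorted(set(locked) & blocklist)


def fetch_times(name: str) -> Dict[str, str]:
    """Live registry lookup of the publish-time map (needs network)."""
    url = f"{REGISTRY}/{urllib.parse.quote(name, safe='@')}"   # @scope/x -> @scope%2Fx
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("time", {})


def too_fresh(locked, times: Dict[str, Dict[str, str]], min_age_days: int,
              now: datetime) -> List[Tuple[str, str, str]]:
    """Flag versions younger than the quarantine window, or unknown to the registry."""
    cutoff = now - timedelta(days=min_age_days)
    hits = []
    for name, version in locked:
        stamp = times.get(name, {}).get(version)
        if stamp is None:           # missing metadata is a failure, not a pass
            hits.append((name, version, "no publish time in registry metadata"))
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if published > cutoff:
            hits.append((name, version, f"published {stamp}"))
    return hits


# Constructed demo data: hypothetical packages, not real indicators of compromise.
SAMPLE_LOCK = {"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/old-lib": {"version": "4.2.0"},
    "node_modules/@acme/widget": {"version": "2.4.1"},
    "node_modules/@acme/widget/node_modules/tiny-util": {"version": "0.9.0"},
}}
SAMPLE_TIMES = {
    "old-lib": {"4.2.0": "2021-03-09T12:00:00.000Z"},
    "@acme/widget": {"2.4.0": "2025-06-01T00:00:00.000Z", "2.4.1": "2025-11-23T14:02:00.000Z"},
    "tiny-util": {"0.9.0": "2025-11-24T09:30:00.000Z"},
}
SAMPLE_BLOCKLIST = {("tiny-util", "0.9.0")}          # replace with the published IoC list
NOW = datetime(2025, 11, 25, tzinfo=timezone.utc)   # fixed clock so the demo is reproducible


def main() -> int:
    if len(sys.argv) > 1:   # real run: lockfile path, live registry, wall clock
        with open(sys.argv[1]) as fh:
            locked = locked_packages(json.load(fh))
        times = {name: fetch_times(name) for name in {n for n, _ in locked}}
        now = datetime.now(timezone.utc)
    else:                   # demo run on the constructed data above
        locked, times, now = locked_packages(SAMPLE_LOCK), SAMPLE_TIMES, NOW
    bad = find_compromised(locked, SAMPLE_BLOCKLIST)
    fresh = too_fresh(locked, times, min_age_days=14, now=now)
    for name, version in bad:
        print(f"COMPROMISED  {name}@{version}")
    for name, version, why in fresh:
        print(f"TOO FRESH    {name}@{version}: {why}")
    return 1 if bad or fresh else 0   # non-zero fails the CI job


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments it reports on the constructed lock (one blocklisted package, two versions younger than 14 days); run as `./check-lock.py package-lock.json` it queries the registry for every locked package and exits non-zero on any hit, which is the CI gate splix describes. A version the registry has no publish time for is treated as a failure rather than a pass, since a removed or unpublished release is exactly what an incident response leaves behind.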