THREAT LEVEL - HIGH

28-11-2025

High Level – npm Supply Chain Campaign Targeting CI/CD Environments

Threat Level Description

IthacaLabs has maintained the Threat Level at High and added a new observation:

An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level requires additional and sustainable protective security measures, combined with specific business and geographical vulnerabilities and judgements.

Description

We have observed that a new, sophisticated supply chain campaign targeting the npm ecosystem has been identified; it is part of an emerging campaign known as Shai Hulud 2.0.

Shai Hulud 2.0 leverages malicious versions of legitimate npm packages that were modified by attackers following the compromise of maintainer accounts. npm packages are reusable software components within the Node.js ecosystem that organizations commonly rely on to build and enhance applications.

Once these compromised packages are installed, embedded preinstall scripts execute to harvest credentials and secrets, including GitHub tokens, cloud provider credentials, and CI/CD authentication details. The stolen credentials are then used to create unauthorized public repositories and exfiltrate data, enabling automated and rapid propagation across development environments.

This campaign represents a significant escalation in attacker sophistication. By combining supply chain compromise, automated credential theft, and worm-like behaviour, the threat achieves persistence, stealth, and broad operational impact. Organizations using npm packages, especially within automated build pipelines or CI/CD environments, may face heightened exposure to this threat.

Our Advisory and Managed Services, including our Security Operations and Technology Resilience lines, can help safeguard your organization against such threats.

Through proactive monitoring, threat detection, and incident response, our services are designed to keep your systems secure, resilient, and prepared for evolving cyber risks. We advise all organizations to remain vigilant and regularly review their cybersecurity

Recommendation(s):

  • Review all project dependencies and lockfiles to identify any compromised or suspicious npm packages or versions.
  • Remove or replace any known bad packages and perform a clean reinstall of all dependencies.
  • Rotate all credentials including npm tokens, GitHub tokens, SSH keys, cloud provider keys, and CI/CD secrets.
  • Audit GitHub and other repository hosting environments for suspicious activity such as unauthorized repositories, unexpected commits, or irregular automation behaviour.
  • Harden build and deployment pipelines by restricting lifecycle script execution, limiting outbound network access, and enforcing the use of short-lived and scoped automation tokens.
  • Implement strict package supply chain controls including dependency scanning, allow-listing, and continuous monitoring for unexpected version changes.
  • Ensure incident response teams are prepared to investigate potential exposure by collecting logs from developer systems, build servers, and CI/CD runners and isolating any affected environments.
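As an added illustration of the dependency review and lifecycle-script restriction points above (example code, not part of the IthacaLabs advisory), the following Python script walks a node_modules tree and lists every package that declares an install-time hook of the kind this campaign abuses; the package names and manifests it creates are constructed placeholders, not real packages.

```python
import json
import os
import tempfile

# npm hooks that run automatically when a dependency is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_lifecycle_scripts(node_modules_dir):
    """Return {package_name: {hook: command}} for every package.json below
    node_modules_dir that declares an install-time hook (scoped @org/name and
    nested packages included). Presence is reported; legitimacy is a review task."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules_dir):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the scan
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = manifest.get("name") or os.path.relpath(root, node_modules_dir)
            findings[name] = hooks
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree (placeholder names, not real packages):
    one clean package, one scoped package with postinstall, one with preinstall."""
    base = tempfile.mkdtemp(prefix="node_modules_")
    samples = {
        "plain-lib": {"name": "plain-lib", "scripts": {"test": "node test.js"}},
        "@example/ci-helper": {"name": "@example/ci-helper",
                               "scripts": {"postinstall": "node build.js"}},
        "sample-installer": {"name": "sample-installer",
                             "scripts": {"preinstall": "node preinstall-hook.js"}},
    }
    for path, manifest in samples.items():
        pkg_dir = os.path.join(base, *path.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return base


if __name__ == "__main__":
    print(find_lifecycle_scripts(build_sample_tree()))
```

Running the scan against a real project's node_modules gives reviewers a short list of packages whose install hooks deserve a look; pairing it with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in pipelines stops such hooks from running at all, with any package that genuinely needs one handled explicitly.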
