- Exfiltrated the harvested credentials to an endpoint controlled by the actor.
- Uploaded the credentials to a public repository named Shai-Hulud, created via the GitHub `/user/repos` API.
- Leveraged an automated process to rapidly spread by authenticating to the npm registry as the compromised developer, injecting code into other packages, and publishing compromised versions to the registry.
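The bullets above describe the worm's two observable footprints on the victim's own accounts: a public GitHub repository named Shai-Hulud created through the `/user/repos` API, and a burst of package publishes under the compromised developer's npm identity. The script below is an added example, not code from the original advisory or from any of the cited vendors: it audits a GitHub account's repository list for that repository name and for public repositories created inside a recent window that deserve a manual look. The sample API response is constructed inline so the check runs offline; the `fetch_user_repos` helper and the field names it relies on (`name`, `private`, `created_at`) follow the real GitHub REST API, while the 72-hour window is an assumption chosen for illustration.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Repository names the advisory associates with this campaign (compared case-insensitively).
SUSPECT_REPO_NAMES = {"shai-hulud"}

# Constructed sample of an abridged /user/repos response; not real data.
SAMPLE_REPOS_JSON = json.dumps([
    {"name": "my-cli-tool", "private": False, "created_at": "2024-03-01T10:00:00Z"},
    {"name": "Shai-Hulud", "private": False, "created_at": "2025-09-16T02:13:44Z"},
    {"name": "docs", "private": True, "created_at": "2025-09-15T08:00:00Z"},
    {"name": "release-scripts", "private": False, "created_at": "2025-09-16T09:30:00Z"},
])


def _parse_ts(value):
    """Parse GitHub's ISO-8601 timestamps (trailing 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_repos(repos_json, now, window_hours=72):
    """Return the repositories worth investigating.

    'matches' lists repositories whose name is a known campaign indicator;
    'recent_public' lists public repositories created within the window,
    which is where an automated credential dump would typically show up.
    """
    now = now.astimezone(timezone.utc)
    cutoff = now - timedelta(hours=window_hours)
    matches, recent_public = [], []
    for repo in json.loads(repos_json):
        name = repo.get("name", "")
        created = _parse_ts(repo["created_at"])
        if name.lower() in SUSPECT_REPO_NAMES:
            matches.append(name)
        elif not repo.get("private", True) and created >= cutoff:
            recent_public.append(name)
    return {"matches": matches, "recent_public": recent_public}


def fetch_user_repos(token, per_page=100):
    """Fetch the authenticated user's repositories (first page) from the real API.

    Uses the documented /user/repos endpoint; token handling is the caller's job.
    """
    req = urllib.request.Request(
        f"https://api.github.com/user/repos?per_page={per_page}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; a fixed 'now' keeps the result stable.
    reference_time = datetime(2025, 9, 17, 12, 0, tzinfo=timezone.utc)
    report = audit_repos(SAMPLE_REPOS_JSON, reference_time)
    print(json.dumps(report, indent=2))
```

Run with a live token by replacing `SAMPLE_REPOS_JSON` with `fetch_user_repos(token)`; for organizations with more than one page of repositories, follow the `Link` header the API returns. Any hit in `matches` means the developer's GitHub credentials should be treated as compromised and their npm tokens rotated, since the worm uses one to publish under the other.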
- GitHub: Our plan for a more secure npm supply chain
- Palo Alto Networks Unit 42: Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 18)
- Socket: Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
- ReversingLabs: Malware found on npm infecting local package with reverse shell
