Shai-Hulud 2 Worm Analysis of Confidential Data

Wiz has published an analysis of traces left by the Shai-Hulud 2 worm, which resulted in more than 800 malicious packages, with over 100 million downloads in total, being published in the NPM repository. Once an affected package is installed, the worm searches for confidential data, publishes new malicious packages, and makes the discovered data publicly available by creating repositories on GitHub.

Over 30 thousand repositories containing intercepted data have been identified on GitHub: 70% contain a contents.json file, 50% a truffleSecrets.json file, and 80% an environment.json file with access keys and other sensitive data. Additionally, around 400 actionsSecrets.json files were found containing keys used to run GitHub Actions.

The contents.json files contained more than 500 unique GitHub credentials, while the truffleSecrets.json files held confidential data collected with the TruffleHog utility, totaling over 400 thousand unique records.

The report warns that the exposed confidential information could lead to further attacks, as shown by the fact that 60% of NPM access tokens captured by the worm remain valid.

The analysis also found that 23% of worm launches occurred on developer computers, with the remaining 77% in continuous integration system environments. Most systems affected were Linux-based containers, with the majority of infections linked to specific packages such as @postman/tunnel-agent-0.6.7 and @asyncapi/specs-6.8.3.

The worm was typically activated by running the “node setup_bun.js” command from the preinstall script in the package's package.json file. The report highlights the critical need for heightened security measures to prevent similar attacks in the future.
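The preinstall activation path described above is something a defender can check for locally. The following audit script is an added example and not part of the Wiz report: it walks a node_modules tree, flags any package.json whose lifecycle hook invokes setup_bun.js, notes the two package versions the report names, and reports any other preinstall hook for review. The sample manifests at the bottom are constructed for the self-check and are not real package contents.

```python
"""Audit package.json manifests for the Shai-Hulud 2 preinstall indicator."""
import json
from pathlib import Path

# Indicator from the report: the worm runs "node setup_bun.js" from preinstall.
SUSPICIOUS_SCRIPT_TOKEN = "setup_bun.js"
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Package@version pairs the report links most often to infections.
KNOWN_BAD = {("@postman/tunnel-agent", "0.6.7"), ("@asyncapi/specs", "6.8.3")}


def audit_manifest(manifest: dict, path: str = "<inline>") -> list[str]:
    """Return findings for one parsed package.json (empty list if clean)."""
    findings = []
    name, version = manifest.get("name", "?"), manifest.get("version", "?")
    if (name, version) in KNOWN_BAD:
        findings.append(f"{path}: {name}@{version} is a known-affected version")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook, "")
        if SUSPICIOUS_SCRIPT_TOKEN in cmd:
            findings.append(f"{path}: {hook} runs '{cmd}' ({SUSPICIOUS_SCRIPT_TOKEN} indicator)")
        elif hook == "preinstall" and cmd:
            # Any preinstall hook deserves review; the worm relies on this stage.
            findings.append(f"{path}: preinstall hook present: '{cmd}'")
    return findings


def audit_tree(root: str) -> list[str]:
    """Walk every package.json under root (e.g. a node_modules dir) and audit it."""
    findings = []
    for pkg_json in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, not a finding
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest, str(pkg_json)))
    return findings


# Constructed sample manifests (not real package contents) for a quick self-check.
SAMPLE_INFECTED = {"name": "@postman/tunnel-agent", "version": "0.6.7",
                   "scripts": {"preinstall": "node setup_bun.js"}}
SAMPLE_CLEAN = {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_INFECTED) + audit_manifest(SAMPLE_CLEAN):
        print(line)
```

Run `audit_tree("node_modules")` in a project directory to check installed dependencies; a non-empty result means a manifest needs manual review, not necessarily that it is malicious.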
