LONDON (IT BOLTWISE) – A new wave of supply chain attacks known as Shai-Hulud 2 has put the developer community on alert. These attacks, which affect both the npm and Maven ecosystems, aim to steal sensitive data such as API keys and cloud credentials. The threat has proven particularly insidious and difficult to detect.


The recent wave of Shai-Hulud supply chain attacks has left the developer community worldwide in turmoil. After more than 830 packages in the npm registry had already been compromised, the attack has now spread to the Maven ecosystem. It aims to steal sensitive data such as API keys, cloud credentials and GitHub tokens, which are then used to compromise further packages and repositories in a worm-like pattern.

The security firm Socket's research team has identified a Maven Central package, org.mvnpm:posthog-node:4.18.1, that contains the same components used in the Shai-Hulud npm attacks. These components, the setup_bun.js loader and the main payload bun_environment.js, were thus found in both the JavaScript/npm and the Java/Maven environments. Notably, the Maven Central package is not published by PostHog itself; it is produced by an automated process that rebuilds npm packages as Maven artifacts, which carried the malicious files over unchanged.

The attack exploits weaknesses in existing GitHub Actions workflows, particularly those triggered by the pull_request_target and workflow_run events. Workflows misconfigured in this way run code supplied by a newly opened pull request with the repository's own privileges and secrets, which allows the attack to spread rapidly. Over 28,000 repositories have already been affected, and the attackers have managed to upload more than 5,000 files containing stolen secrets to GitHub.

Experts advise developers to rotate all tokens and keys, audit all dependencies and remove compromised versions. Developer and CI/CD environments should be hardened with least-privilege access, secret scanning, and automated policy enforcement. These attacks demonstrate how easily attackers can abuse trusted software distribution paths to spread malicious versions at scale and compromise thousands of developers.
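A defender-side check for the indicators named above, added here as an example and not taken from the article or from Socket: it walks a checkout or artifact cache for the setup_bun.js and bun_environment.js file names, looks inside Maven jars for the same names, and flags npm install hooks that reference them. All paths, the sample package and the jar entry are constructed for the example.

```python
import json
import os
import tempfile
import zipfile

# Loader and payload file names the article reports for Shai-Hulud 2.
INDICATOR_FILES = {"setup_bun.js", "bun_environment.js"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _package_json_findings(path):
    """Flag npm lifecycle scripts that reference an indicator file name."""
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
    except (OSError, ValueError):
        return []
    return [(path, f"{hook} script references {name}")
            for hook, cmd in scripts.items() if hook in INSTALL_HOOKS
            for name in INDICATOR_FILES if name in str(cmd)]


def scan_tree(root):
    """Return (path, reason) pairs; nothing under root is executed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname in INDICATOR_FILES:
                findings.append((full, "indicator file name on disk"))
            elif fname == "package.json":
                findings.extend(_package_json_findings(full))
            elif fname.endswith(".jar") and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as jar:
                    findings.extend((full, f"jar entry {e}") for e in jar.namelist()
                                    if os.path.basename(e) in INDICATOR_FILES)
    return findings


def build_constructed_sample():
    """Throwaway tree with a fake npm package and a fake jar (constructed data)."""
    root = tempfile.mkdtemp(prefix="shai-hulud-scan-")
    pkg = os.path.join(root, "node_modules", "example-pkg")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"scripts": {"preinstall": "node setup_bun.js"}}, fh)
    open(os.path.join(pkg, "setup_bun.js"), "w", encoding="utf-8").close()
    jar_dir = os.path.join(root, "m2", "org", "mvnpm", "example")
    os.makedirs(jar_dir)
    with zipfile.ZipFile(os.path.join(jar_dir, "example-1.0.jar"), "w") as jar:
        jar.writestr("static/bun_environment.js", "")  # constructed entry path
    return root
```

Run it against a real checkout with `scan_tree("/path/to/repo")`; a match is a reason to quarantine the artifact and rotate any credentials the host could reach, not proof of compromise on its own.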








Shai-Hulud 2: New wave of supply chain attacks threatens developers (Photo: DALL-E, IT BOLTWISE)

Please send any additions and information to the editorial team by email to de-info[at]it-boltwise.de. Since we cannot rule out AI hallucinations, which rarely occur with AI-generated news and content, we ask you to contact us via email and inform us in the event of false statements or misinformation. Please don’t forget to include the article headline in the email: “Shai-Hulud 2: New wave of supply chain attacks threatens developers”.
