
Shai-Hulud NPM supply chain attack

Description

A supply chain attack against the NPM registry, dubbed "Shai-Hulud", was detected on the morning of September 16, 2025. The library @ctrl/tinycolor, which averages about 2.2 million weekly downloads, and several other packages were republished in versions carrying a Trojan payload.

When executed, the malicious code scans the filesystem for secrets using regular expressions and the TruffleHog scanner, dumps process.env, and extracts access tokens for services such as GitHub, NPM, AWS, Azure, and GCP.

Affected Packages

  • angulartics2@14.1.2
  • @ctrl/deluge@7.2.2
  • @ctrl/golang-template@1.4.3
  • @ctrl/magnet-link@4.0.4
  • @ctrl/ngx-codemirror@7.0.2
  • @ctrl/ngx-csv@6.0.2
  • @ctrl/ngx-emoji-mart@9.2.2
  • @ctrl/ngx-rightclick@4.0.2
  • @ctrl/qbittorrent@9.7.2
  • @ctrl/react-adsense@2.0.2
  • @ctrl/shared-torrent@6.3.2
  • @ctrl/tinycolor@4.1.1, 4.1.2
  • @ctrl/torrent-file@4.1.2
  • @ctrl/transmission@7.3.1
  • @ctrl/ts-base32@4.0.2
  • encounter-playground@0.0.5
  • json-rules-engine-simplified@0.2.1, 0.2.4
  • koa2-swagger-ui@5.11.1, 5.11.2
  • @nativescript-community/gesturehandler@2.0.35
  • @nativescript-community/sentry@4.6.43
  • @nativescript-community/text@1.6.13
  • @nativescript-community/ui-collectionview@6.0.6
  • @nativescript-community/ui-drawer@0.1.30
  • @nativescript-community/ui-image@4.5.6
  • @nativescript-community/ui-material-bottomsheet@7.2.72
  • @nativescript-community/ui-material-core@7.2.76
  • @nativescript-community/ui-material-core-tabs@7.2.76
  • ngx-color@10.0.2
  • ngx-toastr@19.0.2
  • ngx-trend@8.0.1
  • react-complaint-image@0.0.35
  • react-jsonschema-form-conditionals@0.3.21
  • react-jsonschema-form-extras@1.0.4
  • rxnt-authentication@0.0.6
  • rxnt-healthchecks-nestjs@1.0.5
  • rxnt-kue@1.0.7
  • swc-plugin-component-annotate@1.9.2
  • ts-gaussian@3.0.6
  • Any package that depends on or bundles one of these modules, directly or transitively, may also be affected.

Remediation Steps

  • Audit every project's dependency tree (package-lock.json, yarn.lock, pnpm-lock.yaml, and CI/CD build caches), including transitive dependencies, for the compromised versions listed above.
  • Uninstall the affected packages or pin them to the last known-good version published before the malicious update, then reinstall from a clean cache so the trojanized version is not restored.
  • Treat any machine or CI runner that installed a compromised version as exposed: because the payload reads process.env and scans the filesystem, rotate not only NPM tokens but also the GitHub, AWS, Azure, and GCP credentials that were present there, and review recent activity on those accounts.
