Over 170 packages throughout a number of high-profile NPM and PyPI initiatives had been compromised in a brand new, coordinated Mini Shai-Hulud software program provide chain assault.
The marketing campaign hit 42 TanStack packages, 65 UiPath packages, Mistral AI’s PyPi packages, the OpenSearch JavaScript shopper, over a dozen Squawk packages, the Guardrails AI PyPI package deal, and different fashionable modules.
TeamPCP, the notorious hacking group that orchestrated a number of provide chain assaults throughout a number of open supply software program ecosystems over the previous few months, was blamed for the marketing campaign.
Useless-drop commit department names used within the assault are taken from Frank Herbert’s Dune saga, and the malware’s repositories have the “Shai-Hulud: Right here We Go Once more” description.
The identical as in earlier campaigns, the Mini Shai-Hulud worm targets delicate data, together with developer credentials, API keys, tokens, cloud credentials and secrets and techniques, cryptocurrency wallets, and secrets and techniques related to AI instruments and messaging purposes.
It makes an attempt to propagate by utilizing compromised NPM and GitHub Actions tokens to publish malicious variations of the packages the sufferer has write entry to.
The malware was additionally noticed putting in a persistent daemon to ballot GitHub each minute, to confirm for token revocation, and checking the system language to keep away from infecting Russian customers, cybersecurity agency Wiz notes.
The TanStack assault
The brand new provide chain marketing campaign was flagged shortly after malicious package deal artifacts had been revealed by the professional TanStack launch pipeline, and was then noticed spreading to further packages.
Not like earlier TeamPCP intrusions, which relied on stolen secrets and techniques to compromise accounts and modify packages, the TanStack assault chained three identified safety weaknesses to launch 84 malicious artifacts throughout 42 packages.
The attackers staged their payload in a GitHub fork, injected the payload into revealed NPM tarballs, after which hijacked the challenge’s CI/CD pipeline to publish the packages on to NPM, exploiting the ambient OIDC token within the workflow to bypass the workflow’s personal publish step, StepSecurity explains.
“The attacker chained three identified vulnerability lessons — a pull_request_target ‘Pwn Request’ misconfiguration, GitHub Actions cache poisoning throughout the fork↔base belief boundary, and runtime reminiscence extraction of the OIDC token from the Actions runner course of,” TanStack explains in a autopsy.
In line with Wiz, the attackers renamed their TanStack/router repository fork to zblgg/configuration, then opened a pull request to set off the pull_request_target workflow, which executed the attackers’ code and poisoned the GitHub Actions cache.
“When professional maintainer PRs had been later merged to foremost, the discharge workflow restored the poisoned cache. Attacker-controlled binaries then extracted OIDC tokens immediately from the GitHub Actions runner’s course of reminiscence,” Wiz explains.
The stolen GitHub OIDC token permits the attackers to acquire a signing certificates and make the malicious packages seem as having a sound SLSA provenance. Thus, the packages had been revealed beneath a trusted id.
“SLSA provenance is a cryptographic certificates, generated by Sigstore, that’s meant to confirm a package deal was constructed from a trusted supply. The worm was capable of produce these certificates as a result of it hijacked the professional construct pipeline itself,” Snyk notes.
By exploiting this mechanism, the attackers revealed two malicious variations of every of the 42 TanStack packages.
The payload
Throughout all compromised TanStack packages, the identical 2.3 MB implant (router_init.js) was injected immediately into the package deal tarball.
The obfuscated single-line JavaScript file comprises a multi-stage credential stealer that performs information harvesting and exfiltration, achieves persistence, and may self-destruct.
In line with Socket, the implant first fingerprints the setting (working system, CI platform, and JavaScript runtime), packs completely different credential harvest paths for Linux and macOS, and performs a web-based lookup, more likely to check community reachability.
“It systematically sweeps each main secrets and techniques airplane out there inside fashionable cloud-native CI environments, utilizing each direct setting variable reads and energetic API calls,” Socket explains.
Stolen credentials are exfiltrated by way of three channels: the https://git-tanstack[.]com area, Session community (encrypted exfiltration by way of *.getsession.org), and Dune-themed GitHub repositories created utilizing stolen tokens.
“The Session community channel is new. Decentralized and takedown-resistant, it’s considerably tougher to disrupt than devoted domains or GitHub-based exfiltration,” Wiz notes.
For NPM propagation, the worm exploits the GitHub Actions OIDC federation mechanism “to mint a sound NPM publish token on behalf of the compromised CI id,” Socket explains.
Moreover, the worm makes use of the GitHub GraphQL API to commit copies of itself to the branches of the compromised maintainers’ supply repositories. The commit creator is spoofed to impersonate the Anthropic Claude Code GitHub App.
The Python variant
Malicious variations of the Guardrails AI and Mistral AI PyPI packages contained a unique payload than the NPM one, Wiz says.
The Guardrails AI package deal contained 13 traces of latest code designed to fetch and execute a non-obfuscated payload from git-tanstack[.]com.
The payload is a modular credential stealer that might solely execute on Linux programs. The malware harvests intensive credentials and, for the primary time, additionally targets password managers similar to 1Password and Bitwarden.
When executed on programs with Israel or Iran locales, the malware would try and play an MP3 file at full quantity and to delete the recordsdata on the system.
170+ affected packages
What makes the most recent TeamPCP provide chain assault notable is the abuse of provenance attestation to publish malicious packages which might be indistinguishable from professional ones, Snyk notes.
In whole, on Might 11, the marketing campaign hit over 170 packages throughout a number of high-profile initiatives. At the very least 401 malicious package deal artifacts had been revealed inside a five-hour window, SafeDep says.
Among the affected packages, similar to these within the TanStack namespace, have thousands and thousands of weekly downloads. The TanStack Router package deal is utilized in purposes throughout React, Vue, and Stable.
TeamPCP compromised the official Mistral AI packages throughout three distribution channels: the core SDK, the Azure integration, and the GCP integration. Three malicious variations of every had been revealed.
The attackers hit 65 UiPath NPM packages, publishing 65 malicious variations throughout all the automation platform. The official OpenSearch JavaScript shopper was additionally compromised, and the attackers revealed 5 malicious variations of 20 Squawk packages.
Customers are suggested to examine if any compromised model of the affected packages reached their environments, clear up their programs, and rotate all probably compromised credentials and secrets and techniques.
They need to additionally audit GitHub Actions OIDC configurations and pull_request_target workflows for cache poisoning, and implement behavioral evaluation at set up time as a further safety mechanism alongside provenance verification, Snyk notes.
Associated: Checkmarx Jenkins AST Plugin Compromised in Provide Chain Assault
Associated: Construct Software Firewalls Intention to Cease the Subsequent Provide Chain Assault
Associated: SailPoint Discloses GitHub Repository Hack
Associated: Vendor Says Daemon Instruments Provide Chain Assault Contained
