CrowdStrike Infested With “Self-Replicating Worms”

A year after a faulty update from cybersecurity company CrowdStrike triggered a global computer outage affecting millions of machines, the company is being forced to contain a new threat: a swarm of self-replicating worms.

As reported by investigative cybersecurity journalist Brian Krebs, CrowdStrike once again became the launchpad for a potentially debilitating security hazard when some 25 of its code packages were compromised by a novel strain of malware.

Dubbed “Shai-Hulud,” the malicious software is designed to slip onto developer machines through NPM (the “Node Package Manager” registry), the widely used public repository of JavaScript modules and coding tools. According to Krebs, once the malware nabs credentials from an infested computer, it publishes its finds to a public GitHub repository it creates under the name “Shai-Hulud,” the mythic sandworm from Frank Herbert’s 1965 sci-fi novel “Dune.”

What makes Shai-Hulud particularly dangerous is that every time an unsuspecting developer installs an infected module from NPM, the worm searches their machine for NPM “access tokens” (credentials that let a maintainer publish to the registry without entering a username or password) and uses them to push trojanized versions of the 20 most popular packages associated with that person’s account.
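The two things a developer on an affected team would want to check after reading the above are where the publish tokens the worm hunts for actually live, so they can be rotated, and whether a project's lockfile pins any of the published bad versions. The script below is an added example written for this page, not code from the article, from Krebs, or from any of the vendors quoted; the `.npmrc` text, environment variables, lockfile and the blocklist of `name@version` pairs are constructed samples, and the package names in them are hypothetical (real indicators come from the registry and vendor advisories).

```python
"""Defender-side checks for the token-harvest-and-republish propagation
described above. Added example; not the article's, Krebs's or any vendor's code.
Sample inputs below are constructed and the package names are hypothetical."""
import json
import re
from typing import Mapping

# Registry-scoped auth lines in .npmrc, e.g.
#   //registry.npmjs.org/:_authToken=npm_xxxxxxxx
_AUTH_LINE = re.compile(r"^\s*//(?P<registry>[^:\s]+)/:_authToken\s*=\s*(?P<token>\S+)")
# Environment variables that commonly carry npm publish tokens (assumption:
# NPM_TOKEN by convention, NODE_AUTH_TOKEN as used by actions/setup-node).
_TOKEN_ENV_NAMES = ("NPM_TOKEN", "NODE_AUTH_TOKEN")


def redact(token: str) -> str:
    """Keep only a prefix/suffix so findings can be logged without leaking the secret."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "****"


def find_npm_tokens(npmrc_text: str, env: Mapping[str, str]) -> list[dict]:
    """List every place a publish token is exposed: these are the credentials
    the worm would harvest, so each one is a rotation candidate."""
    findings = []
    for lineno, line in enumerate(npmrc_text.splitlines(), 1):
        m = _AUTH_LINE.match(line)
        if m:
            findings.append({"source": f".npmrc:{lineno}",
                             "registry": m["registry"],
                             "token": redact(m["token"])})
    for name in _TOKEN_ENV_NAMES:
        if env.get(name):
            findings.append({"source": f"env:{name}", "registry": None,
                             "token": redact(env[name])})
    return findings


def _walk_v1(deps: dict, blocklist: set[tuple[str, str]], hits: list[str]) -> None:
    """Lockfile v1 nests transitive deps under each entry's 'dependencies'."""
    for name, meta in deps.items():
        version = meta.get("version", "")
        if (name, version) in blocklist:
            hits.append(f"{name}@{version}")
        _walk_v1(meta.get("dependencies", {}), blocklist, hits)


def audit_lockfile(lock: dict, blocklist: set[tuple[str, str]]) -> list[str]:
    """Return sorted 'name@version' strings from a package-lock.json that match
    the blocklist. Handles the v2/v3 flat 'packages' map (keys like
    'node_modules/foo' or 'node_modules/a/node_modules/@scope/foo') and the
    v1 nested 'dependencies' tree."""
    hits: list[str] = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version", "")
            if (name, version) in blocklist:
                hits.append(f"{name}@{version}")
    else:
        _walk_v1(lock.get("dependencies", {}), blocklist, hits)
    return sorted(hits)


# ---- constructed sample inputs (hypothetical names and tokens) ----
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_AbCdEfGhIjKlMnOpQrStUvWxYz012345
//npm.example.internal/:_authToken=${INTERNAL_NPM_TOKEN}
"""
SAMPLE_ENV = {"NODE_AUTH_TOKEN": "npm_000000000000000000000000", "HOME": "/home/dev"}
SAMPLE_BLOCKLIST = {("example-widget", "1.4.2"), ("@example/helper", "3.0.1")}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "0.1.0"},
        "node_modules/example-widget": {"version": "1.4.2"},
        "node_modules/@example/helper": {"version": "2.9.0"},
        "node_modules/left-thing/node_modules/@example/helper": {"version": "3.0.1"},
    },
}

if __name__ == "__main__":
    print(json.dumps(find_npm_tokens(SAMPLE_NPMRC, SAMPLE_ENV), indent=2))
    print("blocklisted packages:", audit_lockfile(SAMPLE_LOCK, SAMPLE_BLOCKLIST))
```

Run it against a real `~/.npmrc`, `os.environ` and `package-lock.json` by loading those instead of the samples. Note that a clean lockfile only proves the pinned versions are not on the list; a token that was present on a machine which ran an infected install must still be treated as stolen and rotated, which is what the CrowdStrike statement further down describes.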

“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” said StepSecurity researcher Ashish Kurmi.

In a breakdown of the attack, software engineer Karlo Zanki of ReversingLabs called Shai-Hulud a “first of its kind self-replicating worm.”

So far, Krebs says that at least 187 NPM packages have been affected, including the 25 maintained by CrowdStrike. Intriguingly, the worm is designed to assume its victim is running Linux or macOS, and to “deliberately skip” Windows PCs.

NPM and CrowdStrike quickly removed the infected packages, which has slowed the worm’s spread.

“After detecting several malicious NPM packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” a CrowdStrike representative told The Hacker News.

Charlie Eriksen, a researcher at security firm Aikido, put it in even starker terms in an interview with Krebs.

“I would think of this attack as a ‘living’ thing almost, like a virus,” he warned. “Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”
