Shai Hulud launches second supply-chain attack(aikido.dev)
aikido.dev
Shai Hulud launches second supply-chain attack
https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
25 comments
This looks really interesting, but it sounds like it's as complicated to setup as rootless Podman — which is to say not _that_ complicated. Anyone using this with Node or Deno successfully?
From my bookmarks (2023): https://news.ycombinator.com/item?id=36686461
Lovely. Thank you very much!
Python script to check if any of your repos have the listed compromised packages in pnpm or npm lock files:
https://chatgpt.com/s/t_6924b232a8f88191a146a510c6631143
https://chatgpt.com/s/t_6924b232a8f88191a146a510c6631143
We made a script to avoid such situations. It checks the dependencies, just by parsing the package.json (or the lock file), checking the relevant time on npm registry, and returns error if it finds a too fresh package added.
We run it on CI for each commit/PR, and if a developer tries to commit a change that updates a JS dependency to a too recent it prevents the build from running, and so on. Basically we expect that a Supply Chain attacks on NPM would be noticed in a couple of week, and we enforce this time window to our code.
See https://github.com/emeraldpay/paranoid.js
We run it on CI for each commit/PR, and if a developer tries to commit a change that updates a JS dependency to a too recent it prevents the build from running, and so on. Basically we expect that a Supply Chain attacks on NPM would be noticed in a couple of week, and we enforce this time window to our code.
See https://github.com/emeraldpay/paranoid.js
[deleted]
[dupe] Discussion: https://news.ycombinator.com/item?id=46032539
Typo in title. Current title of HN post says:
> SHA1-Hulud the Second Comming – Postman, Zapier, PostHog All Compromised via NPM
Should be Shai-Hulud, not SHA1-Hulud.
> SHA1-Hulud the Second Comming – Postman, Zapier, PostHog All Compromised via NPM
Should be Shai-Hulud, not SHA1-Hulud.
The worm itself is posting the secrets in Github with the name Sha1-hulud: https://github.com/search?q=sha1-hulud&type=repositories
Yikes. AWS secrets galore in the couple I decoded (double base64)...
I'm surprised github is leaving these up.
I'm surprised github is leaving these up.
At this point it likely helps the defenders more than those that would use them doesn't it?
I am guessing they don't intend to and will be removing them with urgency.
[deleted]
Also "coming" only has one "m". Or is this some kind of pun?
I don't know why you were downvoted. The actual page does not say SHA1, the attack as far as I know is not related to the SHA1 algorithm, and the name of the worm isn't intended as that sort of pun.
Dup https://news.ycombinator.com/item?id=46032539
[edit: not a dup!]
Ok, we've merged the (relevant) comments thither. Thanks!
Edit: Here's a bit of explanation for those curious. Even though the links are different, the test we use for whether to merge threads is whether they are substantially the same story vs. whether the two links will lead to substantially different discussion. In this case it's clear that it's the same discussion, so I merged them.
Since the second link has additional information, I've added it to the toptext of the original post. That way people can look at both.
Edit: Here's a bit of explanation for those curious. Even though the links are different, the test we use for whether to merge threads is whether they are substantially the same story vs. whether the two links will lead to substantially different discussion. In this case it's clear that it's the same discussion, so I merged them.
Since the second link has additional information, I've added it to the toptext of the original post. That way people can look at both.
This article has quite a bit more information though.
Thanks—I've added this link to the toptext at https://news.ycombinator.com/item?id=46032539.
Please use the word "Dup" for a resubmission of the same link and "See also" for a different submission.
Not a dup, this is a different article about the same event, with different information too.
See also: https://news.ycombinator.com/item?id=46032539 Shai-Hulud Returns: Over 300 NPM Packages Infected (helixguard.ai)
~6 hours ago | 430 comments
~6 hours ago | 430 comments
[1] https://github.com/containers/bubblewrap