The Shai-Hulud worm has compromised 600 NPM packages.

A second attack on packages in the NPM repository has been detected. It uses a modified version of the self-propagating Shai-Hulud worm, which injects malware into dependent packages. The attack led to the publication of malicious releases of 605 packages with a combined total of more than 100 million downloads.

To carry out the attack, the attackers used phishing to capture the credentials of the maintainer account of a well-known package that many other packages use as a dependency. Using the hijacked account, they published a release of that package containing code that runs the worm when the affected package is installed as a dependency. Once started, the worm searches the current environment for credentials, downloading and running the TruffleHog utility for this purpose.

If an NPM registry access token is found, the worm automatically publishes new malicious releases of the packages developed in the current environment, chaining the infection through the whole dependency tree. Besides the NPM token, the worm collects GitHub access keys, credentials for the AWS, Azure and GCP (Google Cloud Platform) cloud services, environment variables, and any other sensitive data that the TruffleHog scanner detects.

Sensitive data found on the system is placed on GitHub by creating repositories with random names (for example, "qzx15djl71alh6p80h") and the phrase "Sha1-Hulud: The Second Coming" in the description. The data is also encoded and exfiltrated through GitHub Actions logs. The created repository contains a JSON file (for example, actionsSecrets.json or contents.json) holding a base64-encoded string with system information, environment variables and the collected data. To push the information out through GitHub's own integration, the worm creates a GitHub Actions workflow named ".github/workflows/formatter_123456789.yml" and configures a runner named SHA1HULUD.

The difference from the similar attack in September comes down to a different way of embedding the malicious code in the package. The malicious releases created by the worm are presented as adding support for the Bun JavaScript runtime. The command "node setup_bun.js" is added as the "preinstall" entry of the "scripts" section of package.json, which lists commands to run before installation.

The "setup_bun.js" file contains code that runs a script stored as "bun_environment.js", which holds the worm itself. To spread, the worm fetches a package's code, modifies its package.json (bumping the version number and adding the call to setup_bun.js), adds the setup_bun.js and bun_environment.js files, repackages the package, and runs "npm publish" to push the new release.

Popular affected packages include @zapier/zapier-sdk (2.8 million downloads per week), @posthog/core (2.8 million), posthog-node (1.5 million), @asyncapi/specs (1.4 million), and @postman/tunnel-agent (1.2 million). The attack is believed to have started with the compromise of the maintainer of the @asyncapi/specs package.

Source: opennet.ru