Return of the “Shai-Hulud” Worm

Veracode is aware of and responding to an ongoing spam campaign as well as what appears to be a reemergence of the “Shai-Hulud” worm we recently reported on. This time the malicious file is bun_environment.js. Our team is busy identifying and blocking this malware as it emerges. So far several npm accounts appear to have been compromised, e.g. @asyncapi and @posthog, to name a few.
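The only concrete indicator the advisory gives for this wave is the file name bun_environment.js. The script below is an added example, not Veracode's tooling or code from the affected projects: it walks an installed node_modules tree and reports any package that ships a file with that name, and additionally (an assumption, not something the advisory states) any package.json whose install-time lifecycle hook invokes it. The package names in the built-in fixture are constructed placeholders, and the placeholder bun_environment.js it writes is inert.

```python
"""Scan a node_modules tree for the bun_environment.js indicator from the advisory."""
import json
import os
import tempfile
from pathlib import Path

# File name the advisory associates with the re-emerged worm.
INDICATOR_FILE = "bun_environment.js"
# npm hooks that run automatically during install. Checking them is an added
# heuristic (assumption); the advisory does not describe how the file is launched.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _nearest_package_name(directory):
    """Walk upwards to the closest package.json and return its 'name' field."""
    for parent in [directory, *directory.parents]:
        manifest = parent / "package.json"
        if manifest.is_file():
            try:
                return json.loads(manifest.read_text(encoding="utf-8")).get("name", "<unnamed>")
            except (OSError, ValueError):
                return "<unreadable package.json>"
    return "<no package.json>"


def scan_node_modules(root):
    """Return a sorted list of (package, reason, path) findings under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if INDICATOR_FILE in filenames:
            findings.append((_nearest_package_name(here),
                             "indicator file present",
                             str(here / INDICATOR_FILE)))
        if "package.json" in filenames:
            try:
                manifest = json.loads((here / "package.json").read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            for hook, command in (manifest.get("scripts") or {}).items():
                if hook in LIFECYCLE_HOOKS and INDICATOR_FILE in str(command):
                    findings.append((manifest.get("name", "<unnamed>"),
                                     f"{hook} hook runs indicator file",
                                     str(here / "package.json")))
    return sorted(findings)


def build_fixture(base):
    """Create a constructed node_modules tree: one clean package, one flagged package.

    The scope and package names are placeholders, not real npm packages.
    """
    nm = Path(base) / "node_modules"
    clean = nm / "@example" / "clean-lib"
    flagged = nm / "@example" / "flagged-lib"
    manifests = (
        (clean, {"name": "@example/clean-lib", "version": "1.0.0",
                 "scripts": {"test": "node test.js"}}),
        (flagged, {"name": "@example/flagged-lib", "version": "1.0.1",
                   "scripts": {"preinstall": "node bun_environment.js"}}),
    )
    for pkg_dir, manifest in manifests:
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # Inert placeholder standing in for the indicator file; it contains no code.
    (flagged / INDICATOR_FILE).write_text("// placeholder\n", encoding="utf-8")
    return nm


def demo():
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_node_modules(build_fixture(tmp))


if __name__ == "__main__":
    for package, reason, path in demo():
        print(f"{package}: {reason} ({path})")
```

Point scan_node_modules at a project's real node_modules (or a CI checkout) to get a list for triage. A hit on the file name alone is a reason to quarantine the package and compare its published versions against the advisory, not proof of compromise on its own, which is why the scanner reports the reason for each finding separately.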

Veracode Customers Remain Protected 

Veracode customers using Package Firewall are shielded from these threats, with the Package Firewall preventing both server- and browser-targeted malware from reaching the SDLC. Customers can also use Software Composition Analysis (SCA) to detect the usage of these malicious packages. 

Veracode’s Supply Chain offerings are designed to protect our customers from these types of attacks with: 

  1. Proactive Threat Monitoring: The Veracode Threat Research Team continuously tracks open-source activity. Automated detection and expert analysis quickly identify anomalous publishing behavior, code obfuscation, and indicators of malware. 
  2. Immediate Blocking: Once a package is confirmed to be malicious, it is programmatically blocklisted. Veracode Package Firewall prevents vulnerable or compromised packages, including those from the chalk, debug, and DuckDB campaigns, from being installed in customer environments.
  3. Policy Enforcement: Customers maintain strict controls over allowable packages. Policies enforced by Veracode automatically block introductions of newly compromised packages and prevent execution of malicious scripts. 
  4. Expert Guidance: The team continuously issues updates and actionable recommendations to help organizations respond quickly and confidently when new supply chain threats emerge. 

NPM Attacks Conclusion: Stay Ahead of Advanced Threats 

These recent npm attacks are a wake-up call: supply chain risks are increasing in scale and complexity. Attackers now target not only servers, but also browsers and end users, through high-trust dependencies. Standard reactive security is no longer sufficient.

Veracode empowers you to adopt a proactive, defense-ready stance, protecting your developers, your users, and your business from the next wave of sophisticated supply chain attacks.

Reach out to learn more.