Cross-posted from https://programming.dev/post/41331208

"Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

The malicious code exfiltrates the stolen information by creating a GitHub Action runner named SHA1HULUD, and a GitHub repository description Sha1-Hulud: The Second Coming… This suggests it may be the same attacker behind the “Shai-Hulud” attack observed in September 2025.

And now, over 27,000 GitHub repositories were infected."

Other source with list of compromised packages available

    • atmorous@lemmy.world · 4 upvotes · 7 months ago

      Every dev should be switching to Forgejo/Codeberg, & possibly Gitlab instead of Github for sure

    • corsicanguppy@lemmy.ca · 1 upvote · 7 months ago

      Only a risk to those using npm; doesn’t matter where they exercise those bad dev procedures. Don’t quit using GitHub if you’re already okay with all the other issues it has.

      • corsicanguppy@lemmy.ca · 1 upvote · 1 downvote · 7 months ago

        The same can happen for maven, crates, gomods, and others.

        Yes.

        The problem is [intricate dependencies]

        Nah. Dependencies are fine. The method of bringing those in and validating them is where the supply-chain risk accumulates. We knew better when we still had mentors.

  • Jayjader@jlai.lu · 2 upvotes · 7 months ago

    I just searched on GitHub for "Sha1-Hulud: The Second Coming.": 692 repositories. On the first page of results I was able to find a repo clearly made by the malware, and in that repo I was able to find someone’s GitHub token with a few applications of “decode from base64”.

    This is pretty bad. I don’t know what exactly comes next, an awareness campaign to get people to clean their infected machines and packages?
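The two indicators quoted in the original post (a repository described as "Sha1-Hulud: The Second Coming" and an Actions runner named SHA1HULUD) and the observation in the comment above (the stolen token sits under several layers of base64) together make up a small incident-response check an organisation can run against its own GitHub account. The following is an added example written for this thread; it is not code from the original post, from the malware, or from any project named here. The repository and runner records are constructed to mirror the field names of the GitHub REST API (`description`, `full_name`, `name`, `status`; in a live hunt they would come from `GET /orgs/{org}/repos` and `GET /orgs/{org}/actions/runners`), the file contents are constructed, and the credential regexes are simplified triage shapes, not authoritative token formats. Nothing in it touches the network.

```python
"""Sha1-Hulud indicator hunt plus layered-base64 triage (added example).

Step 1: flag repos/runners matching the indicators quoted in the post.
Step 2: for files in a flagged repo, peel base64 layers and report any
        credential-shaped strings so their owners can revoke them.
"""
import base64
import json
import re
from dataclasses import dataclass

REPO_DESC_RE = re.compile(r"sha1-hulud:\s*the second coming", re.IGNORECASE)
RUNNER_NAME = "SHA1HULUD"

# Simplified credential shapes for triage (assumption: not exhaustive).
CREDENTIAL_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36,}\b"),
}


@dataclass
class Finding:
    kind: str    # "repo" or "runner"
    name: str
    detail: str


def hunt_indicators(repos, runners):
    """Return a Finding for every repo description / runner name that matches."""
    findings = []
    for repo in repos:
        desc = repo.get("description") or ""
        if REPO_DESC_RE.search(desc):
            findings.append(Finding("repo", repo.get("full_name", "?"), desc))
    for runner in runners:
        if (runner.get("name") or "").upper() == RUNNER_NAME:
            findings.append(Finding("runner", runner["name"],
                                    f"status={runner.get('status', '?')}"))
    return findings


def peel_base64(blob, max_layers=8):
    """Repeatedly base64-decode `blob` while the result is still valid text.

    Returns (layers_removed, final_text). Stops at the first layer that is not
    strict base64 or does not decode to printable UTF-8; max_layers bounds the loop.
    """
    current = blob.strip()
    for layer in range(max_layers):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except ValueError:            # binascii.Error and UnicodeDecodeError
            return layer, current
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return layer, current
        current = text.strip()
    return max_layers, current


def find_credentials(text):
    """Map pattern name -> list of credential-shaped substrings found in text."""
    return {name: pat.findall(text)
            for name, pat in CREDENTIAL_PATTERNS.items() if pat.findall(text)}


def triage_repo_files(files):
    """For each {path: content}, peel base64 and report files that leak credentials."""
    report = []
    for path, content in files.items():
        layers, plain = peel_base64(content)
        hits = find_credentials(plain)
        if hits:
            report.append({"path": path, "layers": layers, "hits": hits})
    return report


def encode_layers(text, layers):
    """Helper to build constructed sample data: wrap text in N rounds of base64."""
    for _ in range(layers):
        text = base64.b64encode(text.encode()).decode()
    return text


# --- constructed sample data (not real records) ---------------------------
SAMPLE_REPOS = [
    {"full_name": "example-org/website", "description": "Marketing site"},
    {"full_name": "example-org/x9f2kq", "description": "Sha1-Hulud: The Second Coming"},
    {"full_name": "example-org/infra", "description": None},
]
SAMPLE_RUNNERS = [
    {"name": "build-01", "status": "online"},
    {"name": "SHA1HULUD", "status": "offline"},
]
SAMPLE_FILES = {
    "README.md": "Sha1-Hulud: The Second Coming",
    # Constructed placeholder credentials wrapped in three base64 layers.
    "cloud.json": encode_layers(json.dumps({
        "GITHUB_TOKEN": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0",
        "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE00",
    }), layers=3),
}


def run_example():
    """Run both steps over the constructed data and return (findings, report)."""
    return hunt_indicators(SAMPLE_REPOS, SAMPLE_RUNNERS), triage_repo_files(SAMPLE_FILES)


if __name__ == "__main__":
    findings, report = run_example()
    for f in findings:
        print(f"[{f.kind}] {f.name}: {f.detail}")
    for r in report:
        print(f"{r['path']}: {r['layers']} base64 layer(s) -> {r['hits']}")
```

The point of `peel_base64` stopping on the first non-base64 layer is that the decoded payload itself (JSON, `.env` text) is never valid strict base64, so the loop terminates on the real content without needing to know in advance how many times the worm wrapped it; any credential-shaped hit is a rotation task, whether the file was found in your own organisation or reported to you by the owner of a flagged repository.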