
Trojanized npm packages spread new variant that executes in pre-install phase, hitting thousands within days


A self-propagating malware targeting the Node package manager (npm) ecosystem is back for a second round, according to Wiz researchers, who say that more than 25,000 developers had their secrets compromised within three days.

The affected packages include those provided by Zapier, AsyncAPI, ENS Domains, PostHog, and Postman, several of which have thousands of weekly downloads.

The campaign, dubbed "Shai-Hulud" for the frequent references to the Dune worm in published data, first emerged in September.

The wormable malware spread via compromised npm packages. Once installed, it would scan infected hosts for AWS, GCP, Azure, and GitHub credentials before publishing them to users' own GitHub repositories.

Wiz said the latest attacks, possibly launched by separate criminals, operate similarly to the first – scanning infected machines for secrets which the malware then publishes to victims' own repositories.

As of September 24, more than 25,000 repositories had published their own secrets, and 1,000 ...


Copyright of this story solely belongs to theregister.co.uk.