If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.

Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day (to, you know, make money) but instead I'm doing worm mitigation 😭

https://ko-fi.com/nullagent
https://ko-fi.com/dataparty

#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm


What's the big deal with this worming supply chain attack?

Well it seems that the attackers may have forced GitHub and NPM into inaction.

The worm is designed to take revenge on infected users if too many of the infected packages are taken off NPM or if GitHub takes down the stolen user data.

So in the meantime, that means we developers and users will need to stop and remove the infection as quickly as possible ourselves to protect our systems.

https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/

#GitLab #ShalHulud

Woot, ok, now that I have the dependency graph crawled, I can just ship the listing of known-bad NPM packages and compare directly against that.

I updated the scanning script to alert if you have -any- version of an infected package.

You're gonna want to be very careful if you're not infected but have one of these dependencies present.

https://github.com/datapartyjs/walk-without-rhythm/blob/main/data/infected-pkgs-versions.txt

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

At the end of scanning for obvious compromise, the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json files mention a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh, and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node, or other big supply chains 🥴

https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript
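Added example, not the `check-projects` script from walk-without-rhythm: it shows the approach the posts above describe (list every dependency and version a project file mentions, then flag any name on the known-bad list whatever the version, and stop with a non-zero exit so the alert gets read) using only shell, awk, sed, grep, sort and find. Assumptions that are mine, not the project's: the bad list is one `name@version` per line, the project files are pretty-printed the way npm writes them (lockfile v2/v3 `node_modules/<name>` entries are handled, v1 nested lockfiles are not), jq is left out for portability, and every package name and version in the fixture is constructed, not a real indicator.

```shell
#!/usr/bin/env bash
# Added example (not the walk-without-rhythm code). Tools: sh, awk, sed, grep, sort, find.
# Assumed bad-list format: one "name@version" per line. Fixture names below are fake.
set -u

# Print "name@version" for every dependency a project file mentions.
# Handles pretty-printed package.json dependency maps and lockfile v2/v3
# "node_modules/<name>": { "version": "..." } entries (one key per line).
extract_deps() {
  awk '
    /"(dependencies|devDependencies|optionalDependencies|peerDependencies)"[[:space:]]*:[[:space:]]*\{[[:space:]]*$/ { indeps = 1; next }
    indeps && /^[[:space:]]*\}/ { indeps = 0; next }
    indeps && match($0, /"[^"]+"[[:space:]]*:[[:space:]]*"[^"]*"/) {
      pair = substr($0, RSTART + 1, RLENGTH - 2)        # drop the outer quotes
      split(pair, p, /"[[:space:]]*:[[:space:]]*"/)     # p[1]=name p[2]=range
      print p[1] "@" p[2]; next
    }
    match($0, /"node_modules\/[^"]+"[[:space:]]*:[[:space:]]*\{/) {
      name = substr($0, RSTART + 1, RLENGTH - 1)
      sub(/"[[:space:]]*:[[:space:]]*\{$/, "", name)
      sub(/.*node_modules\//, "", name)                 # nested entry -> innermost name
      pending = name; next
    }
    pending != "" && match($0, /"version"[[:space:]]*:[[:space:]]*"[^"]*"/) {
      ver = substr($0, RSTART, RLENGTH)
      sub(/^"version"[[:space:]]*:[[:space:]]*"/, "", ver); sub(/"$/, "", ver)
      print pending "@" ver; pending = ""; next
    }
  ' "$1" | sort -u
}

# Package names only (scoped names keep their leading "@") from a name@version list.
bad_names() { sed -E 's/^(@?[^@]+)@.*/\1/' "$1" | sort -u; }

# Scan one project file. One ALERT line per bad dependency; returns 2 on any hit.
scan_file() {
  local badlist="$1" file="$2" dep name rest ver hits=0 names
  names=$(bad_names "$badlist")
  while IFS= read -r dep; do
    [ -n "$dep" ] || continue
    case $dep in
      @*) rest=${dep#@}; name="@${rest%%@*}" ;;        # @scope/pkg@ver
      *)  name=${dep%%@*} ;;
    esac
    ver=${dep#"$name@"}
    if printf '%s\n' "$names" | grep -qxF -e "$name"; then
      if grep -qxF -e "$name@$ver" "$badlist"; then
        printf 'ALERT: %s: %s@%s is a known-infected version\n' "$file" "$name" "$ver"
      else
        printf 'ALERT: %s: %s@%s: package is on the infected list (version not listed, treat as suspect)\n' "$file" "$name" "$ver"
      fi
      hits=$((hits + 1))
    fi
  done <<EOF
$(extract_deps "$file")
EOF
  [ "$hits" -eq 0 ] || return 2
}

# Walk a tree: every package.json / package-lock.json under it, node_modules included.
scan_tree() {
  local badlist="$1" root="$2" rc=0 f
  while IFS= read -r f; do
    [ -n "$f" ] && { scan_file "$badlist" "$f" || rc=2; }
  done <<EOF
$(find "$root" -type f \( -name package.json -o -name package-lock.json \) | sort)
EOF
  return "$rc"
}

# Constructed fixture (fake names, not real indicators) so the script runs offline.
make_fixture() {
  mkdir -p "$1/app"
  printf '%s\n' 'example-bad-pkg@1.2.3' '@example-scope/bad-tool@0.9.0' > "$1/bad.txt"
  cat > "$1/app/package.json" <<'EOF'
{
  "name": "my-app",
  "version": "0.0.1",
  "dependencies": {
    "left-pad": "^1.3.0",
    "example-bad-pkg": "^1.0.0"
  },
  "devDependencies": {
    "@example-scope/bad-tool": "0.9.0"
  }
}
EOF
  cat > "$1/app/package-lock.json" <<'EOF'
{
  "name": "my-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "my-app",
      "dependencies": {
        "left-pad": "^1.3.0"
      }
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    },
    "node_modules/example-bad-pkg": {
      "version": "1.2.3"
    }
  }
}
EOF
}

# Usage: ./scan.sh <badlist> <dir>   or   ./scan.sh --demo   (fixture run)
case "${1:-}" in
  --demo) d=$(mktemp -d); make_fixture "$d"; scan_tree "$d/bad.txt" "$d"; rc=$?; rm -rf "$d"; exit "$rc" ;;
  "") ;;                                      # no args: just define the functions
  *) scan_tree "$1" "${2:-.}" ;;
esac
```

The exit status is the point: `scan_tree` returns 2 as soon as any file mentions a listed package, even with a version that is not on the list, because a project that merely depends on a compromised package is the "not infected yet but exposed" case the posts warn about. A caller that wants the original's stop-and-read behaviour can wrap it in `set -e` or prompt on a non-zero return.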