Just checked back on the Sha1-Hulud virus/worm. FINALLY npm appears free of obviously infected packages.

I still however am seeing infected machines posting their private data publicly on GitHub.

Not only that, I can see infected developers' GitHub repos being defaced in real time.

These Microsoft-owned platforms seem to be really struggling to stop this worm.

Query for defaced repos 👇🏿

https://github.com/search?q=api.airforce&type=repositories&s=updated&o=desc

#NPM #microsoft #github #Sha1Hulud #WalkWithoutRhythm #cybersecurity


Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

https://github.com/datapartyjs/walk-without-rhythm

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

Updated my listing of Sha1-Hulud detection tools.

I have now found at least 12 other tools for detecting Sha1-Hulud compromise on your dev box and in infrastructure.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-sha1-hulud-112425-detection-tools

#WalkWithoutRhythm #Sha1Hulud #npm #github #nodejs #javascript #cybersecurity #devops

And to be clear this is NOT an all clear just yet. Why?

1. There remain known malicious packages STILL available for download on NPM (and I can see evidence of active downloads)

https://partyon.xyz/@nullagent/115607663085751105

2. Infected computers and servers are STILL posting stolen PII to public githubs for the world to see. GitHub has just gotten a tad faster at taking them down.

https://partyon.xyz/@nullagent/115607844583101135

So this is a smoldering fire still and we need to stay vigilant.

#Sha1Hulud #WalkWithoutRhythm

nullagent (@[email protected])

I'm quickly finding a mix of packages which were compromised, some were months ago and had the bad versions taken down. However at the same time I'm noticing packages like the one below that were -just- hacked 19 hours ago and still have not been taken down yet! With how this worm works it's a bit of a pencils down moment... you probably should check your packages right now. https://www.npmjs.com/package/capacitor-voice-recorder-wav?activeTab=code #nodejs #npm #ShaiHulud #javascript

I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).

Linked them all from my readme in case those work better for you.

Best way to beat a worm like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.

By using more than one, hopefully we make the attacker's job of evading all of us harder.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools

#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft

GitHub - datapartyjs/walk-without-rhythm: A tool to check your repos for signs of NPM supply chain attack using BASH

Just finished landing Exit Code support. So now if more scanners are made or one of the projects gets more features you can quickly switch to whichever makes the most sense for your use case!

I literally lost a ton of sleep on this volunteer incident response work so I'm going to go touch grass for a bit.

More hacks later tonight, still got some loose ends gnawing at me lol.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#how-to-use

#nodejs #npm #javascript #Sha1Hulud #WalkWithoutRhythm #Sha1HuludScanner #cybersecurity


The fork of the CrowdStrike scanner introduced me to a really good idea, I should support the same exit code design so that our tools can work in tandem.

Maybe we detect different things or maybe one vs the other works in your environment.

So I made an issue to track this support:

https://github.com/datapartyjs/walk-without-rhythm/issues/18

#CrowdStrike #Sha1HuludScanner #WalkWithoutRhythm #cybersecurity #npm #nodejs

FEAT | Support CI/CD via exit codes · Issue #18 · datapartyjs/walk-without-rhythm

Another scanner introduced exit codes, that's a really good idea! We should adopt the same exit codes and meanings so our tools can easily be used interchangeably or in tandem. https://github.com/Ti...

Making my morning rounds and I can see that there are STILL infected packages, already detected by cybersecurity analysts, available on NPM this morning.

So I'm taking the time to go and personally message teams that haven't taken down their hacked packages.

Tracking that work with these two issues. I'm both manually spot checking the list and working on a script to automate that check. Moar PRs soon . . .

https://github.com/datapartyjs/walk-without-rhythm/issues/13

https://github.com/datapartyjs/walk-without-rhythm/issues/12

#ShaiHulud #WalkWithoutRhythm

TASK - Notify infected developers · Issue #13 · datapartyjs/walk-without-rhythm

I'm still seeing packages in NPM that are infected and have not been unpublished. I'll track the projects I've notified here. scgscorp/capacitor-voice-recorder-wav#1

If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.

Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day (to, you know, make money) but instead I'm doing worm mitigation 😭

https://ko-fi.com/nullagent
https://ko-fi.com/dataparty

#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm


Woot ok now that I have the dependency graph crawled I can just ship the listing of known bad NPM packages and just compare directly against that.

I updated the scanning script to alert if you have -any- version of an infected package.

You're gonna want to be very careful if you're not infected but have one of these dependencies present.

https://github.com/datapartyjs/walk-without-rhythm/blob/main/data/infected-pkgs-versions.txt

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
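The check described above, as an added example that is not the walk-without-rhythm project's own code: walk a package-lock.json dependency tree and flag any dependency whose name appears on a known-infected list, with a higher severity when the exact version matches. The list format ("name@version", one per line) and all sample data are assumed and constructed here, not taken from the real data file.

```javascript
// Constructed sample of a known-infected list in an assumed "name@version" format.
const INFECTED_LIST = `
# constructed sample, not the project's real data file
example-voice-recorder@1.2.3
example-left-pad@0.9.0
`;

// Parse "name@version" lines into Map<name, Set<version>>; '#' lines are comments.
function parseInfectedList(text) {
  const byName = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const at = line.lastIndexOf('@'); // lastIndexOf keeps scoped names (@scope/pkg) intact
    const name = line.slice(0, at);
    const version = line.slice(at + 1);
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(version);
  }
  return byName;
}

// Scan a lockfileVersion 2/3 "packages" map. Keys look like "node_modules/foo"
// or, for nested installs, "node_modules/foo/node_modules/bar"; the package
// name is whatever follows the last "node_modules/" segment.
function scanLockfile(lockJson, infected) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockJson.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const badVersions = infected.get(name);
    if (!badVersions) continue;
    // Any version of a listed package is reported; an exact version hit is the strongest signal.
    const severity = badVersions.has(meta.version) ? 'INFECTED_VERSION' : 'LISTED_PACKAGE_OTHER_VERSION';
    findings.push({ name, path, version: meta.version, severity });
  }
  return findings;
}

// Constructed lockfile: one exact-version hit, one other-version hit, one clean package.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-voice-recorder': { version: '1.2.3' },
    'node_modules/harmless/node_modules/example-left-pad': { version: '0.8.1' },
    'node_modules/harmless': { version: '2.0.0' },
  },
};

function runSample() {
  return scanLockfile(SAMPLE_LOCK, parseInfectedList(INFECTED_LIST));
}
```

On a real project, replace SAMPLE_LOCK with JSON.parse of the package-lock.json and INFECTED_LIST with the contents of the list file; a non-empty result is the condition a CI job would turn into a failing exit code.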