https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack

Security researchers have uncovered a widespread malware campaign targeting the popular npm package repository. Dubbed “Shai Hulud 2.0,” the attack is estimated to have exposed up to 400,000 developer secrets, including API keys, database credentials, and other sensitive information.

The malware, which was discovered by the Checkmarx security team, was designed to infiltrate various open-source projects by hijacking the build process and injecting malicious code into the final package. Once installed, the malware would harvest and exfiltrate any sensitive information found on the affected systems, posing a significant risk to developers and the organizations they serve.

The scale and sophistication of the attack highlight the ongoing challenge of securing the software supply chain. Developers should review their dependencies, implement robust security measures, and remain vigilant for similar threats in the future.