• HubertManne@piefed.social
    4 days ago

    For anyone who might think this is leftover from before, it is in fact a new variant that went out over the weekend and is a bit more dickish with file deletion activity. Here is what I see as the meat:

    GitHub is deleting the attacker’s repositories as they emerge, but the threat actor appears to be creating new ones very fast.

    On the list of 186 packages that Aikido Security found to be compromised with a new version of the Shai Hulud malware, there are multiple packages from Zapier, ENS Domains, PostHog, and AsyncAPI.

    The compromised Zapier packages constitute the official toolkit for building Zapier integrations and are essential for Zapier developers.

    The EnsDomains packages are tools and libraries widely used by wallets, DApps, exchanges, and the ENS Manager app, to handle .eth names, resolving them to Ethereum addresses, linking IPFS content, validating names, and interacting with the official ENS smart contracts.

    All of the compromised packages are available for download from npm. However, in some cases, the platform displays a warning message about unauthorized publication of the latest version, indicating that the automated review has caught signs of a compromise.