- Hundreds of npm packages were compromised by a self-replicating worm dubbed Shai-Hulud; GitHub removed 500+ malicious versions.
- The malware steals secrets (npm tokens, GitHub PATs, cloud keys) and republishes infected packages using the victims' publishing rights.
- Evidence points to Linux and macOS being targeted, abuse of TruffleHog, and a GitHub Actions workflow that exfiltrates data.
- Immediate steps: rotate tokens, audit dependencies and GitHub repos, enforce MFA/2FA, and hunt for IoCs including bundle.js and webhook.site traffic.

What began as another supply-chain scare in the JavaScript world has grown into a major incident for the npm ecosystem. Reports from multiple sources confirm a self-propagating strain of malware, tracked as Shai-Hulud, that compromises developer credentials, exposes code, and republishes tainted packages to keep the infection going.
Although the numbers vary by source, the consensus is clear: hundreds of poisoned releases, including a widely used library downloaded millions of times per week. GitHub has removed more than 500 compromised versions to curb the spread, and security teams worldwide are urging developers to rotate credentials and sweep their environments and pipelines for indicators of compromise.
What happened and why it matters
Investigators believe the campaign likely began with credential-harvesting phishing lures impersonating npm, nudging maintainers to "update" their MFA settings. With access in hand, the threat actor deployed a worm that runs after installation, hunts for secrets, and republishes infected builds under the compromised identity, turning trusted maintainers into attack amplifiers.
Shai-Hulud combines two dangerous ideas: automated propagation and secret theft. It abuses stolen npm tokens to publish new package versions and uses GitHub tokens and cloud keys (AWS, GCP, Azure) to move laterally and exfiltrate data. The pairing dramatically enlarges the blast radius: a single compromise cascades to many downstream users.
Targeting appears skewed toward Unix-like systems. Analysis notes that most of the malicious logic runs on Linux and macOS, gated by environment checks, although the secret-discovery stage (chiefly via TruffleHog) can run more broadly. That focus narrowed the worm's footprint but still left a wide swath of developer machines exposed.
Packages from several notable organizations were affected, along with popular community modules. In one high-profile example, the @ctrl/tinycolor package, downloaded millions of times per week, was pulled into the campaign, showing how deep an infection can penetrate the dependency graph.
How the worm works (technical breakdown)
The main payload is delivered as a large JavaScript file, typically named bundle.js (over 3 MB in observed samples). It is wired in through a postinstall hook added to package.json, so the malicious code runs automatically once a user installs the package from npm.
Inside bundle.js are modules for GitHub API interaction, cloud SDKs (AWS/GCP), network helpers, and routines that launch TruffleHog for secret discovery. The script fingerprints the OS, retrieves the npm token, and checks for a valid GitHub token; if none is found it bails out, otherwise it begins exfiltration and replication.
A notable quirk: some infected packages shipped an archive named package.tar instead of the usual naming convention, a tell that helped researchers flag compromised artifacts. Analysts also saw variants wired in as a preinstall hook; one early case cited was ngx-bootstrap 18.1.4, which may have served as the initial beachhead for propagation.
Once running, the malware enumerates the developer's most-downloaded packages via the npm search API, unpacks each tarball, drops in bundle.js, injects the postinstall command, bumps the version, and republishes to npm with the victim's token. A developer's whole portfolio becomes a vehicle for further infection.
Secret exfiltration and the GitHub workflow
To harvest credentials, Shai-Hulud scans for npm tokens, GitHub Personal Access Tokens, and cloud API keys (AWS, GCP, Azure). It then creates a public GitHub repo named 'Shai-Hulud' under the victim's account and commits a data file (e.g., data.json) holding the stolen secrets, effectively exposing them to the world.
In parallel, researchers observed a cunning GitHub Actions angle: the worm creates a branch named 'shai-hulud' in every repository it can reach and pushes a workflow file (shai-hulud-workflow.yml). Triggered on push, the workflow collects secrets and sends them to attacker infrastructure, sometimes after double Base64 encoding to obfuscate the content in transit.
There is also evidence of a migration script that clones private/internal repos from organizations the victim can access and recreates them under the user's account as public mirrors. The goal appears to be automated theft of source code from private projects, adding pressure on affected organizations.
Several reports note AI-assistance artifacts in the bash script (comments and even emojis), suggesting the attacker may have used an LLM to speed up development of the malware's automated components.
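The exfiltrated secrets described above arrive either as a data.json committed to a public repo or as a workflow POST body, sometimes wrapped in two layers of Base64. The helper below is an added example for triaging such a capture; it is not code from the original report or from any of the vendors it cites. It strips Base64 layers until the payload stops decoding or parses as JSON, then lists credential-shaped strings. The sample blob is constructed here, the token values are fake placeholders, and the only facts assumed are the public token prefixes (npm_ for npm granular tokens, ghp_/gho_/ghu_/ghs_/ghr_ for GitHub tokens, AKIA/ASIA for AWS access key IDs); the regexes are loose triage patterns, not validators.

```python
"""Added triage helper (not from the report): peel Base64 layers off a
captured exfil blob and list credential-shaped values inside it."""
import base64
import binascii
import json
import re

# Public token prefixes; the patterns are intentionally loose (prefix plus a
# run of token characters) because the goal is triage, not validation.
CREDENTIAL_PATTERNS = {
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{20,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}
MAX_LAYERS = 5  # stop runaway decoding of data that merely looks like Base64


def looks_like_json(data: bytes) -> bool:
    try:
        json.loads(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def peel_base64(blob: bytes, max_layers: int = MAX_LAYERS) -> tuple[bytes, int]:
    """Remove successive Base64 layers; return (payload, layers_removed).

    A layer is only removed when the data decodes strictly (validate=True,
    so stray characters end the loop) and the result is still UTF-8 text.
    Decoding stops early once the payload parses as JSON, the shape of the
    data.json artifact described in the report.
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers and current:
        try:
            decoded = base64.b64decode(current, validate=True)
            decoded.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        current = decoded.strip()
        layers += 1
        if looks_like_json(current):
            break
    return current, layers


def extract_credentials(payload: bytes) -> dict[str, list[str]]:
    """Credential-shaped strings grouped by type, de-duplicated, order kept."""
    text = payload.decode("utf-8", errors="replace")
    found: dict[str, list[str]] = {}
    for kind, pattern in CREDENTIAL_PATTERNS.items():
        hits = list(dict.fromkeys(pattern.findall(text)))
        if hits:
            found[kind] = hits
    return found


def triage_blob(blob: bytes) -> dict:
    payload, layers = peel_base64(blob)
    return {
        "layers_removed": layers,
        "is_json": looks_like_json(payload),
        "credentials": extract_credentials(payload),
    }


# CONSTRUCTED sample: fake secrets built from the real prefixes, then
# double Base64-encoded the way the report says the workflow sometimes did.
SAMPLE_DATA_JSON = json.dumps({
    "npm": {"token": "npm_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"},
    "github": {"token": "ghp_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp9Oo8"},
    "aws": {"access_key_id": "AKIAABCDEFGHIJKLMNOP", "secret": "not-matched-here"},
}).encode()
SAMPLE_DOUBLE_ENCODED = base64.b64encode(base64.b64encode(SAMPLE_DATA_JSON))

if __name__ == "__main__":
    print(json.dumps(triage_blob(SAMPLE_DOUBLE_ENCODED), indent=2))
```

Feed it the raw request body from a proxy capture or the contents of a recovered data.json; a non-zero layers_removed with credentials found is the signal to start rotating those specific tokens first.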
Scope and notable packages
Across targeted takedowns, GitHub removed 500+ compromised versions to break the worm's spread. While exact totals are still emerging, the list spans ecosystems and multiple orgs, with downstream impact on developers who updated during the active window.
Among the packages and namespaces cited most often: @ctrl/tinycolor (millions of weekly downloads), several @crowdstrike/* components (such as the commitlint and UI libraries), and a long list of community modules including ngx-bootstrap, ng2-file-upload, ngx-toastr, and more. CrowdStrike indicated that its core platform was unaffected and that keys were rotated promptly after the malicious entries were detected in the public registry.
- Examples tied to the wave: @ctrl/tinycolor; @crowdstrike/commitlint; @crowdstrike/foundry-js; @crowdstrike/glide-core; ngx-bootstrap; ng2-file-upload; ngx-toastr; @nativescript-community/*; @teselagen/*; @things-factory/*; and others.
- Researchers also saw multiple malicious versions per package in some cases, possibly because the worm spread through several maintainer accounts within the same project.
Platform response and security changes
GitHub's immediate actions included purging known-bad packages from npm and blocking uploads that match Indicators of Compromise (IoCs). The company also laid out stricter publishing controls: mandatory 2FA for local publishing, short-lived tokens (e.g., seven days), and wider adoption of Trusted Publishing to reduce reliance on long-lived secrets.
Upcoming changes will retire legacy tokens and TOTP-based 2FA for publishing, disallow token-based publishing by default, and expand the set of Trusted Publishing providers. GitHub signaled a gradual rollout with documentation and migration guides, acknowledging that some workflows will need rework.
Threat intelligence and incident-response teams across the industry (including Unit 42, Kaspersky, Trend Micro, and others) published guidance and detections while sharing IoCs with peers and communities to speed up defensive updates.
How to reduce risk now
Act immediately on the assumption that any developer machine that recently installed npm packages may have leaked secrets. The priorities are to contain credential abuse, stop persistence, and remove tainted dependencies from build chains.
- Rotate npm tokens, GitHub PATs/SSH keys, and cloud credentials (AWS/GCP/Azure) immediately; treat every secret present on developer hosts as compromised.
- Audit dependencies through package-lock.json/yarn.lock; remove or pin away from known-bad versions; reinstall from clean sources.
- Enforce MFA/2FA across GitHub and npm; move to Trusted Publishing where possible to take long-lived tokens out of the loop.
- Review GitHub for unexpected public repos named 'Shai-Hulud', unusual branches or workflows, and anomalous Actions runs.
- Harden CI/CD with least-privilege RBAC, artifact signing/verification, and continuous SCA scanning; treat open-source consumption as a managed risk.
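The dependency-audit step above is the one most teams end up scripting, because a lockfile can pull a bad version in several times at different nesting depths. The script below is an added example, not tooling from the report or from GitHub, that walks a package-lock.json (lockfileVersion 2/3 "packages" map, with a fallback for the v1 "dependencies" tree) and reports every install path whose (name, version) is on a denylist. The only denylist entry is ngx-bootstrap 18.1.4, the early case the report cites; the lockfile is constructed for the demo, and 18.1.3 is assumed clean purely to show a non-matching nested install. yarn.lock uses a different format and is not parsed here.

```python
"""Added example (not from the report): audit package-lock.json against a
denylist of (name, version) pairs and list every affected install path."""
import json

# Keep this in a file you refresh from vendor advisories; the single entry
# here is the early case named in the report.
KNOWN_BAD = {
    ("ngx-bootstrap", "18.1.4"),
}


def lock_packages(lock: dict):
    """Yield (install_path, name, version) for every installed package."""
    if "packages" in lock:                      # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if path == "":                      # the root project entry
                continue
            # Nested installs look like a/node_modules/b; scoped names keep
            # their @scope/ prefix because we split on the last node_modules/.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version", "")
        return

    def walk(deps: dict, prefix: str):          # lockfileVersion 1 tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lock(lock: dict, known_bad=KNOWN_BAD) -> list[dict]:
    """Return one finding per denylisted install, including nested copies."""
    return [
        {"path": path, "name": name, "version": version}
        for path, name, version in lock_packages(lock)
        if (name, version) in known_bad
    ]


def audit_lock_file(path, known_bad=KNOWN_BAD) -> list[dict]:
    with open(path, encoding="utf-8") as fh:
        return audit_lock(json.load(fh), known_bad)


# CONSTRUCTED v3 lockfile: one denylisted install at the top level and one
# nested install at a version assumed clean for the demo.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/ngx-bootstrap": {"version": "18.1.4"},
        "node_modules/some-ui-kit": {"version": "2.3.0"},
        "node_modules/some-ui-kit/node_modules/ngx-bootstrap": {"version": "18.1.3"},
    },
}

if __name__ == "__main__":
    import sys
    hits = audit_lock_file(sys.argv[1]) if len(sys.argv) > 1 else audit_lock(SAMPLE_LOCK)
    for hit in hits:
        print(f"KNOWN BAD: {hit['name']}@{hit['version']} at {hit['path']}")
    sys.exit(1 if hits else 0)
```

Run it as `python audit_lock.py package-lock.json` in CI so a denylisted version fails the build; a non-zero exit is the contract most pipelines already understand.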
Threat hunting tips (high-signal checks)
Look for outbound connections to webhook.site domains, especially the URI seen in multiple reports. On endpoints, search for bundle.js in temporary or package directories and for a GitHub Actions file named shai-hulud-workflow.yml.
- Network telemetry: DNS/URL logs containing webhook.site; flag the specific path bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 if seen.
- File telemetry: creation or execution of bundle.js; presence of shai-hulud-workflow.yml on Linux/macOS developer hosts.
- Process telemetry: TruffleHog invocations where unexpected (note that legitimate use may exist in some organizations).
Indicators of compromise (IoCs)
File and string indicators observed across investigations include bundle.js and shai-hulud-workflow.yml, plus the literal string 'shai-hulud' in branch, repo, and workflow names.
- Files: bundle.js; shai-hulud-workflow.yml
- Strings: shai-hulud; package.tar
- Hashes (selected), SHA-256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09; b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777; dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c; 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db; MD5: C96FBBE010DD4C5BFB801780856EC228; 78E701F42B76CCDE3F2678E548886860
- Network: https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 (variants and minor path differences observed)
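The infection mechanics (a bundle.js dropped into the package and wired to a preinstall/postinstall hook, the package.tar naming quirk) and the file-telemetry hunting tips above reduce to one host-side sweep. The script below is an added example, not code from the report or from any vendor, that walks a project tree or developer home directory and reports the IoC filenames, any lifecycle script that executes bundle.js, and any file whose SHA-256 matches the hashes listed in the IoC section. The directory fixture built by build_demo_tree() is constructed so the script runs offline; the 16 MB hashing cap and the set of hashed file suffixes are practical assumptions, not figures from the report.

```python
"""Added example (not from the report): host-side hunt for the file
indicators it lists; the fixture is CONSTRUCTED so it runs offline."""
import hashlib
import json
import os
from pathlib import Path

# SHA-256 values copied from the report's IoC list.
IOC_SHA256 = {
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
}
IOC_FILENAMES = {"bundle.js", "shai-hulud-workflow.yml", "package.tar"}
HOOKS = ("preinstall", "install", "postinstall")   # npm lifecycle scripts
HASH_SUFFIXES = {".js", ".sh", ".yml", ".yaml", ".tar", ".tgz"}  # assumption
HASH_SIZE_CAP = 16 * 1024 * 1024                    # assumption: skip huge files
BIG_BUNDLE = 3 * 1024 * 1024                        # observed samples were > 3 MB


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_package_json(path: Path) -> list[dict]:
    """Flag any install-time lifecycle script that executes bundle.js."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return []
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    if not isinstance(scripts, dict):
        return []
    return [
        {"type": "install_hook", "path": str(path), "detail": f"{hook}: {scripts[hook]}"}
        for hook in HOOKS
        if "bundle.js" in str(scripts.get(hook, ""))
    ]


def hunt(root) -> list[dict]:
    """Walk root; return findings of type ioc_filename / install_hook / ioc_hash."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath, fname)
            try:
                size = p.stat().st_size
            except OSError:                     # dangling symlink, race, etc.
                continue
            if fname in IOC_FILENAMES:
                detail = f"ioc filename, size={size}"
                if fname == "bundle.js" and size > BIG_BUNDLE:
                    detail += " (>3 MB, like observed samples)"
                findings.append({"type": "ioc_filename", "path": str(p), "detail": detail})
            if fname == "package.json":
                findings.extend(check_package_json(p))
            if p.suffix in HASH_SUFFIXES and size <= HASH_SIZE_CAP:
                digest = sha256_of(p)
                if digest in IOC_SHA256:
                    findings.append({"type": "ioc_hash", "path": str(p), "detail": digest})
    return findings


def build_demo_tree(base: Path) -> Path:
    """CONSTRUCTED fixture: one infected-looking package, one clean one, one workflow."""
    bad = base / "node_modules" / "some-infected-pkg"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "some-infected-pkg", "scripts": {"postinstall": "node bundle.js"}}))
    (bad / "bundle.js").write_text("// placeholder, not the real payload\n")
    good = base / "node_modules" / "clean-pkg"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps(
        {"name": "clean-pkg", "scripts": {"postinstall": "node scripts/setup.js"}}))
    workflows = base / ".github" / "workflows"
    workflows.mkdir(parents=True)
    (workflows / "shai-hulud-workflow.yml").write_text("on: push\n")
    return base


def run_demo() -> list[dict]:
    """Build the fixture in a temp dir, hunt it, and return the findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    import sys
    results = hunt(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for f in results:
        print(f"[{f['type']}] {f['path']}: {f['detail']}")
```

Point it at a developer's home directory or a CI workspace (`python hunt.py ~`); a filename hit alone is worth a look, while a hash hit or a lifecycle hook running bundle.js is grounds to isolate the host and start the token rotation described above. The MD5 values in the IoC list are left out because the script only computes SHA-256.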
Timeline and ongoing analysis
Reports place initial detection in mid-September 2025, with the main takedown actions around September 16-19. GitHub and multiple vendors have since updated protections, detections, and guidance. Expect more retroactive findings as organizations complete incident reviews and extend the list of affected versions.
Some evidence suggests the incident built on earlier secret leaks, underscoring how long-lived tokens and cached credentials can fuel new waves of compromise months later. That should sharpen efforts to shorten token lifetimes and adopt publishing models that minimize secret sprawl.
Not every report agrees on exact totals or the first packages in the chain, but the overall picture is consistent: a self-replicating npm worm that weaponized developer trust and automated publishing rights to grow fast, faster than many teams could catch through manual review alone.
The event shows how modern build pipelines can turn into malware highways. By strengthening authentication, removing long-lived tokens from the path, hardening CI/CD, and hunting aggressively for IoCs, organizations can contain exposure today and make the next wave much harder to pull off.
