diff --git a/community/catalog/compromises/2025/nullifAI.md b/community/catalog/compromises/2025/nullifAI.md new file mode 100644 index 000000000..24cf00239 --- /dev/null +++ b/community/catalog/compromises/2025/nullifAI.md @@ -0,0 +1,19 @@ +# nullifAI + +Two malicious pickles were discovered by ReversingLab in February, 2025. +Pickle is a commonly and popularly used to serialize and deserialize ML model data, supported in platforms such as Hugging Face. +The malware contained a reverse shell that connected to a hardcoded IP address. +Note, that even broken Pickle files could execute malicious code on a developer system. + +## Impact + +* HuggingFace removed the malicious models within 24 hours of disclosure. +* The Picklescan tool was improved to identify threats in “broken” Pickle files. + +## Type of Compromise + +The attack leveraged the trust of models available in Hugging face. Hence, is a leveraged **Trust and Signing**. + +## References + +* [ReversingLabs](https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face) diff --git a/community/catalog/compromises/2025/qix.md b/community/catalog/compromises/2025/qix.md new file mode 100644 index 000000000..cbc3f8365 --- /dev/null +++ b/community/catalog/compromises/2025/qix.md 
@@ -0,0 +1,22 @@ +# npm phishing campaign + +In September 2025, an npm maintainer (Qix) was compromised by a phishing email `support [at] npmjs [dot] help` (created three days before the attack). +The adversaries uploaded malicious code to 18 npm packages maintained by the developer, with more than 2 billion downloads per week. +The malware injects itself within the browser, watches for cryptocurrency wallets transfers, rewrites destinations to attacker controlled addresses, hijacks the transactions, and remains stealthy. + +## Impact + +* The compromised versions of the packages were removed within the same day. +* Although the packages compromised were quite popular, the economic impact of the attack was not severe. Only $500 was stolen as of September 9th. +* The attack may have inspired similar campaigns in other package managers such as [crates.io](https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/) and [PyPi](https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/). + +## Type of Compromise + +The attack started through **Social Engineering/Phishing Attack**. Then **Attack Chaining** was used to introduce malware within the packages. + +## References + +* [Aikido](https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised) +* [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-59145) +* [Socket](https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack) +* [Arkham](https://info.arkm.com/research/npm-attack-hacker-javascript-supply-chain-500-2025) diff --git a/community/catalog/compromises/2025/shai-hulud.md b/community/catalog/compromises/2025/shai-hulud.md new file mode 100644 index 000000000..0cdf92b47 --- /dev/null +++ b/community/catalog/compromises/2025/shai-hulud.md 
@@ -0,0 +1,23 @@ +# Shai-Hulud Self-Replicating Worm + +In September 2025, the "Shai-Hulud" self-replicating worm was discovered by Socket. +After gaining initial access to an account, malware scanned for sensitive credentials, which were then exfiltrated. +The credentials were then used to publish a new version of packages that the developers maintained or could access. +Hence, users of the package were then infected and were replicating the malware. +The name of the attack comes from the `shai-hulud.yaml`, a reference to the sandworms in Dune. + +## Impact + +* The compromised npm packages and packages with Indicators of Compromise were removed. +* The US Cybersecurity and Infrastructure Security Agency (CISA) released an alert about the attack. +* npm acted to harden publishing by local publishing with required two-factor authentication (2FA), granular tokens with limited lifetime, and trusted publishing. + +## Type of Compromise + +**Attack Chaining** was used throughout the attack. + +## References + +* [CISA](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem) +* [GitHub](https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/) +* [Socket](https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages) diff --git a/community/catalog/compromises/README.md b/community/catalog/compromises/README.md index f18356b85..10cd5f2e9 100644 --- a/community/catalog/compromises/README.md +++ b/community/catalog/compromises/README.md 
@@ -29,6 +29,9 @@ of compromise needs added, please include that as well. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [Shai-Hulud](2025/shai-hulud.md) | 2025 | Attack Chaining | [1](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem) [2](https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages) | +| [npm phishing campaign](2025/qix.md) | 2025 | Social Engineering/Phishing Attack/Attack Chaining | [1](https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised) | +| [nullifAI](2025/nullifAI.md) | 2025 | Trust and Signing | [1](https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face) | | [Solana Web3.js Code Injection](2024/solana_web3js.md) | 2024 | Social Engineering/Phishing Attack | [1](https://www.reversinglabs.com/blog/malware-found-in-solana-npm-library-with-50m-downloads) [2](https://x.com/0xMert_/status/1864069157257613719) | | [Polyfill.io Infrastructure Takeover Leading to Malware Distribution](2024/polyfill.md) | 2024 | Publishing Infrastructure | [1](https://sansec.io/research/polyfill-supply-chain-attack) | | [Malware Disguised as Installer used to target Korean Public Institution](2024/targeted-signed-endoor.md) | 2024 | Trust and Signing | [1](https://asec.ahnlab.com/en/63396/) |
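Review bot: In nullifAI.md the opening sentence credits "ReversingLab", while the reference link and the README row point to ReversingLabs; fix the name, and settle on one spelling of Hugging Face (the file uses "Hugging Face", "HuggingFace" and "Hugging face"). Two sentences also need rewording: "Pickle is a commonly and popularly used to serialize" is missing a noun (for example "Pickle is a commonly used format to serialize and deserialize ML model data"), and "Hence, is a leveraged **Trust and Signing**" does not parse; "Hence, it is a **Trust and Signing** compromise" would match the README category. The Impact section says Picklescan was improved for "broken" Pickle files, so the description should carry one sentence on why a broken file can still execute code, otherwise the two statements do not connect.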
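Review bot: In qix.md the first sentence reads as if the maintainer was compromised by an email address, and the parenthetical "(created three days before the attack)" has no clear subject; say that the phishing email was sent from `support [at] npmjs [dot] help` and state what was created three days earlier (the address or the domain). "PyPi" should be "PyPI" and "cryptocurrency wallets transfers" should be "cryptocurrency wallet transfers". The figure in "Only $500 was stolen as of September 9th" should point inline at the reference that supports it, and the NIST NVD link (CVE-2025-59145) is listed under References without the text saying what that entry covers.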
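Review bot: In shai-hulud.md the description begins at "After gaining initial access to an account" and the Type of Compromise section lists only **Attack Chaining**, so the entry never says how the first account was compromised; add the initial vector with its category, or state that it is not known. "The name of the attack comes from the `shai-hulud.yaml`" is missing the noun after the filename; say what kind of file it is and where it appeared. The third Impact bullet, "harden publishing by local publishing with required two-factor authentication (2FA)", is hard to parse; listing the three measures as parallel items would fix it. "Packages with Indicators of Compromise" is also vague and could name which indicators, or link to the reference that lists them.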
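Review bot: In the README.md table, the new npm phishing campaign row gives the type as "Social Engineering/Phishing Attack/Attack Chaining", but "Social Engineering/Phishing Attack" is already a single category (see the Solana Web3.js row), so the extra slash makes it read as three types; separate the two categories with a comma or another delimiter that cannot be confused with the slash inside the category name. The same row links only the Aikido post while qix.md lists four references, and the Shai-Hulud row leaves out the GitHub reference from shai-hulud.md; if the Link column is meant to be a subset, that is fine, otherwise bring the rows in line with the per-incident files.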