- Hundreds of npm packages were compromised by a self-replicating worm named Shai-Hulud; GitHub removed 500+ compromised versions.
- The malware steals secrets (npm tokens, GitHub PATs, cloud keys) and republishes infected packages using the publishing rights of the affected maintainers.
- Evidence points to Linux and macOS targeting, abuse of TruffleHog, and a GitHub Actions workflow that exfiltrates data.
- Immediate steps: rotate tokens, audit dependencies and GitHub repositories, enforce MFA/2FA, and hunt for IoCs, including bundle.js and webhook.site traffic.

What began as a supply-chain scare in the JavaScript world has grown into a major incident for the npm ecosystem. Reports from multiple sources confirm a self-propagating malware strain, Shai-Hulud, that steals developer credentials, exposes code, and republishes compromised packages to keep the infection going.
While counts vary by source, the consensus is clear: we are dealing with hundreds of poisoned releases, including a widely used library that is downloaded millions of times a week. GitHub removed more than 500 compromised versions to slow the spread, and security teams worldwide are urging developers to rotate credentials and sweep their repositories and pipelines for signs of intrusion.
What happened and why it matters
Research indicates the operation likely began with a credential-harvesting phishing campaign impersonating npm, nudging maintainers to "update" their MFA settings. With access in hand, the threat actor pushed a worm that runs after install, hunts for secrets, and republishes infected builds under the victim's identity, turning trusted maintainers into unwitting amplifiers of the attack.
Shai-Hulud combines two dangerous ideas: automated propagation and secret theft. It abuses stolen npm tokens to publish new package versions, and it harvests GitHub tokens and cloud keys (AWS, GCP, Azure) for lateral movement and data exfiltration. That combination supercharges the blast radius, letting a single compromise cascade to countless downstream users.
Targeting shows a bias toward Unix-like systems. Analysis notes that the most malicious logic executes on Linux and macOS, based on environment checks, although the secret-discovery stage (notably the one built on TruffleHog) can run more broadly. That focus narrows the worm's footprint but still leaves a large number of developer machines exposed.
Packages from several large organizations were affected, alongside popular community projects. In one prominent example, the @ctrl/tinycolor package, downloaded millions of times weekly, was pulled into the campaign, showing how deeply an infection can penetrate dependency graphs.
How the worm works (technical breakdown)
The core payload ships as a large JavaScript file, typically named bundle.js (over 3 MB in observed samples). It executes via a postinstall hook added to package.json, which means the malicious code runs automatically after a user installs the package from npm.
Inside bundle.js are tooling for GitHub API interaction, cloud SDKs (AWS/GCP), networking helpers, and routines for running TruffleHog to discover secrets. The script fingerprints the OS, locates the npm token, and checks for a valid GitHub token; if none is found it bails out, otherwise it begins exfiltration and replication.
Another notable detail: some infected packages contained an archive named package.tar instead of following the usual naming convention, a tell that helped researchers spot anomalous releases. Analysts also noted variants implemented as a preinstall hook; one early case cited is ngx-bootstrap 18.1.4, which may have been the initial beachhead in the spread.
Once running, the malware enumerates the maintainer's most downloaded packages via the npm API, unpacks each tarball, drops in bundle.js, injects the install command, bumps the version, and republishes to npm with the victim's token. This turns the developer's own portfolio into a vehicle for further infections.
Secret exfiltration and the GitHub Actions workflow
To harvest credentials, Shai-Hulud scans for npm tokens, GitHub Personal Access Tokens, and cloud API keys (AWS, GCP, Azure). It then creates a public GitHub repository named 'Shai-Hulud' under the victim's account and commits a data file (for example, data.json) containing the stolen secrets, effectively exposing them to the world.
In parallel, researchers observed a subtler GitHub Actions angle: the worm creates a branch named 'shai-hulud' in repositories it can reach and pushes a workflow file (shai-hulud-workflow.yml). Triggered on push, the workflow collects secrets and ships them to attacker infrastructure, sometimes after double Base64 encoding to obscure the content in transit.
There is also evidence of a migration script that can take private/internal repositories from affected organizations and re-push them to the user's account as public mirrors. The aim is automated theft of private projects, adding pressure on affected teams.
Multiple reports noted artifacts of AI assistance in the bash scripts (comments and even emojis), suggesting the attacker may have used an LLM to accelerate development of the malware's automation tooling.
Scope and notable packages
In aggregate, GitHub removed 500+ compromised versions to break the worm's spread. While the exact total keeps evolving, the list spans many ecosystems and organizations, with downstream impact for developers who updated during the active window.
Among the most frequently cited packages and namespaces: @ctrl/tinycolor (millions of weekly downloads), multiple @crowdstrike/* components (such as commitlint and UI libraries), and numerous community frameworks including ngx-bootstrap, ng2-file-upload, ngx-toaster, and others. CrowdStrike stated that its core platform was not affected and that keys were rotated quickly after malicious entries were detected in the public registry.
- Examples tied to the wave: @ctrl/tinycolor; @crowdstrike/commitlint; @crowdstrike/foundry-js; @crowdstrike/glide-core; ngx-bootstrap; ng2-file-upload; ngx-toaster; @nativescript-community/*; @teselagen/*; @things-factory/*; and others.
- Researchers also saw multiple malicious versions of the same package in some cases, most likely because the worm propagated through several maintainers' accounts during the campaign.
Platform response and security changes
GitHub's immediate actions included purging known-bad packages from npm and blocking uploads that match Indicators of Compromise (IoCs). The company is also rolling out stricter publishing controls: mandatory 2FA for local publishing, short-lived granular tokens (for example, a seven-day lifetime), and broader support for Trusted Publishing to reduce reliance on long-lived secrets.
Upcoming changes will deprecate legacy classic tokens and TOTP-based 2FA for publishing, default to disallowing token-based publishing, and expand the set of providers for Trusted Publishing. GitHub signalled a gradual rollout with documentation and migration guides, acknowledging that some workflows will need adjustment.
Industry threat-intelligence and incident-response teams (including Unit 42, Kaspersky, Trend Micro, and others) are providing guidance and detections while sharing IoCs with peers and partners to speed up protective updates.
How to reduce risk now
Move fast under the assumption that any developer machine that recently installed npm packages may have exposed secrets. The priority is to contain the blast radius, stop persistence, and purge compromised dependencies from build chains.
- Rotate npm tokens, GitHub PATs/SSH keys, and cloud credentials (AWS/GCP/Azure) immediately; treat every secret present on a compromised developer workstation as exposed.
- Audit dependencies via package-lock.json/yarn.lock; remove or pin away from known compromised versions; reinstall from clean sources.
- Enforce MFA/2FA across GitHub and npm; move to Trusted Publishing where possible to cut long-lived tokens out of the loop.
- Check GitHub for unexpected public repositories named 'Shai-Hulud', unknown branches or workflows, and anomalous activity.
- Harden CI/CD with least-privilege RBAC, signed/verified artifacts, and continuous SCA scanning; treat open-source consumption as a managed risk.
Threat-hunting tips (high-confidence signals)
Look for outbound connections to webhook.site, particularly the URI observed in multiple reports. On endpoints, check for the presence of bundle.js in temporary or package directories and for a GitHub Actions file named shai-hulud-workflow.yml.
- Network telemetry: DNS/URL logs containing webhook.site; flag the specific path bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 if seen.
- File telemetry: creation or execution of bundle.js; presence of shai-hulud-workflow.yml on Linux/macOS developer hosts.
- Process telemetry: TruffleHog invocations where they are not expected (note that legitimate use may exist in some organizations).
Indicators of compromise (IoCs)
File names and strings seen in the investigation include bundle.js and shai-hulud-workflow.yml, with the literal string 'shai-hulud' appearing in branches, repositories, and workflows.
- Files: bundle.js; shai-hulud-workflow.yml
- Strings: shai-hulud; package.tar
- Hashes (selected; the 64-character values are SHA-256, the 32-character ones are presumably MD5): 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09; b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777; dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c; 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db; C96FBBE010DD4C5BFB801780856EC228; 78E701F42B76CCDE3F2678E548886860
- Network: https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 (variants with minor path differences)
Timeline and ongoing investigation
Reports date the first detections to mid-September 2025, with peak containment activity around September 16-19. GitHub and several vendors have updated protections, detections, and guidance. Expect further substantive findings as teams finish their post-incident analysis and expand the lists of affected packages.
Some evidence suggests the incident built on earlier secret leaks, showing how long-lived stored tokens and previously leaked data can seed a new wave of compromise months later. That should strengthen efforts to shorten secret lifetimes and adopt publishing models that minimize secret exposure.
Not every report agrees on exact totals or on the initial seed package, but the overall picture is consistent: a self-replicating npm worm that weaponized developer trust and automated publishing rights to scale faster than many teams could detect through manual review alone.
The incident shows how quickly modern build pipelines can be turned into highways for malware. By adding verification, removing long-lived tokens from the path, hardening CI/CD, and hunting for IoCs, organizations can contain their exposure today and make the next wave harder to execute.
