GitLab discovers widespread NPM supply chain attack

https://news.ycombinator.com/rss Hits: 14
Summary

GitLab's Vulnerability Research team has identified an active, large-scale supply chain attack involving a destructive malware variant spreading through the npm ecosystem. Our internal monitoring system has uncovered multiple infected packages containing what appears to be an evolved version of the "Shai-Hulud" malware. Early analysis shows worm-like propagation behavior that automatically infects additional packages maintained by impacted developers. Most critically, we've discovered the malware contains a "dead man's switch" mechanism that threatens to destroy user data if its propagation and exfiltration channels are severed. We verified that GitLab was not using any of the malicious packages and are sharing our findings to help the broader security community respond effectively.

Inside the attack

Our internal monitoring system, which scans open-source package registries for malicious packages, has identified multiple npm packages infected with sophisticated malware that:

- Harvests credentials from GitHub, npm, AWS, GCP, and Azure
- Exfiltrates stolen data to attacker-controlled GitHub repositories
- Propagates by automatically infecting other packages owned by victims
- Contains a destructive payload that triggers if the malware loses access to its infrastructure

While we've confirmed several infected packages, the worm-like propagation mechanism means many more packages are likely compromised. The investigation is ongoing as we work to understand the full scope of this campaign.

Technical analysis: How the attack unfolds

Initial infection vector

The malware infiltrates systems through a carefully crafted multi-stage loading process. Infected packages contain a modified package.json with a preinstall script pointing to setup_bun.js. This loader script appears innocuous, claiming to install the Bun JavaScript runtime, which is a legitimate tool. However, its true purpose is to establish the malware's execution environment.
// This file gets added to victim's packages as...

First seen: 2025-11-28 03:39

Last seen: 2025-11-28 16:41