Overview
- Wiz says roughly 400,000 raw secrets were published across 30,000 GitHub repositories tied to the latest wave, and over 60% of exposed NPM tokens were still valid as of December 1.
- The second wave involved more than 800 infected package versions in the NPM registry and self-propagated by harvesting credentials with TruffleHog and automatically publishing tainted releases.
- Analysis shows 99% of infections executed from the `preinstall` lifecycle hook via `node setup_bun.js`, with workflow files often added to GitHub Actions to serialize and exfiltrate credentials.
- Two packages—@postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3—accounted for over 60% of observed infections, highlighting how a few components drove most spread.
- CISA advises immediate rotation of credentials, auditing dependencies, enabling MFA, and pinning known-safe versions, as the malware also includes a fallback that can wipe a user's home directory.
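A defensive audit for the indicators named above, as an added example (not code from Wiz, CISA or any project mentioned): it walks a `node_modules` tree, flags the two compromised package versions and any `preinstall` hook that runs `setup_bun.js`. The package names, versions and command come from the summary; the sample tree the `demo()` helper builds is constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators from the summary: the two package@version pairs that drove most
# infections, and the preinstall command the payload used.
KNOWN_BAD = {("@postman/tunnel-agent", "0.6.7"), ("@asyncapi/specs", "6.8.3")}
PREINSTALL_PATTERN = re.compile(r"\bnode\s+\S*setup_bun\.js\b")


def check_manifest(meta: dict, label: str = "package.json") -> list[str]:
    """Return findings for one parsed package.json (empty list if clean)."""
    findings = []
    name, version = meta.get("name"), meta.get("version")
    if (name, version) in KNOWN_BAD:
        findings.append(f"{label}: known compromised version {name}@{version}")
    preinstall = (meta.get("scripts") or {}).get("preinstall", "")
    if isinstance(preinstall, str) and PREINSTALL_PATTERN.search(preinstall):
        findings.append(f"{label}: preinstall hook runs setup_bun.js: {preinstall!r}")
    return findings


def scan_node_modules(root) -> list[str]:
    """Check every package.json below root (normally a node_modules directory)."""
    findings = []
    for path in Path(root).rglob("package.json"):
        try:
            meta = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to check
        findings.extend(check_manifest(meta, str(path)))
    return findings


def demo() -> list[str]:
    """Build a constructed node_modules tree (not real packages) and scan it."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {  # one clean package, one that matches both indicators
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "@asyncapi/specs": {"name": "@asyncapi/specs", "version": "6.8.3",
                            "scripts": {"preinstall": "node setup_bun.js"}},
    }
    for folder, meta in samples.items():
        pkg_dir = root / folder
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return scan_node_modules(root)
```

Run `scan_node_modules("node_modules")` in a project checkout; an empty list means none of the listed indicators were found, not that the tree is clean.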