Supply chain attacks are all the rage nowadays, but detecting that you’ve had your credentials swiped by one is a lot of work because they are stealthy. They might have run once in your CI or on a developer’s laptop, and you won’t know until you’re suddenly the one unwittingly pushing the next version of shai-hulud to all the open source repositories you maintain.
Or maybe the incident report tells you, after you’ve been ransomed.
AWS canary-tokens as shai-hulud detectors
Luckily there is an easy and free solution to this. Deploy AWS canarytokens on all your build systems and developer laptops.
What are canarytokens?
They are a kind of honeypot token which the nice people over at thinkst provide for free on canarytokens.org.
What are honeypot-tokens?
A honeypot, in information security, is a lure which imitates something valuable but when interacted with will alert defenders.
These days “token” mostly brings AI compute to mind, but in this context it means a piece of information that has some kind of value to an attacker.
How can I get my free shai-hulud detector token?
Easy. Go to canarytokens.org and create an AWS token. Important detail: don’t be shy with the description. I mean it. Definitely do not write “test 123” and then deploy it. If you do, you will be very upset with yourself when you get an alert in two months and have no idea where it triggered from. Ask me how I know (not an AWS token, but a Word doc…).
This will give you this:
[default]
aws_access_key_id = AKIAUE4EELJI2R6G527L
aws_secret_access_key = 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
output = json
region = us-east-2
Take this and put it in ~/.aws/credentials, in the environment, or wherever you store secrets. For detecting shai-hulud variants, putting it in the file is enough.
Then wait. Hopefully it will never trigger, but if it does, you know you have some work to do.
Also put this into your CI systems.
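The deployment step above is easy to get wrong on a fleet of laptops and runners (clobbering a real profile, forgetting which host got which token), so here is a small installer as an added example; it is not the post author’s tooling or anything from thinkst. It writes the decoy into an AWS credentials file with configparser, refuses to overwrite an existing profile that holds different values, exposes the same decoy as AWS_* environment variables for CI, and has a verify function you can run from a cron job to confirm the lure is still in place. The key and secret in CANARY are constructed placeholders; paste the values you generated on canarytokens.org instead.

```python
"""Install a canarytokens.org AWS credential as a decoy profile.

Added example for this post, not the author's own tooling. The key and
secret below are constructed placeholders; paste the values you generated
on canarytokens.org instead.
"""
import configparser
import os
import tempfile
from pathlib import Path

# Constructed placeholder credentials (not a real key and not a canary).
CANARY = {
    "aws_access_key_id": "AKIAEXAMPLECANARY0000",
    "aws_secret_access_key": "EXAMPLE+CanarySecretPlaceholder/NotReal00",
    "output": "json",
    "region": "us-east-2",
}


def _parser():
    # interpolation=None so '%' in a secret is never treated as a format string
    return configparser.ConfigParser(interpolation=None)


def install_canary(credentials_path, values=CANARY, profile="default", overwrite=False):
    """Write the decoy profile into an AWS credentials file.

    Returns True if the file was written, False if the decoy was already
    there. Raises ValueError if `profile` exists with different values and
    overwrite is False, so a real credential is never silently replaced.
    """
    path = Path(credentials_path)
    cp = _parser()
    if path.exists():
        cp.read(path)
    if cp.has_section(profile) and not overwrite:
        if dict(cp[profile]) == values:
            return False
        raise ValueError(f"profile {profile!r} already exists in {path}")
    cp[profile] = values
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cp.write(fh)
    # A worm running as the user reads the file regardless of mode; 0600 just
    # matches what the AWS CLI expects and keeps other local users out.
    os.chmod(path, 0o600)
    return True


def verify_canary(credentials_path, access_key_id, profile="default"):
    """Check that the decoy is still in place (run periodically from cron/CI)."""
    path = Path(credentials_path)
    if not path.exists():
        return False
    cp = _parser()
    cp.read(path)
    return cp.has_section(profile) and cp[profile].get("aws_access_key_id") == access_key_id


def canary_env(values=CANARY):
    """The same decoy as environment variables, for CI jobs that read AWS_* vars."""
    return {
        "AWS_ACCESS_KEY_ID": values["aws_access_key_id"],
        "AWS_SECRET_ACCESS_KEY": values["aws_secret_access_key"],
        "AWS_DEFAULT_REGION": values["region"],
    }


def demo():
    """Exercise install/verify in a throwaway directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        creds = Path(tmp) / ".aws" / "credentials"
        first = install_canary(creds)           # fresh install
        second = install_canary(creds)          # idempotent re-run
        ok = verify_canary(creds, CANARY["aws_access_key_id"])
        mode = creds.stat().st_mode & 0o777

        # A host that already has a real [default] profile must not be clobbered.
        real = {"aws_access_key_id": "AKIAREALPLACEHOLDER00",   # constructed
                "aws_secret_access_key": "real-secret-placeholder"}
        existing = Path(tmp) / "existing" / "credentials"
        install_canary(existing, values=real)
        try:
            install_canary(existing)
            clobbered = True
        except ValueError:
            clobbered = False
    return {"written": first, "rewritten": second, "verified": ok,
            "mode": mode, "clobbered": clobbered}


if __name__ == "__main__":
    print(demo())
    print(canary_env())
```

On a real host you would call install_canary(Path.home() / ".aws" / "credentials") once per machine, ideally with a profile name or description that tells you which host it came from, since the alert from canarytokens.org will only carry what you wrote when you generated the token.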
Demo
To show how this works in practice, I did a little demo. I created a sandbox, inserted this canarytoken, and then ran npm install on my neutered-hulud, which emulates the credential-stealing and credential-testing part of the shai-hulud style npm worms.
Then you get this in your email:

An additional bonus is that this will not only catch worms; it will catch anyone who is snooping around. It will also alert you immediately if you accidentally make the repository public.
Limitations
This relies on the worm testing the key. All the ones that have been in the news recently do so, but if that changes and they just silently exfiltrate the keys, you won’t know until someone actually tries the key at a later point.