{"id":11004,"date":"2025-09-10T16:25:29","date_gmt":"2025-09-10T22:25:29","guid":{"rendered":"https:\/\/beaconlab.us\/?post_type=publicacion&#038;p=11004"},"modified":"2025-09-16T11:32:00","modified_gmt":"2025-09-16T17:32:00","slug":"alerta-2025-74-secuestro-de-paquetes-de-npm-populares","status":"publish","type":"publicacion","link":"https:\/\/beaconlab.us\/es\/publicacion\/alerta-2025-74-secuestro-de-paquetes-de-npm-populares\/","title":{"rendered":"Alert 2025-74 Hijacking of popular NPM packages"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Affected product(s):<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NPM (the Node.js package manager)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Description<\/h2>\n\n\n\n<p>It has been reported that criminals compromised <strong>popular NPM packages<\/strong> with a combined total of more than <strong>2 billion weekly downloads<\/strong>, in what is classified as a <strong>supply chain attack<\/strong>; a later, related wave of NPM package compromises has been dubbed <strong>Shai-Hulud<\/strong>. 
That later malware takes its name from the giant sandworms of Frank Herbert's <em>Dune<\/em> saga because it publishes all the credentials it steals in a public GitHub repository whose name includes \u201cShai-Hulud\u201d.<\/p>\n\n\n\n<p>NPM is the package manager of the popular JavaScript runtime Node.js, which runs JavaScript code on the server rather than only in the browser.<\/p>\n\n\n\n<p>The attackers injected malware into NPM packages with about 2.6 billion combined weekly downloads after taking over a maintainer's account through a phishing attack.<\/p>\n\n\n\n<p>According to Aikido Security, which analyzed the supply chain attack, the threat actors published new versions of the packages after taking control, injecting malicious code into the index.js files that acts as a browser-based interceptor capable of hijacking the application's network traffic and APIs.<\/p>\n\n\n\n<p>The malware works by injecting itself into the web browser and monitoring wallet addresses and transfers for Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash. In network responses that carry cryptocurrency transactions it replaces the destination addresses with attacker-controlled ones, hijacking the transactions before they are signed. 
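<\/p>\n\n\n\n<p>As an added example that is not part of the original advisory or of Aikido's analysis, the following JavaScript shows one way a page or an audit script can check whether the APIs named here (fetch, XMLHttpRequest, window.ethereum) have been replaced by a JavaScript wrapper of the kind the interceptor installs. A genuine engine built-in stringifies to <code>[native code]<\/code>, while a hook written in JavaScript stringifies to its own source. The scopes it checks are constructed for the demonstration: Node's own fetch is implemented in JavaScript, so an engine built-in stands in for the browser's native fetch; in a page you would pass <code>window<\/code>.<\/p>\n\n

```javascript
// Added example (not from the advisory): detect JavaScript wrappers around the
// browser APIs the interceptor hooks (fetch, XMLHttpRequest, window.ethereum).

// A genuine engine built-in stringifies as 'function fetch() { [native code] }'.
// A hook written in JavaScript stringifies as its own source text instead.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  // A bound function also prints '[native code]', but its name starts with
  // 'bound ', and a hook installed via bind is exactly what we want to flag.
  if (fn.name.startsWith('bound ')) return false;
  const src = Function.prototype.toString.call(fn).trim();
  return src.endsWith('{ [native code] }');
}

// Check the APIs named in the advisory on a scope object (window in a page) and
// return the names whose implementation no longer looks native. Entries that
// are absent or not functions (e.g. ethereum on a page with no wallet) are skipped.
function findHookedApis(scope) {
  const xhr = scope.XMLHttpRequest && scope.XMLHttpRequest.prototype;
  const candidates = {
    'fetch': scope.fetch,
    'XMLHttpRequest.prototype.open': xhr && xhr.open,
    'XMLHttpRequest.prototype.send': xhr && xhr.send,
    'ethereum.request': scope.ethereum && scope.ethereum.request,
  };
  return Object.entries(candidates)
    .filter(([, fn]) => typeof fn === 'function' && !looksNative(fn))
    .map(([name]) => name);
}

// --- Constructed scopes for the demonstration (assumption: stand-ins) -------
// Node's own fetch is written in JavaScript, so an engine built-in stands in
// for the browser's native fetch; in a real page window.fetch is native.
const nativeStandIn = Array.prototype.map;

const cleanScope = {
  fetch: nativeStandIn,
  XMLHttpRequest: { prototype: { open: nativeStandIn, send: nativeStandIn } },
};

// An interceptor-style hook: it calls through to the original but could rewrite
// the response before the page sees it. Its source is visible to toString.
// The wallet API is hooked via bind to show the second detection path.
function installHooks(scope) {
  const originalFetch = scope.fetch;
  scope.fetch = function fetch(...args) {
    return originalFetch.apply(this, args); // a response rewrite would go here
  };
  scope.ethereum = { request: scope.ethereum.request.bind(scope.ethereum) };
  return scope;
}

const hookedScope = installHooks({
  fetch: nativeStandIn,
  XMLHttpRequest: { prototype: { open: nativeStandIn, send: nativeStandIn } },
  ethereum: { request: nativeStandIn },
});

// findHookedApis(cleanScope) is empty; findHookedApis(hookedScope) names
// 'fetch' and 'ethereum.request'.
```

<p>Two caveats: a hook wrapped in a <code>Proxy<\/code> also stringifies to <code>[native code]<\/code> and keeps the original name, so it is not caught; and an attacker who also replaces <code>Function.prototype.toString<\/code> defeats the check entirely. Treat a clean result as a signal, not as proof.<\/p>\n\n\n\n<p>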
The malicious code does this by hooking JavaScript functions such as fetch and XMLHttpRequest, as well as wallet APIs (window.ethereum, Solana, etc.).<\/p>\n\n\n\n<p>The packages known to have been compromised during the attack are listed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>backslash@0.2.1 (0.26M weekly downloads)<\/li>\n\n\n\n<li>chalk-template@1.1.1 (3.9M weekly downloads)<\/li>\n\n\n\n<li>supports-hyperlinks@4.1.1 (19.2M weekly downloads)<\/li>\n\n\n\n<li>has-ansi@6.0.1 (12.1M weekly downloads)<\/li>\n\n\n\n<li>simple-swizzle@0.2.3 (26.26M weekly downloads)<\/li>\n\n\n\n<li>color-string@2.1.1 (27.48M weekly downloads)<\/li>\n\n\n\n<li>error-ex (47.17M weekly downloads)<\/li>\n\n\n\n<li>color-name@2.0.1 (191.71M weekly downloads)<\/li>\n\n\n\n<li>is-arrayish@0.3.3 (73.8M weekly downloads)<\/li>\n\n\n\n<li>slice-ansi@7.1.1 (59.8M weekly downloads)<\/li>\n\n\n\n<li>color-convert@3.1.1 (193.5M weekly downloads)<\/li>\n\n\n\n<li>wrap-ansi@9.0.1 (197.99M weekly downloads)<\/li>\n\n\n\n<li>ansi-regex@6.2.1 (243.64M weekly downloads)<\/li>\n\n\n\n<li>supports-color@10.2.1 (287.1M weekly downloads)<\/li>\n\n\n\n<li>strip-ansi@7.1.1 (261.17M weekly downloads)<\/li>\n\n\n\n<li>chalk@5.6.1 (299.99M weekly downloads)<\/li>\n\n\n\n<li>debug@4.4.2 (357.6M weekly downloads)<\/li>\n\n\n\n<li>ansi-styles@6.2.2 (371.41M weekly downloads)<\/li>\n\n\n\n<li>color@5.0.1<\/li>\n<\/ul>\n\n\n\n<p>Researchers note that several conditions had to coincide for the impact to be significant:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A fresh install between 9:00 a.m. and 11:30 a.m. US Eastern time, the window during which the packages were compromised<\/li>\n\n\n\n<li>A package-lock.json created (or updated) during that window, so that it pinned the malicious versions<\/li>\n\n\n\n<li>The compromised packages present as direct or transitive dependencies<\/li>\n<\/ul>\n\n\n\n<p>The <strong>Socket.dev<\/strong> team reported that the <strong>Shai-Hulud<\/strong> attack briefly compromised at least 25 NPM packages maintained by <strong>CrowdStrike<\/strong>. According to CrowdStrike, once the malicious packages were detected in the public NPM registry they were removed immediately and the affected keys were rotated. <strong>CrowdStrike clarified that these packages are not part of the Falcon sensor, so its platform was not compromised and customers remain protected.<\/strong> It also confirmed that it is working with NPM and conducting a thorough investigation of the incident. CrowdStrike has not yet published a formal advisory on the matter.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Mitigation:<\/h2>\n\n\n\n<p>Several of these packages have already been updated with clean releases; we recommend reviewing your package.json and package-lock.json files to see which versions you are on.<\/p>\n\n\n\n<p>Researcher Kostas T has prepared a set of commands that search your package manifests and lockfiles for the compromised versions of these libraries:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Linux \/ macOS<\/li>\n<\/ul>\n\n\n\n<pre><code>find . -type f \\( -name \"package*.json\" \\) -exec grep -H -E '\"(ansi-styles\": \"\\^?6\\.2\\.2|debug\": \"\\^?4\\.4\\.2|chalk\": \"\\^?5\\.6\\.1|supports-color\": \"\\^?10\\.2\\.1|strip-ansi\": \"\\^?7\\.1\\.1|ansi-regex\": \"\\^?6\\.2\\.1|wrap-ansi\": \"\\^?9\\.0\\.1|color-convert\": \"\\^?3\\.1\\.1|color-name\": \"\\^?2\\.0\\.1|is-arrayish\": \"\\^?0\\.3\\.3|slice-ansi\": \"\\^?7\\.1\\.1|color\": \"\\^?5\\.0\\.1|color-string\": \"\\^?2\\.1\\.1|simple-swizzle\": \"\\^?0\\.2\\.3|supports-hyperlinks\": \"\\^?4\\.1\\.1|has-ansi\": \"\\^?6\\.0\\.1|chalk-template\": \"\\^?1\\.1\\.1|backslash\": \"\\^?0\\.2\\.1)\"' {} \\;<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows<\/li>\n<\/ul>\n\n\n\n<pre><code>Get-ChildItem -Recurse -Include package.json, package-lock.json |\n  Select-String -Pattern '\"(ansi-styles\": \"\\^?6\\.2\\.2|debug\": \"\\^?4\\.4\\.2|chalk\": \"\\^?5\\.6\\.1|supports-color\": \"\\^?10\\.2\\.1|strip-ansi\": \"\\^?7\\.1\\.1|ansi-regex\": \"\\^?6\\.2\\.1|wrap-ansi\": \"\\^?9\\.0\\.1|color-convert\": \"\\^?3\\.1\\.1|color-name\": \"\\^?2\\.0\\.1|is-arrayish\": \"\\^?0\\.3\\.3|slice-ansi\": \"\\^?7\\.1\\.1|color\": \"\\^?5\\.0\\.1|color-string\": \"\\^?2\\.1\\.1|simple-swizzle\": \"\\^?0\\.2\\.3|supports-hyperlinks\": \"\\^?4\\.1\\.1|has-ansi\": \"\\^?6\\.0\\.1|chalk-template\": \"\\^?1\\.1\\.1|backslash\": \"\\^?0\\.2\\.1)\"' -AllMatches<\/code><\/pre>\n\n\n\n<p>Note that these patterns only match a declared range whose base is exactly the compromised version, such as <code>\"chalk\": \"^5.6.1\"<\/code>. They do not match the resolved <code>\"version\"<\/code> fields that package-lock.json records, so a project declaring <code>\"chalk\": \"^5.0.0\"<\/code> that installed during the attack window and resolved chalk 5.6.1 would not be flagged. Also check the versions actually installed with <code>npm ls chalk<\/code> (and likewise for the other packages) or by reading the lockfile directly.<\/p>\n\n\n\n<p>If you believe you were affected, we recommend resetting any passwords and API keys that were stored on the server in question.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional information:<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/news.ycombinator.com\/item?id=45169794\">https:\/\/news.ycombinator.com\/item?id=45169794<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack\/<\/a><\/li>\n<\/ul>\n","protected":false},"featured_media":10590,"template":"","class_list":["post-11004","publicacion","type-publicacion","status-publish","has-post-thumbnail","hentry"],"acf":{"activar_pdf_link":false,"pdf":null,"numero_de_boletin":"74","traffic_light_protocol":"White"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/beaconlab.us\/es\/wp-json\/wp\/v2\/publicacion\/11004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/beaconlab.us\/es\/wp-json\/wp\/v2\/publicacion"}],"about":[{"href":"https:\/\/beaconlab.us\/es\/wp-json\/wp\/v2\/types\/publicacion"}],"version-history":[{"count":4,"href":"https:\/\/beaconlab.us\/es\/wp-json\/wp\/v2\/publicacion\/11004\/revisions"}],"predecessor-version":[{"id":11016,"href":"https:\/\/beaconlab.us\/es\/wp-json\/wp\/v2\/publicacion\/11004\/revisions\/11016"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/beaconlab.us\/es\/wp-json\/wp\/v2\/media\/10590"}],"wp:attachment":[{"href":"https:\/\/beaconlab.us\/es\/wp-json\/wp\/v2\/media?parent=11004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
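The find/grep and Select-String commands in the Mitigation section of the advisory above only see declared version ranges. As an added example that is not part of the original advisory or of Kostas T's commands, the following Node.js code reads the resolved version fields of a parsed package-lock.json (lockfile v1, v2 and v3 layouts) and the pinned specs of a parsed package.json, and reports every entry that is one of the compromised versions listed in the advisory. The version table repeats the advisory's list (error-ex is omitted because the advisory gives no version for it). The lockfile and manifest objects in the block are constructed for the demonstration, not taken from a real project; to scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `scanLockfile` and the parsed package.json to `scanManifest`.

```javascript
// Added example (not from the advisory): find compromised package versions by
// reading the versions npm actually resolved, not just the declared ranges.

// Compromised versions as listed in the advisory (error-ex omitted: no version given).
const COMPROMISED = {
  backslash: ['0.2.1'], 'chalk-template': ['1.1.1'], 'supports-hyperlinks': ['4.1.1'],
  'has-ansi': ['6.0.1'], 'simple-swizzle': ['0.2.3'], 'color-string': ['2.1.1'],
  'color-name': ['2.0.1'], 'is-arrayish': ['0.3.3'], 'slice-ansi': ['7.1.1'],
  'color-convert': ['3.1.1'], 'wrap-ansi': ['9.0.1'], 'ansi-regex': ['6.2.1'],
  'supports-color': ['10.2.1'], 'strip-ansi': ['7.1.1'], chalk: ['5.6.1'],
  debug: ['4.4.2'], 'ansi-styles': ['6.2.2'], color: ['5.0.1'],
};

function isCompromised(name, version) {
  return (COMPROMISED[name] || []).includes(version);
}

// Package name from a lockfile v2/v3 'packages' key: the part after the last
// 'node_modules/' (keeps scoped names such as @scope/pkg intact).
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Scan a parsed package-lock.json. Returns [{ name, version, where }].
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map of install path -> metadata; the '' key is the root project.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '' || !entry.version) continue;
      const name = entry.name || nameFromLockKey(key);
      if (isCompromised(name, entry.version)) {
        hits.push({ name, version: entry.version, where: key });
      }
    }
  } else {
    // v1: nested tree under 'dependencies' (v2 keeps this tree too, but it
    // duplicates 'packages', so it is only walked when 'packages' is absent).
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const where = prefix + 'node_modules/' + name;
        if (entry.version && isCompromised(name, entry.version)) {
          hits.push({ name, version: entry.version, where });
        }
        walk(entry.dependencies, where + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Scan a parsed package.json. Only an exact pin (optionally prefixed with
// ^, ~, = or v) can be judged without the lockfile; wider ranges such as
// '^5.0.0' may still have resolved to a bad version, which scanLockfile catches.
function scanManifest(pkg) {
  const hits = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const bare = spec.length > 1 && '^~=v'.includes(spec[0]) ? spec.slice(1) : spec;
      if (isCompromised(name, bare)) hits.push({ name, version: bare, where: field });
    }
  }
  return hits;
}

// --- Constructed samples for the demonstration (assumption: not a real project) ---
const SAMPLE_LOCK_V3 = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { chalk: '^5.0.0', debug: '^4.3.0' } },
    'node_modules/chalk': { version: '5.6.1' },  // ^5.0.0 resolved into the bad version
    'node_modules/debug': { version: '4.3.7' },  // older, clean
    'node_modules/foo/node_modules/ansi-styles': { version: '6.2.2' }, // nested hit
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'strip-ansi': { version: '7.1.1', dependencies: { 'ansi-regex': { version: '6.1.0' } } },
    color: { version: '4.2.3' },
  },
};
const SAMPLE_MANIFEST = { dependencies: { chalk: '^5.0.0', 'wrap-ansi': '~9.0.1' } };

// scanLockfile(SAMPLE_LOCK_V3) reports chalk 5.6.1 and the nested ansi-styles 6.2.2;
// scanLockfile(SAMPLE_LOCK_V1) reports strip-ansi 7.1.1; scanManifest(SAMPLE_MANIFEST)
// reports wrap-ansi 9.0.1 but cannot judge chalk '^5.0.0' without the lockfile.
```

The `where` field is the install path, which tells you whether the hit is a direct dependency or was pulled in transitively (for example under `node_modules/foo/node_modules/`), the distinction the advisory's third impact condition draws. A hit in the lockfile means the bad version was resolved; whether it actually ran depends on when `npm install` last executed, so pair this with the `npm ls` check in the Mitigation section.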