On June 17 2025, Citrix published an advisory on two critical vulnerabilities in NetScaler ADC and NetScaler Gateway appliances [1]. They allow attackers to gain unauthorized access to certain parts of the system and cause an out-of-bounds read. We previously emailed you about these vulnerabilities and advised you to apply the patch quickly. Since then, the vulnerabilities have been exploited at scale, both by nation-state actors and by other actors. If you did not patch in time, you should assume your devices have been compromised and act accordingly.

 

Description 

On June 17, Citrix published details of the vulnerabilities in their products and made patches available. As early as June 20, a threat actor presumed to be a Chinese nation-state actor started exploiting the vulnerability in a targeted way [2]. On July 4, a public proof-of-concept exploit was published, which enabled anyone to develop exploits and scanners. Since then, numerous actors have exploited the vulnerability, and threat intelligence providers have used this wave of exploitation to retroactively identify exploitation prior to July 4, which produced the intelligence on the Chinese actors.

Impact 

The impact of this vulnerability is high: it allows attackers to obtain valid session tokens and hijack existing sessions, or set up new sessions with the privileges of the users associated with the stolen tokens. Exploitation is not trivial but not too hard either.

Risk 

If you did not patch your vulnerable NetScalers prior to July 4, you should assume they have been compromised. If you did not patch your vulnerable NetScalers prior to June 20 and you are potentially of interest to Chinese nation-state actors, you should investigate under the assumption of compromise.

Mitigation 

Follow the patching advice previously described in our TR [3].

What should you do? 

If you have not patched your vulnerable NetScaler devices yet, we recommend taking them offline immediately and investigating whether the devices, and the IT environment they give access to, have been compromised. The likelihood of compromise is high at this point, and attackers who gained access through these NetScaler devices have most likely had access to the systems behind them for some time.

If you patched after June 20, we recommend that you investigate your logs for signs of compromise using published indicators [4]. Additionally, you can search for a mismatch between the IP address that started a user session and the IP address from which user sessions were used. This mismatch is an indication of a session being hijacked by an attacker.
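The IP-mismatch check described above, as an added example that is not part of the original advisory: it pairs each session with the source IP that started it and flags sessions that were later used from a different IP, or that show activity without any recorded start in the examined window. The log lines and their field layout are constructed for this example and are not real NetScaler output; adapt `LINE_RE` to the session-start and activity events in your own NetScaler syslog before running it on real data.

```python
"""Flag sessions used from a different IP than the one that started them.

Added example. The log format below is constructed (NOT real NetScaler syslog);
only the parsing regex needs to change for a real export.
"""
import re
from collections import defaultdict

# Constructed sample lines: one normal session (alice), one session started
# from 198.51.100.7 but used from 192.0.2.55 (bob), and one session with
# activity but no start event in the window (carol).
SAMPLE_LOGS = """\
2025-06-22T08:01:10Z SESSION_START user=alice session=sess-1001 src=203.0.113.10
2025-06-22T08:05:42Z SESSION_ACTIVITY user=alice session=sess-1001 src=203.0.113.10
2025-06-22T08:07:03Z SESSION_START user=bob session=sess-1002 src=198.51.100.7
2025-06-22T08:09:15Z SESSION_ACTIVITY user=bob session=sess-1002 src=192.0.2.55
2025-06-22T08:11:00Z SESSION_ACTIVITY user=bob session=sess-1002 src=192.0.2.55
2025-06-22T08:12:30Z SESSION_ACTIVITY user=alice session=sess-1001 src=203.0.113.10
2025-06-22T08:15:00Z SESSION_ACTIVITY user=carol session=sess-1003 src=192.0.2.56
"""

# Assumed field layout; replace with the pattern of your own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>SESSION_START|SESSION_ACTIVITY) "
    r"user=(?P<user>\S+) session=(?P<session>\S+) src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_hijack_candidates(text):
    """Return findings for sessions whose activity IPs differ from the start IP,
    plus sessions that were used but never seen starting in this window."""
    origin = {}                    # session id -> IP that started it
    used_from = defaultdict(set)   # session id -> IPs seen in activity events
    users = {}                     # session id -> user name
    for rec in parse_lines(text):
        sid = rec["session"]
        users[sid] = rec["user"]
        if rec["event"] == "SESSION_START":
            origin[sid] = rec["src"]
        else:
            used_from[sid].add(rec["src"])

    findings = []
    for sid, ips in used_from.items():
        if sid not in origin:
            findings.append({"session": sid, "user": users[sid],
                             "reason": "no_start_seen",
                             "origin": None, "other_ips": sorted(ips)})
            continue
        others = sorted(ips - {origin[sid]})
        if others:
            findings.append({"session": sid, "user": users[sid],
                             "reason": "ip_mismatch",
                             "origin": origin[sid], "other_ips": others})
    return findings


if __name__ == "__main__":
    for finding in find_hijack_candidates(SAMPLE_LOGS):
        print(finding)
```

Treat a hit as a triage lead rather than proof: users behind changing NAT pools or on mobile networks legitimately change source IP mid-session, so correlate the flagged sessions with the published indicators [4] and with the time window in which the device was unpatched before escalating.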

If you spot anomalies in IP addresses in this way, or if you find signs of compromise using the recommended searches [4], we recommend that you contact our CERT for an investigation into a possible breach.

 

What will Northwave do? 

Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.  

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information. 

 
E-mail:
soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
 

Disclaimer applies, see below. 

Sources 

[1]: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420  

[2]: https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f

[3]: https://northwave-cybersecurity.com/threat-response-critical-vulnerabilities-in-citrix-netscaler-adc-and-netscaler-gateway

[4]: https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71

 


On 15 September 2025, several security researchers discovered a self-replicating worm on the npm open-source registry, named ‘Shai-hulud’. Infected versions contain a self-propagating mechanism that primarily targets other packages by the same maintainer, and focuses on stealing and exfiltrating secrets, credentials, and tokens embedded within those packages.
 
Description
The attack appears to be part of an ongoing malicious supply chain campaign known as the ‘Shai-hulud attack’. The exact start date of the campaign remains unclear. Currently, at least 477 different packages have been confirmed as compromised by the worm.
The npm packages are compromised through a self-spreading routine that adds a postinstall script to the package.json file. This script, named bundle.js, downloads and runs TruffleHog, an open-source tool that searches hosts for tokens and cloud credentials. The script validates and uses developer and CI credentials, creates a GitHub Actions workflow inside repositories, and exfiltrates the results to a hardcoded webhook: webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7.
 
Impact
We assess the impact of this attack as high, as multiple well-known and widely used npm packages have been compromised. This has led to the large-scale exfiltration of secrets and tokens from development environments by a threat actor.
 
Risk
The risk level is also considered high, due to the popularity of the affected npm packages and the worm’s active spreading mechanism, which could result in more packages being compromised in the coming days.
 
Mitigation
Please take the following steps to mitigate the risk:
  • Check the lists provided by aikido.dev [1] and socket.dev [2] to verify if any compromised packages are used in your software dependencies.
  • If affected, follow these remediation steps:
    • Immediately block outbound connections to webhook[.]site domains.
    • Audit CI/CD agents and developer machines for the presence of compromised packages.
    • Uninstall compromised packages and pin known-good versions. Do not update npm packages until verified patches are released.
    • Review and remove unnecessary GitHub Apps and OAuth applications.
    • Check deploy keys and repository secrets for all projects.
    • Audit all repository webhooks for unauthorized additions.
    • Reset all tokens, secrets, and credentials, as they should be considered compromised.
    • If developers are also maintainers of npm repositories, monitor logs for unusual npm publish or package modification events.
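An added example, not code from the original advisory, covering two of the checks above: comparing a project's package-lock.json against a list of known-compromised package@version pairs, and looking for install-time scripts in package.json that reference a bundle.js (the postinstall pattern described in the Description). The `COMPROMISED` set, the sample lockfile and the sample package.json are constructed placeholders; replace the set with the entries published by aikido.dev [1] and socket.dev [2], and point `audit_project` at a real checkout.

```python
"""Audit an npm project for known-compromised dependencies and bundle.js install hooks.

Added example. COMPROMISED, SAMPLE_LOCK and SAMPLE_PACKAGE_JSON are constructed
placeholders, not real data; load the published compromised-package lists instead.
"""
import json
import os

# Constructed placeholder entries in "name@version" form. NOT the real list.
COMPROMISED = {
    "example-left-pad@1.3.1",
    "example-colors@9.9.9",
}

# npm runs these hooks automatically on install; that is where the worm hides.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed lockfile (lockfileVersion 2/3 layout: a "packages" map keyed by path).
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-left-pad": {"version": "1.3.1"},
        "node_modules/safe-lib": {"version": "2.0.0"},
        # nested dependency: only reachable through safe-lib
        "node_modules/safe-lib/node_modules/example-colors": {"version": "9.9.9"},
    },
}

# Constructed package.json of an infected package: a postinstall hook runs bundle.js.
SAMPLE_PACKAGE_JSON = {
    "name": "example-left-pad", "version": "1.3.1",
    "scripts": {"postinstall": "node bundle.js", "test": "jest"},
}


def lockfile_entries(lock):
    """Return the set of "name@version" strings in a v2/v3 package-lock dict.
    Paths look like "node_modules/foo" or "node_modules/foo/node_modules/@s/bar";
    the part after the last "node_modules/" is the (possibly scoped) package name."""
    entries = set()
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:   # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        entries.add(f"{name}@{meta['version']}")
    return entries


def compromised_dependencies(lock, compromised=COMPROMISED):
    """Sorted list of lockfile entries that appear in the compromised set."""
    return sorted(lockfile_entries(lock) & compromised)


def suspicious_install_scripts(package_json):
    """Return (hook, command) pairs for install hooks whose command mentions bundle.js."""
    scripts = package_json.get("scripts", {})
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS
            if "bundle.js" in scripts.get(hook, "")]


def audit_project(root, compromised=COMPROMISED):
    """Audit a checked-out project: its lockfile plus every package.json under node_modules."""
    report = {"compromised": [], "install_hooks": []}
    lock_path = os.path.join(root, "package-lock.json")
    if os.path.exists(lock_path):
        with open(lock_path, encoding="utf-8") as fh:
            report["compromised"] = compromised_dependencies(json.load(fh), compromised)
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                try:
                    pkg = json.load(fh)
                except ValueError:
                    continue
            for hook, cmd in suspicious_install_scripts(pkg):
                report["install_hooks"].append((dirpath, hook, cmd))
    return report


if __name__ == "__main__":
    print(compromised_dependencies(SAMPLE_LOCK))
    print(suspicious_install_scripts(SAMPLE_PACKAGE_JSON))
```

The lockfile check deliberately matches on exact name@version pairs, since only specific published versions were trojanised; a plain name match would produce noise on every clean version of a popular package. The hook check is a coarse pattern (any install hook mentioning bundle.js) and should be treated as a lead for manual review, not a verdict.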
What Should You Do?
We recommend implementing the above mitigation steps as soon as possible. Please also inform developers and maintainers that npm packages are currently being actively infected. This means that new versions of their dependencies could become compromised in the coming days. We advise monitoring the list provided by aikido.dev [1] and socket.dev [2] to stay updated on newly discovered compromised packages.
Additionally, we recommend implementing regular credential rotation policies and using separate, limited-scope tokens for CI/CD pipelines to minimize potential risk.
 
What Will Northwave Do?
We will continue to monitor developments related to this attack. If new critical information arises, we will contact you. If you would like additional information, please feel free to call us or send an email.
 
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
 
Disclaimer applies, see below.
 
Sources 
 
 

 

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We will not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.
 
.