New Shai-Hulud 3.0 variant discovered, closing out 2025 with a malware bang

A new strain of the Shai-Hulud worm has been discovered by researchers, signaling that the self-propagating supply chain threat – responsible for a surge of attacks compromising NPM packages this fall – remains active and likely to continue impacting devs well into 2026.
- Shai-Hulud npm worm strikes again as third strain of malware is discovered in a single package by researchers.
- Updated techniques help the malware evade detection, adding to its ability to automatically infect additional packages.
- Threat actors are evolving tactics rapidly; experts warn similar attacks could multiply across software supply chains throughout 2026.
The “new and novel” strain of Shai-Hulud was detected embedded in a single npm package (@vietmoney/react-big-calendar), Aikido malware researcher Charlie Eriksen revealed in a blog post Tuesday morning, just 30 minutes after the discovery.
Eriksen, who has diligently published detailed reports on the two previous Shai-Hulud strains, says the malware appears to be an early-stage or testing deployment, rather than a live attack wave.
“At this time, there does NOT seem to be any major spread or infections. This suggests we may have caught the attackers testing their payload,” Eriksen said.
Still, the security researcher says, although the new variant is “highly unlikely to be a copy-cat,” it was clearly created by a threat actor with “access to the original source code for the worm.”
“The differences in the code suggest that this was obfuscated again from original source, not modified in place,” Eriksen notes.
Ever-evolving Shai-Hulud campaign
Initially depicted by Aikido in August as an S1ngularity campaign targeting several nx packages on npm, the first wave of Shai-Hulud attacks began on September 16th, followed by a fresh round of Shai-Hulud 2.0 attacks dubbed the “Second Coming” on November 24th.
Unlike traditional malicious packages, Shai-Hulud embeds itself directly into developer workflows, exposing the fragile software supply chain ecosystem. Its goal: harvesting sensitive credentials from developer environments.
Once installed, the malware executes during package installation, scans developer machines and CI/CD environments for secrets, publishes stolen credentials to public GitHub repositories, and then uses those credentials to compromise additional npm packages.
The original Shai-Hulud attack, allegedly contained on September 24th, compromised over 500 widely used npm packages and tens of thousands of GitHub repositories, prompting GitHub (which owns npm, the Node Package Manager for JavaScript, along with the npm registry and npm CLI) to enforce stricter authentication for publishing packages.
Taking advantage of the gap between disclosure of the worm and IT teams scrambling to migrate to trusted publishing, “the attacker seized the moment for one more hit before NPM’s deadline,” Eriksen had said about the second wave of attacks.
Bug identified in 3.0 variant
The new version of Shai-Hulud introduces a reorganized file structure, with renamed installer and payload components.
In addition, the malware now uses a new GitHub repository description when leaking data, replacing earlier identifiers – a likely attempt to evade detection methods based on known strings.
Furthermore, five new leaked file names suggest continued targeting of environment variables, cloud credentials, GitHub Actions secrets, and publishing tokens.
In addition to the several changes listed above, the threat actor also “made a bug in their code” in what appears to be an attempt to change a file name, thereby preventing the malware from functioning as intended.
According to Eriksen, the malware is supposed to retrieve the file “c0nt3nts.json,” but instead saves it under a new name, “c9nt3nts.json.”
Researchers also observed:
- Removal of a previously seen “dead man switch”
- Improved error handling during TruffleHog timeouts
- Version-dependent package publishing, now working on Windows
- Change in the order secret data is collected and saved
Foreshadows future attacks
Shai-Hulud isn’t gone, but the Aikido research emphasizes that the early detection of the potential third strain will likely prevent further testing or spread – at least for now.
Patrick Munch, CSO at Mondoo, a vulnerability management firm, believes that not only is this specific payload potentially extremely damaging, but it also foreshadows future similar attacks.
Munch agrees that even though the 3.0 variant has not yet begun to propagate, the latest strain indicates the operators were likely caught testing a new payload.
“Shai-Hulud 3.0 is an indiscriminate ‘fire and forget’ weapon with no way of calling off the attack. Its rapid evolution is a stark reminder that the software supply chain remains a primary target for threat actors,” Munch explains.
Those threats and previous onslaughts have triggered warnings from the US Cybersecurity and Infrastructure Security Agency (CISA) and multiple security firms, including Mondoo, which has published its own detailed analysis.
“Attacking the core of the software supply chain gives attackers a broad scope to harvest credentials and cause chaos. We expect to see a rise in similar high-impact attacks across multiple software development ecosystems,” Munch said.
Out of caution, previous recommendations include reviewing whether affected packages were installed and rotating any credentials present in impacted environments.
Developers had also been advised to monitor GitHub for repositories using the new description string, restrict npm install lifecycle scripts where possible, and enforce multi-factor authentication and scoped tokens for publishing workflows.
“This is a developing story. Stay tuned,” Eriksen says.