ADVERTISEMENT

New Shai-Hulud 3.0 variant discovered, closing out 2025 with a malware bang

A new strain of the Shai-Hulud worm has been discovered by researchers, signaling that the self-propagating supply chain threat – responsible for a surge of attacks compromising NPM packages this fall – remains active and likely to continue impacting devs well into 2026.

npm logo breaking the number 2025
Stefanie Schappert
Stefanie Schappert Senior Journalist
Dec 30, 2025 Updated: 31 December 2025 3 min read
Key takeaways:

Ever-evolving Shai-Hulud campaign

npm package compromise
Image by Cybernews.

Bug identified in 3.0 variant

ADVERTISEMENT
Shai-Hulud 3.0 strain
Shai-Hulud 3.0 strain. (R to L) New file names, new GitHub repository description, new file name bug. Images by Aikido.
  • Removal of a previously seen “dead man switch”
  • Improved error handling during TruffleHog time outs
  • Version-dependent package publishing, now working on Windows
  • Change in the order secret data is collected and saved

Foreshadows future attacks

Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Add us as your Preferred Source on Google.
Shai-Hulud attack  The Second Coming
Shai-Hulud attack: The Second Coming. Images by Aikido.

ADVERTISEMENT