
npm Worm Shai-Hulud: Attack of the Clones

(Image: Imilian/Shutterstock.com)

The malware authors behind the npm worm Shai-Hulud have published its source code. Now the first clones are appearing.

This is an unusual open-source project: the masterminds behind the cybercriminal group TeamPCP have published the source code of the npm worm Shai-Hulud on GitHub. On the underground forum BreachForums they have also organized a competition and called on other criminals to get started with the code. In a blog post, IT researchers from Mondoo [1] write that just a few days later the first clones appeared on npm. A lone attacker, for example, uploaded four malicious packages at once: an almost identical copy of Shai-Hulud with its own command-and-control infrastructure, plus three typosquatting variants of “Axios”. They contain botnet functions that enrol infected systems into a DDoS network. The target is programmers with fat fingers, the researchers explain. The number of weekly downloads is currently around 2,600, which is indeed little for npm packages. OX Security lists a few more copies [2]. A flood of npm worm packages is to be expected, as many interested parties can now build on the source code.

Current Shai-Hulud supply chain attack

This is also consistent with Microsoft Threat Intelligence investigating an emerging “mini-Shai-Hulud” supply chain attack, as the group explains on Bluesky [3]. The attackers are targeting “antv”: they managed to compromise a project maintainer’s account and published infected versions of widely used packages such as “antv/g2”. These packages are widely used as dependencies, and the compromised versions propagated into libraries such as “echarts-for-react”, affecting a large range of apps and build systems. Here, too, the malicious code searches for and exfiltrates credentials. Coveted targets are personal GitHub access tokens, OpenID tokens, Amazon AWS access credentials and security tokens, SSH keys, Kube configurations, and other Software-as-a-Service tokens, writes Microsoft. However, Microsoft does not mention a connection to the Shai-Hulud open-source code.

npm Worm Shai-Hulud

The npm worm Shai-Hulud targets software developers. In so-called supply chain attacks, the malicious code is embedded in npm packages that programmers integrate into their projects. To get there, malware authors typically rely on names that resemble popular packages or on typosquatting variants of the names of genuine packages. Once the malicious npm packages are integrated, the malicious code runs as well. Shai-Hulud 2 stole more than 27,000 credentials last November [4]. This allows the attackers to abuse costly cloud-provider resources, conduct espionage, and infect further packages.

(dmk [6])

URL of this article: https://www.heise.de/-11299094

Links in this article:

[1] https://mondoo.com/de/blog/shai-hulud-clones-arrive-when-worm-source-code-goes-open-source
[2] https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/
[3] https://bsky.app/profile/threatintel.microsoft.com/post/3mm6v564n5s23
[4] https://www.heise.de/news/Shai-Hulud-2-Neue-Version-des-NPM-Wurms-greift-auch-Low-Code-Plattformen-an-11089607.html
[5] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[6] mailto:dmk@heise.de

Copyright © 2026 Heise Medien
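The article describes typosquatting of names like “Axios” and the unscoped look-alikes of scoped packages such as “antv/g2” as the way these packages reach a project. A defender can screen a manifest for exactly that pattern before installing anything. The following is an added example, not code from the heise article nor from Mondoo, OX Security or Microsoft: it compares every dependency name in a package.json against a short list of popular package names and reports names that are not on the list but lie within a small edit distance of one. The popular-package list, the sample manifest and the distance threshold are assumptions constructed for this example.

```javascript
// Added example (not from the article or the cited researchers): a typosquat
// screen for dependency names in a package.json. Popular-package list, sample
// manifest and threshold are constructed assumptions.

// Constructed allow-list of well-known names. A real screen would use a much
// larger list, e.g. the top-N npm packages by download count.
const POPULAR_PACKAGES = ['axios', 'lodash', 'express', 'react', 'echarts-for-react', '@antv/g2'];

// Optimal string alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1. Transpositions matter because swapped
// letters ("axois" for "axios") are the classic fat-finger typo.
function damerauLevenshtein(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, () => new Array(cols).fill(0));
  for (let i = 0; i < rows; i++) d[i][0] = i;
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1, // deletion
        d[i][j - 1] + 1, // insertion
        d[i - 1][j - 1] + cost, // substitution
      );
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Return the popular name closest to `name` together with its distance.
function closestPopular(name, popular) {
  let best = null;
  for (const candidate of popular) {
    const distance = damerauLevenshtein(name.toLowerCase(), candidate.toLowerCase());
    if (best === null || distance < best.distance) best = { lookalike: candidate, distance };
  }
  return best;
}

// Scan dependencies and devDependencies of a parsed package.json. A finding is
// a name that is not itself on the popular list but is within `maxDistance`
// of one; the genuine package is never reported.
function scanManifest(manifest, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const exact = new Set(popular.map((p) => p.toLowerCase()));
  const names = Object.keys({ ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) });
  const findings = [];
  for (const name of names) {
    if (exact.has(name.toLowerCase())) continue;
    const best = closestPopular(name, popular);
    if (best && best.distance <= maxDistance) {
      findings.push({ name, lookalike: best.lookalike, distance: best.distance });
    }
  }
  return findings;
}

// Constructed sample manifest: two genuine packages, two transposition
// typosquats, an unscoped look-alike of a scoped package, and one unrelated name.
const SAMPLE_MANIFEST = {
  dependencies: {
    axios: '^1.6.0',
    axois: '1.0.3',
    lodash: '^4.17.21',
    lodsah: '0.0.1',
    'antv-g2': '5.0.0',
    semver: '^7.5.4',
  },
};

for (const f of scanManifest(SAMPLE_MANIFEST)) {
  console.log(`suspicious dependency "${f.name}" resembles "${f.lookalike}" (distance ${f.distance})`);
}
```

Run with `node` on a real manifest by replacing `SAMPLE_MANIFEST` with `JSON.parse(fs.readFileSync('package.json'))`. The threshold of 2 is a trade-off: a larger value catches more variants but also flags short legitimate names, so a production screen would pair the distance check with a download-count or package-age signal rather than rely on name similarity alone.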

heise security News
