【CyCraft Monthly Intelligence】The Return of Shai Hulud: Analyzing New Variants of npm Supply Chain Attacks

Threat and Impact

On December 28, 2025, the Aikido Security team detected a new variant of the Shai Hulud worm uploaded to the npm package @vietmoney/react-big-calendar. This marks the third similar incident within six months. This series of persistent attacks highlights the continuous evolution of supply chain threats and their significant impact on the software ecosystem.

Analyst Perspective

The detection of this new Shai Hulud variant is a critical milestone in the ongoing battle against supply chain attacks. It serves as a stark reminder for defenders to implement robust security practices, including regular audits, secure coding standards, and rigorous monitoring of third-party dependencies. By staying informed and proactive, the cybersecurity community can more effectively defend against ever-changing cyber threats.

Incident Description

The new variant exhibits several innovative changes in its code and behavior. The primary target was the @vietmoney/react-big-calendar package, which was tampered with to include a malicious payload. Upon installation, the bun_installer.js script executes automatically, followed by environment_source.js, which contains the core malicious logic.

Industry Impact

This incident has profound implications across various sectors, particularly those heavily reliant on open-source libraries and package managers. The successful deployment of a worm through a popular npm package underscores the vital importance of supply chain security measures. Organizations utilizing this package or similar components may be exposed to risks of unauthorized access and data breaches, potentially leading to the compromise of sensitive information.

Specific Changes

  • File Name and Structure:
    • The initial execution file is now named bun_installer.js (previously different).
    • The primary payload is now referred to as environment_source.js.
    • New filenames have been introduced, including 3nvir0nm3nt.json, cl0vd.json, c9nt3nts.json, pigS3cr3ts.json, and actionsSecrets.json.
  • GitHub Repository Description:
    • The new variant uses a different description for the GitHub repositories used for exfiltration, changing from "Sha1-Hulud: The Second Coming" to "Goldox-T3chs: Only Happy Girl".
  • Error Handling and Dead Man Switch:
    • A coding error exists: the malware attempts to fetch c0nt3nts.json from GitHub but saves it locally as c9nt3nts.json.
    • The Dead Man Switch (a self-destruct mechanism triggered when remote resources are inaccessible) present in earlier versions appears to have been removed.
  • Code Modifications:
    • The code has undergone obfuscation to masquerade as unmodified code derived from the original source.
    • Specific changes were made to the sequence of data collection and storage; for example, 3nvir0nm3nt.json is stored first, while environment.json is saved last.

Security Insights

The shifts in the malware’s file structure and behavior represent an increase in attacker sophistication. While the filename mismatch and the removal of the dead man switch suggest operational errors, the new naming conventions and descriptions indicate a deliberate attempt to evade detection and maintain persistence. These tactics emphasize the critical need for continuous monitoring and the constant updating of security measures.

Technical Details

The new Shai Hulud variant has been detected within the @vietmoney/react-big-calendar npm package, exhibiting key structural and behavioral shifts compared to previous versions. At the core of this incident is the attacker’s deliberate use of code obfuscation and modification to evade detection and maintain persistence.

Initial Access

Initial access was achieved through the distribution of the @vietmoney/react-big-calendar npm package, which contained malicious bun_installer.js and environment_source.js files.

Execution

The bun_installer.js script triggers automatically during the package installation process, subsequently executing the environment_source.js payload. This script leverages the Bun runtime environment to run the primary payload, scanning and accessing sensitive information on the local system.

Defense Evasion

The malware employs obfuscation, new file naming conventions, and structural changes to bypass signature-based detection designed for older versions.

Credential Access

The malware acquires critical credentials by scanning the local system for API tokens, cloud credentials, and CI secrets, which are later exfiltrated to attacker-controlled infrastructure.

Discovery

The malware performs discovery by scanning the local system for sensitive information, including environment variables, cloud provider credentials, and tokens for platforms like npm and GitHub.

Collection

The malware scans the local system and aggregates the collected data into the following files before exfiltration:

  • 3nvir0nm3nt.json
  • cl0vd.json
  • c9nt3nts.json
  • pigS3cr3ts.json
  • actionsSecrets.json

Exfiltration

The malware writes sensitive information to the disk before transmitting it to infrastructure under the attacker's control.

Conclusion

The discovery of this new Shai Hulud variant in the @vietmoney/react-big-calendar npm package demonstrates highly sophisticated malware distribution and exfiltration techniques. The use of obfuscation and the modification of previous error-handling mechanisms are key indicators of the attacker's intent to maintain long-term access while evading detection. Understanding these technical details is vital for developing effective mitigation strategies and hardening systemic security.

Mitigation

Given the nature of the Shai Hulud incident, we recommend that organizations adopt the following mitigation strategies to strengthen security postures, enhance monitoring capabilities, and ensure the robustness of software development lifecycles.

Enhanced Code Review and Security Testing

Implement a rigorous Code Review process to identify and remediate vulnerabilities early. Regular security testing—including Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)—can detect code obfuscation or other malicious patterns. Tools such as SonarQube, CodeQL, and Veracode should be integrated into the development pipeline to automate these checks.

Continuous Monitoring and Threat Detection

Leverage advanced threat detection tools and continuous monitoring systems to identify suspicious activity in real time. We recommend using solutions like Splunk, ELK Stack, and Cortex XDR to monitor logs, network traffic, and system events for anomalies. Implementing machine learning models can further enhance the detection of sophisticated threats.

Secure Software Development Lifecycle (Secure SDLC)

Adopting a Secure SDLC framework ensures security is baked into the development process. Key measures include:

  • Secure Coding Standards: Training developers on secure coding practices and industry best practices.
  • Patch Management: Ensuring all dependencies are up to date and regularly patched.
  • Automated Testing: Incorporating automated security testing into the CI/CD pipeline.

Access Control and the Principle of Least Privilege (PoLP)

Implementing strict access control policies and adhering to the Principle of Least Privilege can limit the blast radius of an attack:

  • Role-Based Access Control (RBAC): Assigning roles based on the minimum level of access required to perform a task.
  • Multi-Factor Authentication (MFA): Enforcing MFA across all critical systems and accounts.

Encryption and Data Protection

Utilize encryption to safeguard sensitive data against unauthorized access and exfiltration:

  • End-to-End Encryption (E2EE): Encrypting all sensitive communications.
  • Data at Rest Encryption: Encrypting stored data to prevent theft or exposure.

Incident Response Plan (IRP)

Develop and maintain an Incident Response Plan to enable quick and effective action during a security event. The plan should include:

  • Detection and Notification: Mechanisms to detect incidents and alert relevant stakeholders.
  • Containment and Eradication: Steps to contain the threat and remove malware.
  • Recovery and Lessons Learned: Plans to restore systems and processes, while utilizing insights to improve future defenses.

Third-Party Risk Management (TPRM)

Assess and manage risks associated with third-party vendors and partners:

  • Vendor Risk Assessment: Regularly evaluating the security posture of third-party providers.
  • Contractual Obligations: Incorporating specific security requirements into vendor contracts.

Automated Deployment and Continuous Integration

Implement automated deployment and continuous integration to ensure all changes are tested and validated prior to deployment:

  • CI/CD Pipelines: Using pipelines to automate testing and deployment workflows.
  • Automated Deployment Scripts: Scripting the deployment process to minimize manual errors.

Regular Audits and Penetration Testing

Conducting periodic audits and penetration tests helps identify and resolve underlying vulnerabilities:

  • Internal Audits: Performing internal assessments to evaluate the overall security state.
  • Penetration Testing: Executing regular penetration tests to simulate real-world attacks.

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
