Npm Worm Attack Returns, Compromises 25,000 Repos in Days


According to TheRegister.com, a wormable npm malware campaign dubbed “Shai-Hulud” has returned with a new variant that compromised over 25,000 developer repositories within just three days. The attack, which began on November 21, targeted popular packages including Zapier, AsyncAPI, ENS Domains, PostHog, and Postman – several with thousands of weekly downloads. Wiz researchers reported that at its peak, 1,000 new repositories were being compromised every 30 minutes as of Monday morning. The malware scans infected machines for AWS, GCP, Azure, and GitHub credentials before publishing them to victims’ own GitHub repositories. GitHub is actively deleting compromised repos but struggles to keep pace with the worm’s rapid spread.


Why this matters

Here’s the thing about supply chain attacks: they exploit trust. Developers assume that packages from the official registry are safe, but once attackers compromise a maintainer account they can trojanize a legitimate package that looks completely genuine. The real kicker with this variant? The malicious code runs in npm’s preinstall lifecycle phase, which means it executes automatically, with the privileges of whoever (or whatever CI job) runs `npm install`, before the dependency is ever imported by your code. Wiz warns this could “significantly” increase exposure in build and runtime environments. Basically, your CI/CD pipeline could be compromised before you even realize what’s happening. The practical question for any build is whether it needs install scripts at all: `npm ci --ignore-scripts` disables them, and the few packages that genuinely need a native build step can be rebuilt deliberately rather than trusted by default.

The broader context

This isn’t an isolated incident. We’ve seen a steady drumbeat of npm supply chain attacks over the past year, sometimes affecting hundreds of thousands of packages. The original Shai-Hulud attack in September infected more than 500 packages. So why does this keep happening? Part of it comes down to the fundamental tension between developer convenience and security. The npm ecosystem thrives on frictionless publishing, automatic dependency resolution and install-time scripts, but that same openness is the attack surface a worm needs: every compromised maintainer becomes a way to trojanize the packages they control, and every developer who installs one of those packages becomes the next host.

What developers should do

If you’re using any of the affected packages, you need to act fast. Clear your npm cache (`npm cache clean --force`) and pin dependencies back to versions published before November 21, then reinstall from a clean lockfile. Rotate every credential that could have been present on an infected machine or CI runner: AWS, GCP, Azure, GitHub, npm tokens, everything. Check your GitHub account for new repositories you didn’t create, commits referencing “hulud”, and npm publications you didn’t make. The most obvious red flag? A repository under your account whose description contains “Shai-Hulud”. But honestly, by the time you see that, the credentials have already left: treat it as confirmation that rotation is overdue, not as an early warning.

The bigger picture

Both GitHub and npm are taking steps to tighten security. GitHub overhauled npm’s authentication options, moving two-factor authentication for publishing from time-based one-time codes to FIDO-based methods and deprecating legacy tokens. Npm has disabled classic token creation and will revoke all existing classic tokens on December 9, so any pipeline still publishing with one needs a replacement token before that date or it will simply stop working. These are good moves, but they feel like playing catch-up. The fundamental problem remains: we’re building complex software ecosystems on foundations that weren’t designed with today’s threat landscape in mind. Until we address that core issue, we’ll keep seeing variations of this same attack pattern. The question isn’t if there will be a Shai-Hulud 3.0, it’s when.
