First Shai-Hulud Worm Clones Emerge
The Shai-Hulud Worm Resurfaces: New Clones Emerge Following Public Release of Source Code
The Shai-Hulud worm, initially used in supply chain attacks targeting the open-source software ecosystem in September 2025 and again in November of the same year, has resurfaced in recent weeks.
New Clones Emerge After Public Release of Source Code
The malware’s reemergence follows the public release of its source code on GitHub by the TeamPCP hacking group, which had been linked to earlier campaigns involving the Trivy, Bitwarden, Checkmarx, SAP, and TanStack incidents.
A Threat Actor Publishes Infostealer Malware Packages
According to researchers at Ox Security, a threat actor published four npm packages containing infostealer malware, including one that contains the Shai-Hulud code.
“We’re now seeing a single actor with multiple techniques and infostealer types spreading malicious code onto npm,” Ox warns. “This is just the first phase of an upcoming wave of supply chain attacks.”
Malicious Packages Gain Over 10,000 Weekly Downloads
The four packages – ‘axios-util’, ‘axois-utils’, ‘chalk-tempalte’, and ‘color-style-utils’ – have a combined weekly download count of over 10,000.
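A check for the four package names above, written for this article as an added example (it is not Ox Security's tooling). It walks a parsed package-lock.json in both the nested lockfileVersion 1 layout and the flat `packages` layout of versions 2 and 3, and also catches npm aliases that install a flagged package under another folder name. The sample lockfiles, the benign package names, and the version strings are constructed.

```javascript
// Package names reported as malicious in the article.
const FLAGGED = new Set(['axios-util', 'axois-utils', 'chalk-tempalte', 'color-style-utils']);

// "node_modules/a/node_modules/@s/b" -> "@s/b"; non-node_modules paths are returned as-is.
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Return every install location of a flagged package in a parsed lockfile.
function findFlagged(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    // meta.name is set when the folder name differs from the real package (npm alias).
    const name = meta.name || nameFromPath(path);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, where: path });
  }
  // lockfileVersion 1: nested tree. Skipped when "packages" exists to avoid duplicates.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, where: here.join(' > ') });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/safe-lib': { version: '1.0.0' },
    'node_modules/safe-lib/node_modules/chalk-tempalte': { version: '0.0.0-example' },
    'node_modules/http-helper': { name: 'axois-utils', version: '0.0.0-example' },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'left-lib': { version: '1.0.0', dependencies: { 'axios-util': { version: '0.0.0-example' } } },
  },
};

for (const hit of [...findFlagged(SAMPLE_V3), ...findFlagged(SAMPLE_V1)]) {
  console.log(`FLAGGED ${hit.name}@${hit.version} at ${hit.where}`);
}
```

To scan a real project, pass the result of `JSON.parse` on its package-lock.json to `findFlagged`; a hit on a transitive path means the flagged package arrived through another dependency rather than a direct install.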
Researchers Warn of Impending Wave of Supply Chain Attacks
Researchers warn that this is merely the initial phase of an impending wave of supply chain attacks. Their analysis of the source code reveals familiar patterns from previous Shai-Hulud attacks, including the uploading of stolen credentials to a new GitHub repository.
