Find notable cyber news and cases, enriched with sources, timelines, and signals.

Shai-Hulud 2.0 NPM malware self-propagation and destructive payload

Malware Activity
Happening score: 42
1 unique source, 1 article

Summary


The Shai-Hulud 2.0 malware spread through the NPM registry again last week, infecting hundreds of packages and expanding the risk of secret theft and destructive cleanup. The activity matters because it combined self-propagation, package republishing, and a payload that could wipe a home directory under certain conditions.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Timeline

  1. 02.12.2025 21:06 2 articles · 5mo ago

    Shai-Hulud 2.0 NPM malware exposure of 400,000 secrets

    Initial Disclosure

    Wiz said Shai-Hulud 2.0 infected over 800 NPM package versions, published stolen data in 30,000 GitHub repositories, and exposed around 400,000 raw secrets. The leak still included hundreds of valid secrets, with more than 60% of leaked NPM tokens still valid as of December 1st. The malware used TruffleHog without the `--only-verified` flag and also included a destructive payload that could wipe a victim’s home directory under certain conditions.
