Find notable cyber news and cases, enriched with sources, timelines, and signals.

Shai-Hulud 2.0 NPM malware self-propagation and destructive payload

Malware Activity
First reported
Last updated
Happening score
H score 47
1 unique sources, 1 articles

Summary

Hide ▲

The Shai-Hulud 2.0 malware spread through the NPM registry again last week, infecting hundreds of packages and expanding the risk of secret theft and destructive cleanup. The activity matters because it combined self-propagation, package republishing, and a payload that could wipe a home directory under certain conditions.

Related Happenings

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Miasma GitHub and npm supply-chain campaign

Campaign
H score26 First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
H score22 First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Timeline

  1. 02.12.2025 21:06 2 articles · 7mo ago

    Shai-Hulud 2.0 NPM malware exposure of 400,000 secrets

    Initial Disclosure

    Wiz said Shai-Hulud 2.0 infected over 800 NPM package versions, published stolen data in 30,000 GitHub repositories, and exposed around 400,000 raw secrets; the leak still included hundreds of valid secrets, with more than 60% of leaked NPM tokens still valid as of December 1st, and the malware used TruffleHog without the `-only-verified` flag while also including a destructive payload that could wipe a victim’s home directory under certain conditions.

    Show sources