Find notable cyber news and cases, enriched with sources, timelines, and signals.

Shai Hulud modified npm strain in @vietmoney/react-big-calendar

Malware Activity
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

A modified Shai Hulud strain surfaced in the npm registry inside @vietmoney/react-big-calendar, raising supply-chain risk even though observed spread remained limited. The package was updated to 0.26.2 on December 28, 2025, and the code changes suggest the payload was tested rather than broadly deployed. Earlier Shai Hulud waves in September and November 2025 stole API keys, cloud credentials, and npm/GitHub tokens, then exfiltrated them to GitHub repositories. The malware also uses stolen npm tokens to republish other popular packages, creating a worm-like mechanism for wider compromise.

Related Happenings

Shai-Hulud PyPI supply-chain malware activity

Malware Activity
H score22 First: 08.06.2026 23:41 Last: 08.06.2026 23:41 Sources 1

About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score68 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
H score75 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...

Timeline

  1. 31.12.2025 15:29 1 articles · 6mo ago

    @vietmoney/react-big-calendar updated with modified Shai Hulud

    Technical Analysis Update

    The npm package @vietmoney/react-big-calendar was updated on December 28, 2025 to version 0.26.2 and carried a modified Shai Hulud strain, including the bun_installer.js initial file, the environment_source.js payload, better error handling when TruffleHog's credential scanner times out, improved operating system-based package publishing, and changes to the order of data collection and saving.

    Show sources
  2. 31.12.2025 15:29 2 articles · 6mo ago

    Researchers disclose modified Shai Hulud strain

    Initial Disclosure

    Researchers identified a modified Shai Hulud strain in the npm registry embedded in @vietmoney/react-big-calendar, and Aikido had not observed major spread or infections after the release; Charlie Eriksen said the differences in the code suggest the payload was obfuscated again from the original source and may have been tested rather than broadly deployed.

    Show sources