Shai Hulud modified npm strain in @vietmoney/react-big-calendar
Malware Activity
Summary
Hide ▲
Show ▼
A modified Shai Hulud strain surfaced in the npm registry inside @vietmoney/react-big-calendar, raising supply-chain risk even though observed spread remained limited. The package was updated to 0.26.2 on December 28, 2025, and the code changes suggest the payload was tested rather than broadly deployed. Earlier Shai Hulud waves in September and November 2025 stole API keys, cloud credentials, and npm/GitHub tokens, then exfiltrated them to GitHub repositories. The malware also uses stolen npm tokens to republish other popular packages, creating a worm-like mechanism for wider compromise.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Jason Saayman hit by network compromise
Incident
First: 31.03.2026 16:53
Last: 31.03.2026 16:53
Sources 1
About this happening:
The **Axios** npm package was compromised after maintainer **Jason Saayman**'s **npm account** was taken over, and malicious versions were published to the registry. The release c...
Jason Saayman hit by network compromise
IncidentAbout this happening: The **Axios** npm package was compromised after maintainer **Jason Saayman**'s **npm account** was taken over, and malicious versions were published to the registry. The release c...
Latest development: 01.04.2026 12:00
Google Threat Intelligence Group attributed the Axios npm supply-chain compromise to UNC1069, citing the use of WAVESHAPER.V2 and describing the actor as financially motivated and North Korea-nexus. GTIG also warned that malicious axios releases v1.14.1 and v0.30.4, delivered through Jason Saayman’s compromised account and plain-crypto-js, could have a broad blast radius across dependent packages and developer environments.
Timeline
-
31.12.2025 15:29 1 articles · 4mo ago
@vietmoney/react-big-calendar updated with modified Shai Hulud
Technical Analysis UpdateThe npm package @vietmoney/react-big-calendar was updated on December 28, 2025 to version 0.26.2 and carried a modified Shai Hulud strain, including the bun_installer.js initial file, the environment_source.js payload, better error handling when TruffleHog's credential scanner times out, improved operating system-based package publishing, and changes to the order of data collection and saving.
Show sources
- Researchers Spot Modified Shai-Hulud Worm Testing Payload on npm Registry — thehackernews.com — 31.12.2025 15:29
-
31.12.2025 15:29 2 articles · 4mo ago
Researchers disclose modified Shai Hulud strain
Initial DisclosureResearchers identified a modified Shai Hulud strain in the npm registry embedded in @vietmoney/react-big-calendar, and Aikido had not observed major spread or infections after the release; Charlie Eriksen said the differences in the code suggest the payload was obfuscated again from the original source and may have been tested rather than broadly deployed.
Show sources
- Researchers Spot Modified Shai-Hulud Worm Testing Payload on npm Registry — thehackernews.com — 31.12.2025 15:29
- Researchers Spot Modified Shai-Hulud Worm Testing Payload on npm Registry — thehackernews.com — 31.12.2025 15:29