Shai-Hulud worm clone activity on NPM

Malware Activity
Happening score: 33
4 unique sources, 7 articles

Summary

The Shai-Hulud malware activity has continued to evolve across the npm supply chain and related developer ecosystems. It first infected npm packages in September 2025, self-replicated through developer installs, and stole npm tokens, SSH keys, API keys, and other secrets before publishing stolen credentials in public GitHub repositories. In November 2025, the campaign expanded into Maven through org.mvnpm:posthog-node:4.18.1, with the same payload components linked to compromised PostHog releases and more than 28,000 affected repositories. A later May 2026 wave showed clone activity after TeamPCP released the malware source code, including malicious NPM packages that targeted Axios users, reused worm logic, and in one case pulled infected machines into a DDoS botnet.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 · Last: 27.05.2026 18:44 · Sources: 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 · Last: 27.05.2026 18:44 · Sources: 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 · Last: 27.05.2026 14:48 · Sources: 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 · Last: 23.05.2026 23:48 · Sources: 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 · Last: 23.05.2026 23:48 · Sources: 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Timeline

  1. 18.05.2026 12:45 3 articles · 9d ago

    Shai-Hulud clones and malicious NPM packages surface after source-code release

    Initial Disclosure

    Shai-Hulud worm clones surfaced on GitHub only days after TeamPCP released the malware source code, and a threat actor published four malicious NPM packages targeting Axios users and the broader open source package ecosystem. One package, 'chalk-tempalte', was a direct clone of the worm and used its own C&C server and private key, while the others used typosquatting; the code stole credentials, API keys, tokens, and other secrets, republished malicious versions through victim-maintained packages, and in one case pulled infected machines into a DDoS botnet. The four packages had a combined weekly download count of over 2,600.

  2. 26.11.2025 20:08 2 articles · 6mo ago

    Shai-Hulud v2 expands from npm into Maven

    Campaign Scope Update

    Shai-Hulud v2 expanded from npm into Maven after a mirrored Maven Central artifact, `org.mvnpm:posthog-node:4.18.1`, was found to embed `setup_bun.js` and `bun_environment.js`, the same payload components linked to the wider campaign; the activity was also tied to compromised PostHog releases in both JavaScript/npm and Java/Maven ecosystems and to more than 28,000 affected repositories.

  3. 23.09.2025 12:20 1 article · 8mo ago

    GitHub hardens npm publishing after Shai-Hulud

    Mitigation Patch Update

    GitHub is tightening npm authentication and publishing controls in response to the Shai-Hulud supply-chain worm, deprecating legacy classic tokens and TOTP 2FA, shortening granular publishing tokens to seven days, defaulting publishing to trusted publishing or 2FA-enforced local publishing, removing the option to bypass 2FA, and expanding trusted publishing providers.

  4. 16.09.2025 17:08 1 article · 8mo ago

    Shai-Hulud worm first compromises NPM packages

    Exploitation Observed

    Shai-Hulud infected NPM packages and began self-replicating through developer installs, stealing npm tokens, SSH keys, API keys, and other secrets before publishing stolen credentials in public GitHub repositories. The first compromised NPM package was altered around 17:58 UTC on Sept. 14, and CrowdStrike-managed packages were briefly affected before malicious versions were removed.
