The Shai-Hulud malware campaign has expanded again after attackers compromised more than 600 npm packages during a new large-scale software supply-chain attack. Security researchers said the malicious packages targeted developer environments, CI/CD systems, cloud credentials, and authentication secrets tied to modern software workflows.

The latest campaign spread rapidly through the npm ecosystem and affected packages connected to widely used JavaScript development environments. Researchers warn that the operation represents another major escalation in the ongoing Shai-Hulud malware campaign targeting open-source infrastructure.

Attackers Uploaded Hundreds of Malicious npm Packages

Researchers said threat actors published hundreds of malicious package versions within a very short time window. Many compromised packages reportedly belonged to the @antv ecosystem, which includes libraries used for graph visualization, charting, mapping, and frontend development projects.

The Shai-Hulud malware focused heavily on stealing sensitive information from developer systems and CI/CD environments. Investigators said the payload attempted to collect GitHub credentials, authentication tokens, cloud API keys, cryptocurrency wallet information, and configuration files containing secrets.

Researchers also discovered that attackers used decentralized communication channels to exfiltrate stolen information, making detection and infrastructure takedowns more difficult. Some variants reportedly used compromised GitHub repositories as secondary exfiltration channels.

The infected packages could automatically execute malicious scripts during installation, allowing the malware to spread quickly through trusted development workflows and automated pipelines.

The Shai-Hulud Malware Campaign Keeps Evolving

The latest incident builds on earlier Shai-Hulud malware waves that previously compromised hundreds of npm packages and thousands of repositories across the open-source ecosystem.

Researchers said the operation has evolved significantly since earlier campaigns first appeared. Previous attacks reportedly targeted ecosystems connected to TanStack, Mistral AI, UiPath, and other major software environments.

Investigators also warned that newer Shai-Hulud malware variants contain stronger obfuscation techniques, persistence mechanisms, and expanded credential-harvesting functionality targeting cloud services and development platforms.

Some versions reportedly attempted to establish persistence through development tools and operating system services, allowing infections to survive restarts and certain remediation efforts.

Security researchers believe the attackers continue refining the malware to improve stealth, automate propagation, and increase the amount of sensitive information stolen from compromised environments.

Supply-Chain Attacks Continue Growing

The latest Shai-Hulud malware wave highlights the growing risks surrounding software supply-chain attacks targeting open-source ecosystems. Modern applications often depend on thousands of external packages, which creates major opportunities for attackers to compromise downstream systems through trusted dependencies.

Researchers warned that supply-chain attacks can spread extremely quickly because malicious packages may automatically propagate through development pipelines, cloud environments, and production systems before detection occurs.

Security experts advised organizations to audit dependencies immediately, rotate potentially exposed credentials, and monitor CI/CD environments for suspicious activity. Researchers also recommended restricting automatic dependency updates and strengthening controls around package publishing workflows.

The incident also demonstrates why developer ecosystems have become valuable targets for cybercriminals. Compromising a single trusted package can potentially expose thousands of organizations and cloud environments simultaneously.

Conclusion

The Shai-Hulud malware campaign continues expanding as attackers compromise hundreds of npm packages through increasingly sophisticated supply-chain attacks. Researchers said the latest wave targeted developer systems, CI/CD environments, cloud credentials, and authentication secrets connected to modern software workflows.

The incident also shows how cybercriminal groups continue refining supply-chain attack techniques to spread malware rapidly through trusted open-source ecosystems. As software dependencies remain deeply integrated into development environments, organizations face growing pressure to strengthen package security and monitor third-party software risks more aggressively.

