Infamous Shai-hulud Worm Resurfaces From the Depths


These articles are AI-generated summaries. Please check the original sources for full details.

The Shai-hulud worm has resurfaced, compromising over 25,000 repositories and adding destructive capabilities that delete user files if credentials cannot be stolen. Researchers said this campaign introduces a new variant that executes malicious code during the npm preinstall lifecycle step, significantly increasing potential exposure in build and runtime environments.

Why This Matters

The technical reality of supply chain attacks contrasts sharply with ideal models of secure software development. While npm and other package managers aim to ensure trusted dependencies, Shai-hulud abuses lifecycle scripts (e.g., preinstall), which run automatically during installation, to execute malware and bypass traditional security checks. The scale of this attack, with 25,000+ repositories targeted, highlights systemic weaknesses in open source ecosystems: credentials and tokens are often stored insecurely, enabling rapid, self-replicating infections.

Key Insights

  • “25,000+ repositories compromised by Shai-hulud, 2025” (Wiz Research)
  • “Destructive fallback deletes user home directories if credentials fail to exfiltrate” (Koi Security)
  • “NPM requires scoped, short-lived tokens to mitigate supply chain risks” (Koi Security CTO Idan Dardikman)

Practical Applications

  • Use Case: ENS Domains, PostHog, and Postman repositories infected via poisoned npm packages
  • Pitfall: Storing long-lived tokens in plaintext increases risk of credential theft and sabotage
