New 'Shai Hulud' malware targets npm ecosystem: What to know
India's national cybersecurity agency, CERT-In, has flagged a self-propagating worm called Shai Hulud that targets the npm ecosystem, the package registry that JavaScript projects and millions of developers depend on.
The worm plants a malicious script in the package versions it publishes, so every project that installs one of those versions runs attacker code, and the infection spreads from package to package with serious software supply chain consequences.
Here's how the worm works
It all starts with phishing attacks that steal npm maintainer credentials.
Once in, the attackers publish infected versions of the victim's packages that carry a bundle.js file. When it runs, it harvests secrets such as GitHub tokens and cloud credentials, using the open-source secret scanner TruffleHog to find them.
The stolen secrets are pushed to public GitHub repositories named "Shai-Hulud", which the worm creates with the stolen GitHub credentials and the attackers then collect from. Any npm tokens it finds are used to publish further infected package versions from the compromised accounts, so the worm propagates on its own and is hard to contain.
CERT-In's recommendations for developers
CERT-In says anyone building with npm, especially startups, fintechs and e-Governance teams, should watch for two things: stolen credentials, and code running in their projects that nobody authorized.
Their advice: audit your dependencies often, rotate credentials regularly (the npm, GitHub and cloud tokens the worm targets), turn on phishing-resistant multi-factor authentication, tighten GitHub security settings, watch for unusual network activity, and check your repositories for anything you did not create.
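Turning the description of the worm above and CERT-In's "audit your dependencies" advice into something you can run: the script below is an added example, not code from CERT-In or from any npm tooling. It walks an installed node_modules tree and flags packages that declare an npm lifecycle install script (the only way a package can run code on your machine at install time) or that ship a file named bundle.js at the package root, the payload file name reported for this worm. Both indicators are heuristics chosen for this example, not an authoritative indicator list, and the two packages in the sample tree (left-pad-ish and @acme/widgets) are constructed fixtures, not real packages.

```python
import json
import sys
import tempfile
from pathlib import Path

# Heuristics for this example (assumptions, not an official IoC list):
# npm runs these scripts automatically during `npm install`, and infected
# Shai Hulud package versions were reported to carry a bundle.js payload.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
PAYLOAD_NAME = "bundle.js"


def audit_package(pkg_dir: Path) -> list[str]:
    """Return findings for one installed package directory (empty list if clean)."""
    findings: list[str] = []
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return findings
    try:
        meta = json.loads(manifest.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return [f"{pkg_dir.name}: unreadable package.json"]
    label = meta.get("name") or pkg_dir.name
    scripts = meta.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any install-time hook deserves review; one that invokes the known
        # payload file name is a strong signal.
        severity = "HIGH" if PAYLOAD_NAME in cmd else "INFO"
        findings.append(f"{label}: {severity} {hook} script -> {cmd!r}")
    if (pkg_dir / PAYLOAD_NAME).is_file():
        findings.append(f"{label}: HIGH ships {PAYLOAD_NAME} at package root")
    return findings


def audit_node_modules(root: Path) -> list[str]:
    """Walk a node_modules tree (scoped and nested packages included) and collect findings."""
    findings: list[str] = []
    for manifest in root.rglob("package.json"):
        pkg_dir = manifest.parent
        # Only package roots: their parent is node_modules/ or an @scope/ directory.
        parent = pkg_dir.parent.name
        if parent != "node_modules" and not parent.startswith("@"):
            continue
        findings.extend(audit_package(pkg_dir))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Construct a throwaway node_modules with one clean and one suspicious package.

    Both package names are made up for this example; the bundle.js written here
    is an inert placeholder, not the real payload.
    """
    root = Path(tempfile.mkdtemp()) / "node_modules"
    clean = root / "left-pad-ish"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "version": "1.0.0", "main": "index.js"}))
    (clean / "index.js").write_text("module.exports = (s) => s;\n")

    bad = root / "@acme" / "widgets"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@acme/widgets",
        "version": "2.3.1",
        "scripts": {"postinstall": "node bundle.js"},
    }))
    (bad / "bundle.js").write_text("// placeholder standing in for the payload; does nothing\n")
    return root


if __name__ == "__main__":
    # Usage: python audit_node_modules.py [path/to/node_modules]
    # Without an argument, audits the constructed sample tree.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for line in audit_node_modules(target) or ["no findings"]:
        print(line)
```

Point the script at a project's node_modules directory to get a sorted list of packages with install-time hooks or a root-level bundle.js; INFO findings are normal for packages that legitimately compile native code, so review them rather than treating them as infections. Because the worm only gets to run through install scripts, setting `ignore-scripts=true` in .npmrc (and enabling scripts deliberately for the few packages that need them) shrinks the attack surface this check is looking at.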