Full Report
Cybersecurity researchers have disclosed details of what appears to be a new strain of Shai Hulud on the npm registry with slight modifications from the previous wave observed last month. The npm package that embeds the novel Shai Hulud strain is "@vietmoney/react-big-calendar," which was uploaded to npm back in March 2021 by a user named "hoquocdat." It was updated for the first time on
Analysis Summary
# Tool/Technique: Shai Hulud (Modified Strain)
## Overview
A modified strain of the Shai Hulud malware family, found embedded in the npm package `@vietmoney/react-big-calendar`. It differs from the previous waves in ways that indicate continued development and re-obfuscation by its operators. Consistent with the family's history, its purpose is to steal programmatic credentials (API keys, cloud credentials, npm and GitHub tokens) from developer and CI environments and to use stolen npm tokens to publish itself into other packages, giving it worm-like propagation through the supply chain.
## Technical Details
- Type: Malware family (worm/infostealer)
- Platform: JavaScript/Node.js; delivered through packages on the npm registry and executed in the developer or build environment that installs them
- Capabilities: Credential harvesting, npm/GitHub token exfiltration, self-propagation by republishing other packages with the malicious code injected
- First Seen: The initial Shai Hulud wave was spotted in September 2025; the package carrying this modified strain was created in March 2021 and received its first update on December 28, 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are based on the described payload functionality and the historical behaviour of the Shai Hulud family; IDs follow the Enterprise matrix.*
- **TA0001 - Initial Access**
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools (malicious code delivered through an npm package)
- **TA0002 - Execution**
- T1059.007 - Command and Scripting Interpreter: JavaScript (payload runs as Node.js code when the package is installed)
- **TA0006 - Credential Access**
- T1552 - Unsecured Credentials
- T1552.001 - Credentials In Files (API keys, cloud credentials, npm and GitHub tokens read from the development environment)
- **TA0010 - Exfiltration**
- T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository (stolen secrets are pushed to GitHub repositories)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (the strain was re-obfuscated relative to earlier waves)
- T1036 - Masquerading (file names such as `bun_installer.js` and `environment_source.js` chosen to look like ordinary tooling)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Collects API keys, cloud credentials, and npm and GitHub tokens from the development environment in which the package is installed.
- **Exfiltration:** Writes the collected secrets to files and pushes them to GitHub repositories under the attacker's control.
- **Worm-like Propagation (Supply Chain Compromise):** Uses stolen npm tokens to identify and fetch 100 high-download packages maintained by the compromised developer, injects the malicious code into each, and publishes the modified versions to npm.
### Advanced Features
- **Re-obfuscation:** The code differs from the previous wave in a way that indicates it was obfuscated again from the original source, which suggests the operators have access to the unobfuscated source code.
- **Improved Error Handling:** The strain now handles the case where the TruffleHog credential scanner it runs to locate secrets times out, instead of failing at that point.
- **OS-based Publishing Control:** The operating-system-dependent logic that drives package publishing was improved.
- **Execution Hiding:** The new file names (`bun_installer.js`, `environment_source.js`) are chosen to blend in with ordinary tooling and environment files.
- Note: the `.idea.pid` duplicate-execution check mentioned in the source article belongs to the Cobalt Strike Beacon delivered by a separate malicious Maven artifact, not to this Shai Hulud strain; it is listed under Related Tools/Techniques below.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names:
- Initial execution wrapper: `bun_installer.js`
- Main payload reference: `environment_source.js`
- Stored secret file names: `3nvir0nm3nt.json`, `cl0vd.json`, `c9nt3nts.json`, `pigS3cr3ts.json`, `actionsSecrets.json`
- Registry Keys: [Not applicable]
- Network Indicators: [Exfiltration targets are GitHub repositories; specific C2 domains/IPs not provided.]
- Behavioral Indicators: Package publication under the user "hoquocdat"; updates to package `@vietmoney/react-big-calendar`. GitHub repositories containing exfiltrated data feature the description: "Goldox-T3chs: Only Happy Girl."
## Associated Threat Actors
- Unknown, but authors appear to have access to the original Shai Hulud source code due to the nature of the modifications. The description associated with leaked data suggests a potential moniker: "Goldox-T3chs."
## Detection Methods
- Signature-based detection: Flag the package `@vietmoney/react-big-calendar`, in particular the version published on December 28, 2025, which is the first update since the package was created in March 2021.
- Behavioral detection: Monitoring attempts to read/exfiltrate configuration files, tokens, or execution of obfuscated JavaScript files within a package installation lifecycle.
- YARA rules: [Not provided]
## Mitigation Strategies
- Strict dependency vetting: Scrutinise npm packages before adopting or upgrading them, especially dormant packages that suddenly receive a new version (as here, a package untouched since March 2021 updated in December 2025) and packages whose update patterns are otherwise unusual.
- Principle of Least Privilege: Restrict the scope and lifetime of the npm, GitHub and cloud tokens present in development and build environments, so that a stolen token cannot publish packages or read repository secrets beyond what the task at hand requires.
- Monitoring: Watch for credential exfiltration activity, in particular unexpected pushes to GitHub repositories, originating from build or development systems.
## Related Tools/Techniques
- Previous Shai Hulud waves (September 2025 and November 2025).
- **Malicious Maven artifact:** The article also mentions a related, but distinct, supply chain threat involving a fake Jackson JSON Maven package delivering a Cobalt Strike Beacon, which used `.idea.pid` for self-check avoidance.