
On the heels of 2.0, Shai Hulud 3.0 emerges as a supply chain threat

Aikido Security has discovered a third variant of the Shai Hulud JavaScript malware, raising fresh concerns about the security of the open source supply chain.

The malware was found in an npm package called @vietmoney/react-big-calendar and appears to be part of a controlled test by the attackers. At the time of discovery there were no indications of large-scale distribution, which suggests the campaign was caught at an early stage.

Shai Hulud was first observed in September and specifically targets the JavaScript ecosystem. Instead of attacking end users, the malware goes after developers by hiding malicious code in npm packages. Once such a package is installed, the malware attempts to collect sensitive information, including environment variables, API keys, and secrets from cloud and CI/CD environments. That data is then automatically exfiltrated to GitHub repositories created by the attacker.

The newly discovered variant, which researchers refer to as Shai Hulud 3.0, shows that the attackers continue to refine their techniques. The code has been split into more pieces, more heavily obfuscated, and modified to handle errors better while stealing secrets. The malware also now runs on a wider range of JavaScript runtimes and operating systems, including Windows, which previous variants did not reliably support.

Notably, researchers found a programming error: the malware downloads a file under one name but stores and references it locally under another. Inconsistencies of this kind suggest the attackers are still experimenting with new versions before launching a large-scale attack. Aikido Security states that the code has not simply been copied but rebuilt with access to the original source, which points to the same actor or group being responsible.


No dead man's switch

Unlike previous variants, Shai Hulud 3.0 does not contain a so-called dead man's switch, a mechanism that triggers destructive behaviour when the malware is removed or its access is cut off. External security experts point out that this makes the malware an untargeted and difficult-to-stop weapon. Patrick Munch, chief security officer at Mondoo, warns that the rapid evolution of Shai Hulud shows how attractive the software supply chain has become to attackers, SiliconANGLE reports.

The discovery comes shortly after a second Shai Hulud variant was flagged just before Christmas by detection and response company Expel. According to researchers, the fact that several security companies are independently encountering new variants underscores that this is not a one-off incident but an active and evolving malware campaign.

Although the immediate impact of this specific discovery appears limited, the incident once again highlights the vulnerability of modern development environments. By hiding malicious code in trusted open source dependencies, attackers can bypass perimeter security and gain direct access to systems containing valuable cloud and deployment secrets. Aikido Security therefore expects similar attacks to occur more frequently as long as dependency management and monitoring receive insufficient attention.