
"Aikido, which spotted the package, said it has not spotted any major spread or infections following the release of the package. "This suggests we may have caught the attackers testing their payload," security researcher Charlie Eriksen said. "The differences in the code suggest that this was obfuscated again from the original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm.""
"The npm package that embeds the novel Shai Hulud strain is "@vietmoney/react-big-calendar," which was uploaded to npm back in March 2021 by a user named "hoquocdat." It was updated for the first time on December 28, 2025, to version 0.26.2. The package has been downloaded 698 times since its initial publication. The latest version has been downloaded 197 times. Aikido, which spotted the package, said it has not spotted any major spread or infections following the release of the package."
A novel Shai Hulud strain was found embedded in the npm package @vietmoney/react-big-calendar, originally uploaded in March 2021 by user hoquocdat and updated on December 28, 2025, to version 0.26.2. The package has 698 total downloads and 197 downloads for the latest version. Detection by Aikido did not reveal major spread or infections, suggesting the attackers may have been testing their payload. Code differences indicate the payload was re-obfuscated from the original source, implying access to the original worm source rather than a copycat. The Shai-Hulud campaign steals API keys, cloud credentials, and tokens, and can weaponize npm tokens to propagate malicious changes across developer packages.
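A practical first check for the indicator above is to look for the named package in a project's `package-lock.json`. The following is an added example, not code from The Hacker News or Aikido: the package name and version are the ones the report gives, while the lock-file content is constructed for the demonstration. It handles both the lockfileVersion 2/3 layout (`packages` keyed by `node_modules/...` path) and the older lockfileVersion 1 layout (nested `dependencies`), and reports every install of the package, marking whether it is the version the report names.

```python
"""Scan an npm package-lock.json for the package named in the report.

Added example (not from The Hacker News or Aikido). The package name and
version below come from the report; the sample lock file is constructed.
"""
import json

# Indicator from the report: the package and the version that carried the payload.
FLAGGED_PACKAGE = "@vietmoney/react-big-calendar"
FLAGGED_VERSION = "0.26.2"

# Constructed sample lock file (lockfileVersion 3: "packages" keyed by install path).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"react-big-calendar": "^1.8.0"}},
        "node_modules/react-big-calendar": {"version": "1.8.0"},
        "node_modules/@vietmoney/react-big-calendar": {"version": "0.26.2"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})


def find_flagged(lock_text, name=FLAGGED_PACKAGE, version=FLAGGED_VERSION):
    """Return (install_path, installed_version, is_flagged_version) for every
    install of `name` found in the lock file.

    Any install of the package is reported, since the report says the package
    had no legitimate releases after its 2021 upload; the boolean marks the
    specific version named in the report.
    """
    lock = json.loads(lock_text)
    hits = []

    # lockfileVersion 2/3: keys look like "node_modules/@scope/pkg" or
    # "node_modules/a/node_modules/@scope/pkg"; the last segment is the package name.
    for path, entry in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == name:
            installed = entry.get("version", "")
            hits.append((path, installed, installed == version))

    # lockfileVersion 1: nested "dependencies" objects, one level per node_modules.
    def walk_v1(deps, prefix):
        for dep_name, entry in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name:
                installed = entry.get("version", "")
                hits.append((path, installed, installed == version))
            walk_v1(entry.get("dependencies", {}), path + "/")

    walk_v1(lock.get("dependencies", {}), "")
    return hits


if __name__ == "__main__":
    for path, installed, flagged in find_flagged(SAMPLE_LOCK):
        marker = "  <-- version named in the report" if flagged else ""
        print(f"{path}: {installed}{marker}")
```

Run it against a real lock file by passing the file's contents to `find_flagged`; an empty list means the package is not installed at any depth of the dependency tree. Note that the similarly named, unscoped `react-big-calendar` is not matched, because the comparison is on the full scoped name.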
Read at The Hacker News