Shai-Hulud worm copycats emerge after source code leak

https://securityaffairs.com/192366/malware/shai-hulud-worm-copycats-emerge-after-source-code-leak.html

Publish Date: 2026-05-19 03:37:00

Source Domain: securityaffairs.com

Pierluigi Paganini
May 19, 2026

Shai-Hulud worm copycats are already attacking NPM developers after its source code leaked, enabling fast supply chain exploitation.

The first copycats of the Shai-Hulud worm have already started showing up online, only a few days after the malware’s source code was dumped on GitHub. Researchers had warned this would happen almost immediately, and they were right.

According to cybersecurity firm Ox Security, at least one threat actor is already using modified versions of the worm in attacks against NPM developers.

Shai-Hulud first appeared in September 2025 during a series of supply chain attacks targeting the open source ecosystem. The malware resurfaced a few months later, compromising hundreds of NPM packages and potentially affecting thousands of developers. Its main purpose was straightforward: steal credentials, tokens, API keys, and other secrets from infected machines, then use those credentials to spread further by pushing malicious updates through compromised maintainer accounts.

Things escalated earlier this year when researchers connected the malware to TeamPCP, the group tied to several attacks against the open source community, including incidents involving Trivy, Bitwarden, Checkmarx, SAP, and TanStack.

Then came the turning point: TeamPCP briefly uploaded repositories containing the full Shai-Hulud source code to GitHub. Around the same time, posts appeared on BreachForums encouraging people to reuse the malware and launch their own supply chain campaigns.

Ox Security spotted a threat actor that has already published four malicious NPM packages, including a direct clone of Shai-Hulud called “chalk-tempalte.” The clone is simpler than the original version and doesn’t even try particularly hard to hide itself, but the core behavior is still there.

“The…
