The Hacker News (malware, International)
New Shai Hulud npm Strain & Malicious Maven Package Disclosed
Wednesday, December 31, 2025
What
Two distinct software supply chain attacks were disclosed: a new Shai Hulud npm malware strain designed to steal credentials and self-propagate, and a typosquatted Maven package delivering Cobalt Strike beacons. These incidents highlight persistent threats to developer ecosystems and the critical need for vigilance against malicious dependencies.
Where
npm registry, Maven Central, developer systems using affected packages.
When
New Shai Hulud strain updated December 28, 2025; Maven package detected shortly after December 17, 2025.
Key Factors
- The new Shai Hulud strain features obfuscated code modifications, new file names like "bun_installer.js" and "environment_source.js", and improved error handling, suggesting continued development by the original attackers.
- The Shai Hulud campaign leverages stolen npm tokens to weaponize and push malicious changes to up to 100 other popular packages associated with the compromised developer, enabling a worm-like supply chain compromise.
- The malicious Maven package exploited TLD-style prefix swaps in Java's reverse-domain namespace convention (e.g., `org.fasterxml` vs. `com.fasterxml`) to deliver Cobalt Strike beacons via a multi-stage attack chain.
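The prefix-swap trick above is mechanical enough to check for in a build pipeline. The following script is an added example, not code from the article or from any affected project: it parses a constructed pom.xml and flags any dependency whose groupId differs from a trusted namespace only in its leading TLD-style segment. The trusted list, the prefix list and the sample POM are assumptions for the illustration.

```python
"""Flag Maven dependencies whose groupId is a TLD-style prefix swap of a
trusted namespace (e.g. org.fasterxml vs com.fasterxml). Added example;
the allowlist, prefix list and sample POM below are constructed."""
import xml.etree.ElementTree as ET

# Constructed allowlist of groupIds this build is expected to resolve.
TRUSTED_GROUPS = {"com.fasterxml.jackson.core", "org.apache.commons", "com.google.guava"}
# Reverse-domain leading segments that lookalike packages swap for one another.
TLD_PREFIXES = ("com", "org", "net", "io", "dev")
# Real POMs declare this namespace, so element lookups must carry it.
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

def split_group(group_id):
    """Return (leading_segment, remainder) for 'org.fasterxml.jackson.core'."""
    head, _, tail = group_id.partition(".")
    return head, tail

def prefix_swap_of(group_id, trusted=TRUSTED_GROUPS):
    """Return the trusted groupId that group_id impersonates by swapping only
    the leading TLD-style segment, or None if it is trusted or unrelated."""
    if group_id in trusted:
        return None
    head, tail = split_group(group_id)
    if head not in TLD_PREFIXES:
        return None
    for candidate in trusted:
        c_head, c_tail = split_group(candidate)
        if c_head != head and c_tail == tail and c_head in TLD_PREFIXES:
            return candidate
    return None

def audit_pom(pom_xml):
    """Return (groupId, artifactId, impersonated_groupId) for every suspect dependency."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iter(POM_NS + "dependency"):
        gid = dep.findtext(POM_NS + "groupId", default="")
        aid = dep.findtext(POM_NS + "artifactId", default="")
        target = prefix_swap_of(gid)
        if target:
            findings.append((gid, aid, target))
    return findings

# Constructed sample: one genuine Jackson coordinate and one prefix-swap lookalike.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
<dependency><groupId>org.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for gid, aid, target in audit_pom(SAMPLE_POM):
        print(f"SUSPECT {gid}:{aid} is a prefix swap of trusted {target}")
```

Run against a real pom.xml by reading the file into `audit_pom`; extend `TRUSTED_GROUPS` with the namespaces your organisation actually consumes.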
Takeaways
- Developers must meticulously verify package authenticity and source, especially for popular libraries, to avoid typosquatting and supply chain attacks.
- Package registry maintainers should implement enhanced verification for namespaces that closely resemble legitimate high-value packages, preventing deceptive copycat uploads.