Shai-Hulud is a worm-style malware initially used in supply chain attacks against NPM packages, designed to steal credentials, API keys, and tokens from infected developer machines. It propagates by injecting itself into packages maintained by victims and publishing malicious versions. The TeamPCP hacking group released the worm's source code publicly on GitHub, prompting rapid adoption and cloning by other threat actors. Ox Security identified at least four malicious NPM packages linked to these clones, including a direct Shai-Hulud clone named 'chalk-tempalte' and others using typo-squatting to target Axios users. These packages collectively have thousands of weekly downloads, indicating active distribution. The cloned malware variants maintain similar behavior patterns, such as uploading stolen credentials to GitHub repositories and establishing command-and-control infrastructure. This development marks the beginning of a new wave of supply chain attacks leveraging the Shai-Hulud codebase.

The Shai-Hulud worm and its clones enable attackers to steal sensitive credentials and secrets from developer environments, potentially compromising numerous NPM packages and the broader open source software supply chain. This can lead to widespread propagation of malicious code through trusted software dependencies. The presence of multiple malicious packages with thousands of weekly downloads increases the risk of infection for developers and downstream users. Additionally, some cloned packages facilitate distributed denial-of-service (DDoS) attacks, expanding the threat beyond credential theft. The public release of the source code has accelerated the spread and adaptation of this malware, increasing the scale and diversity of supply chain attacks targeting open source ecosystems.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Developers and organizations should monitor official NPM advisories and security updates for affected packages. Avoid installing or updating packages with suspicious or typo-squatted names. Employ supply chain security best practices such as verifying package integrity and provenance. Security researchers and maintainers should track and remove malicious packages from repositories promptly. Given the rapid adaptation of the malware following source code release, proactive threat intelligence and community collaboration are critical to mitigating impact.