Ethical Hacking News
Modified Shai-Hulud Worm Found on npm Registry, Researchers Sound Alarm
Cybersecurity researchers have recently discovered a modified strain of the Shai-Hulud worm on the npm registry. According to the research team at Aikido, this appears to be an attacker testing malware payloads, and the attackers had access to the original source code for the worm.
Aikido has also reported a malicious package, "org.fasterxml.jackson.core/jackson-databind", on Maven Central. It poses as the legitimate Jackson JSON library and exploits a blind spot in Java's reverse-domain namespace convention, allowing copycat packages with similar prefixes to deceive developers.
The modified Shai-Hulud worm was discovered in January 2026. According to Charlie Eriksen of Aikido, "This suggests we may have caught the attackers testing their payload." Eriksen added that "the differences in the code suggest that this was obfuscated again from the original source, not modified in place," which indicates the researchers may have caught an attacker testing new versions of the malware.
THN is reporting that cybersecurity researchers have recently discovered a modified strain of the Shai-Hulud worm on the npm registry. The finding stems from researchers identifying a package called "@vietmoney/react-big-calendar", which was uploaded to npm in March 2021 by a user named "hoquocdat". The package reportedly received its first update, version 0.26.2, on December 28, 2025.
The Aikido research team found that the modified Shai-Hulud worm appeared to be testing payloads; it was discovered in January 2026. According to Charlie Eriksen of Aikido, "This suggests we may have caught the attackers testing their payload."
Eriksen further stated that "the differences in the code suggest that this was obfuscated again from the original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm." The Shai-Hulud attack first came to light in September 2025, when trojanized npm packages were found stealing sensitive data such as API keys, cloud credentials, and npm and GitHub tokens.
In the second wave, spotted in November 2025, the repositories carried the description "Sha1-Hulud: The Second Coming." The most important aspect of this campaign, however, is its ability to weaponize npm tokens: the stolen tokens let the attackers fetch the 100 most-downloaded other packages associated with the developer, introduce similar malicious changes, and push them to npm.
The new strain of Shai-Hulud shows notable differences. The initial file has been renamed "bun_installer.js" and its main payload is now called "environment_source.js." There are also GitHub repositories whose description reads "Goldox-T3chs: Only Happy Girl."
The researchers also found files named 3nvir0nm3nt.json, cl0vd.json, c9nt3nts.json, pigS3cr3ts.json, and actionsSecrets.json. These changes suggest the attackers have tried to blend the malware in with legitimate software.
Researchers from Aikido have stated that they found the malicious package "org.fasterxml.jackson.core/jackson-databind" on Maven Central. It poses as the legitimate Jackson JSON library and serves as an attack vector.
The development is a significant threat to developers who frequently use packages from Maven Central. When an unsuspecting developer adds the malicious dependency to their "pom.xml", Spring Boot's application context scans for @Configuration classes, finds the malicious class, and registers it as a bean.
As its next step, the malware looks for a file named ".idea.pid" in the working directory, which records an already running instance of itself. If the file exists, the malware silently exits without further action.
Otherwise, the malicious code contacts an external server via SAML authentication; the encrypted response contains URLs from which to download payloads for the current operating system. The payload is a Cobalt Strike beacon, a legitimate adversary-simulation tool that can be used for post-exploitation and command-and-control.
In their analysis, the researchers found that the attack exploits a specific blind spot in Java's reverse-domain namespace convention: Maven Central does not detect copycat packages that use a similar prefix to deceive developers into downloading them.
Aikido recommends that package repository maintainers consider keeping a list of high-value namespaces and subjecting any package published under a similar-looking namespace to additional verification to confirm it is legitimate.
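As an added example (not Aikido's or Maven Central's code), here is the check that recommendation describes: a constructed watchlist of high-value namespaces and a function that flags a newly published groupId that differs from a watchlisted one only in its top-level label, embeds it after another prefix, or is a near-miss spelling. The legitimate Jackson groupId is com.fasterxml.jackson.core; the package discussed above used org.fasterxml.jackson.core. Watchlist entries, the threshold, and the reason labels are assumptions.

```python
from difflib import SequenceMatcher

# Constructed watchlist of high-value namespaces (illustrative, not a real registry list).
HIGH_VALUE_NAMESPACES = (
    "com.fasterxml.jackson.core",
    "org.springframework.boot",
    "org.apache.commons",
)


def _labels(group_id):
    """Split a reverse-domain groupId into its dot-separated labels, lower-cased."""
    return group_id.strip().lower().split(".")


def namespace_lookalike(group_id, watchlist=HIGH_VALUE_NAMESPACES, threshold=0.9):
    """Classify a newly published groupId against the watchlist.

    Returns None when the groupId is a watchlisted namespace itself (or a
    sub-namespace under it, which the registry ties to the same verified owner)
    or is unrelated to every entry; otherwise returns (reason, entry) so the
    publication can be held for additional verification.
    """
    cand = _labels(group_id)
    for entry in watchlist:
        ref = _labels(entry)
        if cand[:len(ref)] == ref:
            return None
        # Same domain body under a different top-level label: org.fasterxml vs com.fasterxml.
        if len(cand) >= len(ref) and cand[1:len(ref)] == ref[1:]:
            return ("tld_swap", entry)
        # Watchlisted domain body appended after another prefix, e.g. io.github.fasterxml.jackson.core.
        body = ref[1:]
        for i in range(2, len(cand) - len(body) + 1):
            if cand[i:i + len(body)] == body:
                return ("embedded", entry)
        # Typosquat-style near match on the whole string (e.g. com.fasterxm1.jackson.core).
        ratio = SequenceMatcher(None, ".".join(cand), entry.lower()).ratio()
        if ratio >= threshold:
            return ("near_match", entry)
    return None


def check_coordinate(coordinate):
    """Accept 'groupId:artifactId' (or the 'groupId/artifactId' spelling used above) and check the groupId."""
    group_id = coordinate.replace("/", ":").split(":")[0]
    return namespace_lookalike(group_id)
```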
In conclusion, researchers have discovered a modified strain of the Shai-Hulud worm on the npm registry that was testing payloads, and the attackers had access to the original source code for the worm. Aikido also reported a malicious package on Maven Central that exploited a blind spot in Java's reverse-domain namespace convention.
Related Information:
https://www.ethicalhackingnews.com/articles/Modified-Shai-Hulud-Worm-Found-on-npm-Registry-Researchers-Sound-Alarm-ehn.shtml
https://thehackernews.com/2025/12/researchers-spot-modified-shai-hulud.html
https://cybernews.com/security/shai-hulud-malware-3rd-variant-detected-supply-chain-threat/
https://www.ox.security/blog/shai-hulud-3-the-attack-continues/
https://thecyberexpress.com/shai-hulud-golden-path-malwar-npm-supply-chain/
https://www.aikido.dev/blog/shai-hulud-strikes-again---the-golden-path
https://securityaffairs.com/185921/malware/massive-android-botnet-kimwolf-infects-millions-strikes-with-ddos.html
https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html
https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html
https://www.securityweek.com/54-charged-in-us-over-atm-attacks-involving-ploutus-malware/
https://otx.alienvault.com/indicator/file/7afaf7619cf0f8085ec590f26beaa9af
https://www.eset.com/us/about/newsroom/corporate-blog/state-aligned-apt-groups-are-increasingly-deploying-ransomware-and-thats-bad-news-for-everyone/
Published: Wed Dec 31 08:14:44 2025 by llama3.2 3B Q4_K_M