

Ethical Hacking News

New Shai-Hulud Malware Wave Compromises 600 npm Packages: A Devastating Blow to Developer Trust



A devastating new wave of malware has struck the Node Package Manager (npm) index, compromising over 600 packages and leaving many developers reeling. The attack, which saw heavily obfuscated 'index.js' payloads injected into popular libraries, highlights the ever-present threat posed by supply-chain attacks.

  • Over 600 malicious packages were published to the Node Package Manager (npm) index on May 19, 2026.
  • The attack targeted libraries with tens of millions of monthly downloads, including echarts-for-react and @antv/g2.
  • The malware used a root-level index.js file and self-propagation capability to spread itself through stolen npm tokens.
  • Developers are advised to uninstall infected packages, rotate secrets, and monitor new package uploads for signs of Shai-Hulud activity.



  • May 19, 2026 - 10:30 AM

    The tech world was dealt a significant blow on May 19, 2026, when a new wave of Shai-Hulud malware hit the Node Package Manager (npm) index. The attack, which saw over 600 malicious packages published to the platform, has left many in the developer community reeling.

    At the heart of this latest Shai-Hulud campaign was the injection of heavily obfuscated 'index.js' payloads, designed to steal sensitive information from developer workstations and CI/CD environments. According to Endor Labs researchers, some of the impacted libraries included echarts-for-react, @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, timeago.js, size-sensor, canvas-nest.js, and jest-canvas-mock. These libraries, many of which have tens of millions of monthly downloads, had been compromised by the attackers, who used GitHub as a fallback exfiltration mechanism to publish stolen data in repositories under victims' accounts.

    The malicious payload, which was discovered by Socket researchers, has several key features that make it particularly concerning. First, it uses a root-level index.js file and a primary C2 endpoint that differs from the one used by earlier Mini Shai-Hulud payloads. Second, the payload body is smaller than in previous variants, although this does not diminish its ability to cause harm.

    Perhaps most disturbing, however, is the malware's self-propagation capability. Using stolen npm tokens, infected packages are validated, enumerated, and then republished with bumped version numbers. This means that a developer who unknowingly downloads an infected package may unwittingly spread the malware further through their own codebase.

    The Shai-Hulud campaigns have been ongoing for several months now, with multiple software ecosystems being targeted with varying degrees of success. PyPI and Composer have also fallen victim to these supply-chain attacks, although to a lesser extent than npm.

    It is worth noting that the Shai-Hulud malware has evolved significantly since its first appearance last September. The latest variant, while different in technical detail from earlier payloads, shares the same operational characteristics. This means that developers who download infected packages may face significant challenges in detecting and removing the malware.

    As a result of this attack, it is imperative that developers take immediate action to protect themselves and their organizations. All infected packages should be uninstalled immediately, and all secrets within reach of the infected systems should be rotated. Furthermore, developers are advised to keep a close eye on any new package uploads and to scrutinize codebases carefully for any signs of Shai-Hulud activity.
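
As an added example (not from the article or the researchers it cites), the Node.js function below lists every install of the packages named above in a parsed package-lock.json, covering both the flat v2/v3 layout and the nested v1 tree. The article gives no affected version numbers, so the `badVersions` argument is a hypothetical input to be filled from a vendor advisory, and the sample lockfile is constructed.

```javascript
// Package names taken from the article, which does not list affected versions.
const NAMED_PACKAGES = new Set([
  'echarts-for-react', '@antv/g2', '@antv/g6', '@antv/x6', '@antv/l7',
  '@antv/g2plot', '@antv/graphin', 'timeago.js', 'size-sensor',
  'canvas-nest.js', 'jest-canvas-mock',
]);

// Return every install of a named package found in a parsed package-lock.json.
// badVersions (hypothetical input): { name: [versions] } copied from a vendor advisory.
function findNamedPackages(lock, badVersions = {}) {
  const hits = [];
  const record = (name, version, path) => {
    if (!NAMED_PACKAGES.has(name)) return;
    const known = (badVersions[name] || []).includes(version);
    hits.push({ name, version, path, status: known ? 'known-bad' : 'review' });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, nested copies included.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // "" is the root project; workspace paths are skipped
      record(meta.name || path.slice(idx + 'node_modules/'.length), meta.version, path);
    }
  } else {
    // lockfileVersion 1: recursive "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        record(name, meta.version, path);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile; the versions are made up for the demonstration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@antv/g2': { version: '0.0.1-sample' },
    'node_modules/demo-charts': { version: '1.3.0' },
    'node_modules/demo-charts/node_modules/size-sensor': { version: '0.0.2-sample' },
  },
};
console.log(findNamedPackages(sampleLock, { 'size-sensor': ['0.0.2-sample'] }));
```

Entries marked `review` are installs whose version still has to be compared against the advisory; any hit on a build host is also a prompt to rotate the secrets that host could reach.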

    In conclusion, the latest Shai-Hulud malware wave is a stark reminder of the ever-present threat posed by supply-chain attacks. As we move forward into an increasingly complex and interconnected tech world, it is more important than ever that developers remain vigilant and proactive in protecting themselves from these kinds of threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Shai-Hulud-Malware-Wave-Compromises-600-npm-Packages-A-Devastating-Blow-to-Developer-Trust-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-shai-hulud-malware-wave-compromises-600-npm-packages/


  • Published: Tue May 19 10:32:22 2026 by llama3.2 3B Q4_K_M












