348/68 Thursday, September 18, 2025

Cybersecurity researchers from ReversingLabs have disclosed a newly discovered worm called “Shai-hulud”, which is rapidly spreading across open-source software, particularly through NPM packages. The malware leverages self-replication mechanisms, enabling it to spread quickly across hundreds of projects while stealing sensitive information such as secrets, tokens, and login credentials, all with minimal direct involvement from attackers. The discovery was made on September 15, and the worm was named after the giant sandworm “Shai-hulud” from the Dune movie, reflecting its aggressive propagation behavior.
The Shai-hulud worm operates by infecting an NPM package. Once developers download and use the compromised package, the worm executes immediately to steal sensitive data from the developer’s environment. It then uses the stolen information to access the developer’s NPM account and spread itself to other projects under their control, creating a self-sustaining propagation cycle. The worm also installs TruffleHog to search for hidden secrets within packages and attempts to make private repositories public, thereby exposing source code and identifying additional vulnerabilities to exploit.
According to ReversingLabs, the suspected “Patient Zero” package was “rxnt-authentication”, which may have been compromised through a social engineering attack, similar to the earlier case of developer Qix, whose hacked NPM account impacted 18 popular applications with over 2 billion downloads per week. Although that incident was contained quickly, Shai-hulud is considered far more dangerous, as its primary objective is to exfiltrate as many secrets as possible. At this stage, it remains unclear how attackers intend to use the stolen data. Researchers urge all open-source contributors and developers to urgently review their NPM accounts, especially if they have recently downloaded potentially suspicious packages.
Source: https://www.darkreading.com/application-security/self-replicating-shai-hulud-worm-npm-packages