First Shai-Hulud Worm Clones Emerge in NPM Supply Chain

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Rapid cloning: The first Shai-Hulud worm clones appeared days after TeamPCP released the source code.
  • Malicious packages: Security researchers identified four malicious NPM packages with more than 2,600 weekly downloads.
  • Supply chain: The malware self-propagates by injecting into packages maintained by compromised developers.

The first Shai-Hulud worm clones have appeared only days after the TeamPCP hacking group released the malware’s source code on GitHub. The packages appear to be part of a typo-squatting campaign that targets Axios users and imitates other generic package names.

The Shai-Hulud worm was first used in September 2025 and again in November, during supply chain attacks that hit hundreds of NPM packages and likely infected thousands of software developers.

Malicious NPM Packages and Code Cloning

The malware is specifically engineered to steal credentials, API keys, authentication tokens, and other cryptographic secrets, and it self-propagates by injecting malicious code into repositories and packages maintained by compromised victims. The threat re-emerged in April during a wave of supply chain attacks attributed to TeamPCP, including notable incidents involving Trivy, Bitwarden, Checkmarx, SAP, and TanStack.

Attack chain | Ox Security

Following the source code release, researchers at Ox Security identified four malicious NPM packages deployed by threat actors. “These malicious packages contain infostealer malware, one of which is a Shai-Hulud clone following the TeamPCP open source release, and one DDoS botnet package,” the report said.

The package “chalk-tempalte” functions as a direct clone of the original worm, implementing its own command-and-control (C2) server. Furthermore, the operators deployed other typo-squatting packages targeting developers: 

Download Impact and Botnet Integration

These four packages achieved a combined weekly download count of over 2,600. While the primary objective remains credential theft and automated propagation, the payload capabilities vary. Specifically, one of the typo-squatting packages actively adds infected machines to a distributed denial-of-service (DDoS) botnet called Phantom Bot.
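Since the campaign relies on near-miss package names such as “chalk-tempalte”, one practical check a defender can run against a project’s dependencies is a lookalike-name scan. The following is an added example, not code from the article or from Ox Security; the known-package list and the sample dependency block are constructed for illustration.

```javascript
// Added example: flag dependency names that sit within a small edit distance of a
// well-known package name, the kind of typo-squat the article describes
// ("chalk-tempalte" for chalk-template). KNOWN_PACKAGES is a constructed sample,
// not a complete allowlist.

// Optimal string alignment distance: Levenshtein plus adjacent transpositions,
// so a swapped letter pair ("tempalte") counts as a single edit.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Short names produce many accidental near-matches (e.g. "chai" vs "chalk"),
// so allow only one edit for names under 8 characters and two otherwise.
function allowedDistance(name) {
  return name.length < 8 ? 1 : 2;
}

// Returns [{ name, lookalike, distance }] for every dependency that is not an
// exact known name but is within the allowed distance of one.
function findTyposquatCandidates(dependencies, knownNames) {
  const known = new Set(knownNames);
  const hits = [];
  for (const name of Object.keys(dependencies)) {
    if (known.has(name)) continue; // exact match: the legitimate package
    for (const candidate of knownNames) {
      const distance = osaDistance(name, candidate);
      if (distance <= allowedDistance(name)) {
        hits.push({ name, lookalike: candidate, distance });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample: a package.json "dependencies" block with one suspicious entry.
const KNOWN_PACKAGES = ['chalk', 'chalk-template', 'axios', 'lodash', 'express'];
const SAMPLE_DEPENDENCIES = { 'chalk-tempalte': '^1.0.0', axios: '^1.6.0', chai: '^4.3.0' };

console.log(JSON.stringify(findTyposquatCandidates(SAMPLE_DEPENDENCIES, KNOWN_PACKAGES)));
```

A lookalike hit is a reason to inspect the package's publisher, publish date and install scripts, not proof of malice; legitimate forks and scoped variants also land near popular names.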

Ox Security recommended the following actions:

Last week, TeamPCP claimed the Mistral AI breach, and the company confirmed that it had been impacted by the TanStack supply chain attack. In a related incident, the Checkmarx Jenkins AST plugin was compromised by TeamPCP using credentials stolen in the Trivy supply chain attack.

In September 2025, multiple CrowdStrike npm packages were compromised in a growing supply chain attack identified as a continuation of the Shai-Hulud campaign.
