TeamPCP Open-Sources Shai-Hulud Worm on GitHub; Clones Proliferate in NPM Attacks
The TeamPCP malware crew released the Shai-Hulud worm's source code on GitHub under an MIT license, triggering an immediate wave of clones and copycat campaigns targeting npm developers — including the first reported clone attack and subsequent npm package compromises.

At least one threat actor has adopted the recently leaked source code of the Shai-Hulud worm in active attacks against NPM developers, according to a report from SecurityWeek. This marks the first observed in-the-wild exploitation of the Shai-Hulud code, which was originally disclosed as a proof-of-concept malware strain designed to spread through the Node.js package ecosystem. The worm clones itself by compromising developer environments and injecting malicious packages, posing a significant supply-chain risk to the JavaScript ecosystem.
The Shai-Hulud worm, named after the sandworms from Frank Herbert's Dune series, was first detailed by security researchers as a self-replicating malware that targets the NPM registry. Its source code was later leaked, enabling other threat actors to repurpose it for real-world attacks. The worm operates by infecting developer machines, then using stolen credentials or access tokens to publish malicious packages to the NPM registry. These packages can then be downloaded by unsuspecting developers, propagating the infection further.
The current campaign represents a dangerous escalation, as the worm's ability to self-replicate through the software supply chain amplifies its impact. Unlike traditional malware that relies on phishing or drive-by downloads, Shai-Hulud leverages the trust inherent in open-source package registries. Once a developer's environment is compromised, the worm can automatically push updates to existing packages or create new ones that appear legitimate, making detection difficult.
The impact on the JavaScript ecosystem could be severe. NPM is the largest package registry in the world, hosting millions of packages used by developers globally. A successful worm outbreak could lead to widespread credential theft, data exfiltration, and backdoor installations across countless applications. Security experts warn that the worm's self-propagating nature means a single compromised developer could trigger a cascade of infections.
As of now, no specific CVE identifiers have been assigned to this campaign, as it leverages the existing Shai-Hulud code rather than a new vulnerability. However, the threat is being closely monitored by security firms and the NPM security team. Developers are urged to audit their dependencies, enable two-factor authentication on their NPM accounts, and avoid running untrusted code in their development environments.
The emergence of Shai-Hulud clones underscores a broader trend of proof-of-concept malware being weaponized by real-world attackers. As source code for sophisticated malware becomes more accessible, the line between research and threat continues to blur. This incident serves as a stark reminder of the fragility of the open-source software supply chain and the need for robust security practices among developers.
OX Security researchers have identified four malicious npm packages—chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils—published by the same user, with over 3,000 total downloads. One package (chalk-tempalte) is a direct clone of the Shai-Hulud worm, while axois-utils delivers a Golang-based DDoS botnet called Phantom Bot, and the remaining two steal SSH keys, cloud credentials, and cryptocurrency wallet data. The packages remain available on npm, and users are advised to remove them, rotate secrets, and block communication with the identified C2 servers.
TanStack disclosed that its own repository was compromised via a malicious pull request exploiting the pull_request_target GitHub Actions feature to run the Shai-Hulud worm, poisoning caches across the project. In response, TanStack has removed pull_request_target, disabled caches, pinned actions to commit SHAs, and enabled pnpm 11's minimumReleaseAge. The team is now considering invitation-only pull requests to prevent future attacks, a significant shift from open-source norms that could impact the broader community.
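As an added example (not code from the article, TanStack or OX Security), the following Node.js script audits GitHub Actions workflow text for the two weaknesses TanStack closed: a `pull_request_target` trigger and third-party actions referenced by a mutable tag instead of a commit SHA. The two sample workflows and the 40-character SHAs in them are constructed placeholders; the scan is line-based and does not cover the pnpm `minimumReleaseAge` setting.

```javascript
// Added example (not from the article or TanStack): a line-based auditor for
// GitHub Actions workflow text. It flags a pull_request_target trigger (base-repo
// secrets exposed to untrusted PR code) and actions pinned to a mutable tag
// rather than an immutable 40-hex commit SHA. No YAML parser is needed.
const SHA_REF = /^[0-9a-f]{40}$/i;
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, '').trim(); // naive comment strip
    if (/\bpull_request_target\b/.test(line)) {
      findings.push({ line: idx + 1, kind: 'pull_request_target', detail: line });
    }
    // "uses: owner/repo@ref"; local ("./") and docker:// references are skipped
    const m = line.match(/^-?\s*uses:\s*([^\s@]+)@(\S+)/);
    if (m && !/^(\.\/|docker:\/\/)/.test(m[1]) && !SHA_REF.test(m[2])) {
      findings.push({ line: idx + 1, kind: 'unpinned-action', detail: `${m[1]}@${m[2]}` });
    }
  });
  return findings;
}

// Constructed sample: the risky shape (privileged trigger + PR head checkout).
const WEAK = `
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: pnpm/action-setup@v4
      - run: pnpm install
`;

// Constructed sample: the hardened shape. The SHAs are placeholders, not real pins.
const HARDENED = `
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: pnpm/action-setup@89abcdef89abcdef89abcdef89abcdef89abcdef # v4
      - run: pnpm install
`;
console.log(auditWorkflow(WEAK).map((f) => `${f.line}: ${f.kind} ${f.detail}`));
console.log(auditWorkflow(HARDENED).length); // 0
```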
The Risky Business podcast episode #807 provides additional context on the Shai-Hulud worm's scale, noting that it has now infected over 180 software packages and is actively stealing credentials from developer machines. The discussion highlights the worm's self-replicating ability to autonomously propagate across the npm registry, posing a significant supply-chain risk to the JavaScript ecosystem. This aligns with earlier reports of cloned variants targeting NPM developers, confirming the worm's ongoing and expanding threat.