Shai-Hulud 3.0: npm Supply Chain Worm Reappears With Enhanced Obfuscation
Executive Summary: The Three-Headed Mystery
Shai-Hulud 3.0, the sandworm, is back. But is it a new monster, or just the same old worm with a new trick?
The security community is currently buzzing about rumors of “Shai-Hulud 3.0.” Reports suggest the sandworm has returned and panic levels are high. But when we look at the data, the real question is simpler: is a three-headed Shai-Hulud actually different from what we’ve already seen?
This latest variant was discovered in the npm package @vietmoney/react-big-calendar@0.26.2. While the malware shows signs of evolution, primarily increased obfuscation and reliability improvements, the underlying campaign remains focused on abusing install-time execution to steal secrets and evade detection.
What Is Shai-Hulud 3.0?
Shai-Hulud 3.0 is an updated variant of the Shai-Hulud npm supply chain worm that propagates through malicious package publication. Despite community speculation about a “three-headed” new threat, analysis shows the core infection and exfiltration mechanics remain unchanged from earlier versions.
The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques.
Where Was the Malware Found?
The latest Shai-Hulud variant was identified in the following npm package:
- Package: @vietmoney/react-big-calendar
- Version: 0.26.2
This package embeds malicious install-time logic that executes immediately when the dependency is installed, making it particularly dangerous in CI/CD and developer environments.
How the Shai-Hulud 3.0 Worm Works
Install-Time Execution via Lifecycle Scripts
Shai-Hulud 3.0 relies on the same core technique as previous versions:
- A preinstall script defined in package.json executes automatically.
- The script launches bun_installer.js, invoking the Bun runtime.
- Malicious code is executed before developers or scanners can intervene.
This approach continues to bypass defenses that focus on runtime-only behavior.
Payload Execution and Secret Exfiltration
Once installed, the malware loads environment_source.js, which contains the primary payload. The code:
- Uses TruffleHog to scan the local system for:
- API tokens
- Cloud credentials
- CI secrets
- Improves reliability by:
- Handling TruffleHog timeouts more gracefully
- Explicitly invoking bun.exe to support Windows-based publishing workflows
Extracted secrets are written to disk and later exfiltrated to attacker-controlled infrastructure.
Attacker Mistakes and Behavioral Changes
Even with improved obfuscation, researchers observed operational errors:
- The malware attempts to retrieve c0nt3nts.json from GitHub.
- Exfiltrated data is saved locally as c9nt3nts.json, indicating a filename mismatch.
- The dead-man switch observed in earlier Shai-Hulud versions appears to have been removed.
These inconsistencies provide valuable detection opportunities for defenders.
Indicators of Compromise (IOCs)
To help security teams monitor for this threat, the following IOCs have been identified in the latest variant:
Affected Package:
- Name: @vietmoney/react-big-calendar
- Version: 0.26.2
Malicious Files:
- Initial Installer: bun_installer.js
- Main Payload: environment_source.js
Exfiltrated Data Artifacts:
Monitor repositories and systems for:
• 3nvir0nm3nt.json
• pigS3cr3ts.json
• actionsSecrets.json
• cl0vd.json
• c9nt3nts.json
• c0nt3nts.json
GitHub Metadata
- Repository Description: Goldox-T3chs: Only Happy Girl.
- Search String: SHA1HULUD (present in the GitHub Actions runner code)
Mitigation Guidance
Immediate Actions:
- Remove @vietmoney/react-big-calendar@0.26.2 from all environments.
- Rotate all credentials accessible from affected systems.
- Audit CI/CD pipelines for unauthorized lifecycle script execution.
Long-Term Defenses:
- Enforce allowlists for dependency lifecycle scripts.
- Monitor for install-time execution and outbound network calls during builds.
- Continuously inventory newly published or republished npm packages.
How Upwind Protects You
- Comprehensive dependency intelligence that maps every package and version used across your environment, automatically highlighting suspicious or newly published artifacts consistent with Shai Hulud’s republishing patterns. Upwind identifies risky dependency chains before they reach production.
- Real-time runtime monitoring through Upwind’s sensor technology, which detects abnormal install-time activity such as unexpected lifecycle scripts, token-harvesting attempts, unauthorized workflow creation, and outbound connections initiated by malicious package payloads.
- Behavior-based detection that analyzes developer, CI, and workload activity to surface patterns the Shai Hulud worm relies on—obfuscated script execution, unusual automation identities, rapid repository changes, and anomalies in client-side or build-time behavior.
- Context-driven risk prioritization that correlates compromised packages with the workloads, developers, and secrets they impact. Upwind provides clear, actionable guidance so security teams can quickly isolate affected systems, rotate credentials, and restore clean dependencies.
For support in identifying compromised packages, reach out to [email protected].
Related Research
For historical context and deeper technical analysis, see our technical deep-dive on Shai-Hulud 2.0: npm Supply Chain Worm Attack: https://www.upwind.io/feed/shai-hulud-2-npm-supply-chain-worm-attack
