
Cybersecurity researchers have revealed details of what appears to be a new strain of Shai-Hulud on the npm registry, with some changes since the previous wave observed last month.
The npm package that embeds the new Shai-Hulud strain is ‘@vietmoney/react-big-calendar’, uploaded to npm by a user named ‘hoquocdat’ in March 2021 and updated to version 0.26.2 on December 28, 2025. The package has been downloaded 698 times since it was first published; the latest version has been downloaded 197 times.
Aikido, which discovered the package, said that no major spread or infections have been confirmed since the package was released.
“This suggests that we may have caught the attacker testing the payload,” said security researcher Charlie Eriksen. “Differences in the code suggest that this was re-obfuscated from the original source and not modified on the fly. Therefore, it is highly unlikely that it is a copycat; rather, it was written by someone with access to the worm’s original source code.”
The Shai-Hulud attack was first revealed in September 2025, when a trojanized npm package was discovered stealing sensitive data such as API keys, cloud credentials, npm and GitHub tokens, and exfiltrating GitHub repositories using the stolen tokens. The second wave, discovered in November 2025, contained the description “Sha1-Hulud: The Second Coming” in the repository.

However, the most notable aspect of this campaign is its ability to weaponize npm tokens and scale up the supply chain compromise in a worm-like manner: using a compromised maintainer’s tokens, it takes the 100 most downloaded other packages associated with that developer, introduces the same malicious changes, and pushes them to npm.
The new strain comes with several noticeable changes:
The initial file is now called “bun_installer.js” and the main payload is now called “environment_source.js”. The GitHub repository to which stolen secrets are leaked has the description “Goldox-T3chs: Only Happy Girl.” The files containing the secrets are named 3nvir0nm3nt.json, cl0vd.json, c9nt3nts.json, pigS3cr3ts.json, and actionsSecrets.json.
Other notable changes include improved error handling when the TruffleHog credential scanner times out, improvements to operating-system-specific package publishing, and adjustments to the order in which data is collected and stored.
Fake Jackson JSON Maven package drops Cobalt Strike Beacon
This development comes after the supply chain security company said it had identified a malicious package (‘org.fasterxml.jackson.core/jackson-databind’) on Maven Central that masquerades as a legitimate extension of the Jackson JSON library (whose real namespace is ‘com.fasterxml.jackson.core’) but incorporates a multi-step attack chain that delivers platform-specific executables. The package has since been removed.
The highly obfuscated code resides within a Java archive (JAR) file and is activated when an unsuspecting developer adds the malicious dependency to their ‘pom.xml’ file.
“When a Spring Boot application starts, Spring scans the @Configuration class and finds JacksonSpringAutoConfiguration,” says Eriksen. “The @ConditionalOnClass({ApplicationRunner.class}) check passes (ApplicationRunner is always present in Spring Boot), so Spring registers the class as a bean. The malware’s ApplicationRunner is called automatically after the application context is loaded; no explicit call is required.”
The malware then looks for a file named “.idea.pid” in the working directory. The file name is chosen to blend in with IntelliJ IDEA project files. If the file exists, the malware treats it as a sign that another instance of itself is already running and exits silently.
In the next step, the malware checks the operating system and connects to an external server (‘m.fasterxml[.]org:51211’) to obtain an encrypted response containing the URL of the payload to download for that operating system. The payload is a Cobalt Strike Beacon; Cobalt Strike is a legitimate adversary simulation tool that can be used for post-exploitation or command and control.

On Windows, the malware downloads and runs a file called “svchosts.exe” from “103.127.243[.]82:8000”; on Apple macOS systems, a payload called “Update” is downloaded from the same server.
Further analysis revealed that the typosquatted domain fasterxml[.]org was registered via GoDaddy on December 17, 2025, just one week before the malicious Maven package was detected.
“This attack exploited a particular blind spot in Java’s reverse domain namespace convention: TLD-style prefix swaps,” Eriksen said. “The legitimate Jackson library uses com.fasterxml.jackson.core, but the malicious package uses org.fasterxml.jackson.core.”
According to Aikido, the issue stems from Maven Central’s inability to detect counterfeit packages that use a prefix similar to a legitimate package’s in order to trick developers into downloading them. The company also recommends that package repository administrators consider maintaining a list of high-value namespaces and subjecting packages published in similar namespaces to additional validation to confirm they are legitimate.
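As an added example in the spirit of that recommendation (this is not Aikido’s or the article’s code), the following checker loads a pom.xml, strips the leading TLD-style segment of each groupId, and flags any dependency that collides with a trusted namespace only after that swap. The allow-list and the pom.xml are constructed for the demonstration.

```python
"""Flag Maven dependencies whose groupId is a TLD-prefix swap of a trusted namespace."""
import xml.etree.ElementTree as ET

# Constructed allow-list of high-value namespaces (assumption: in practice this
# would come from a curated file, as the article's recommendation suggests).
HIGH_VALUE_NAMESPACES = {"com.fasterxml.jackson.core", "org.springframework.boot"}

# Constructed pom.xml for demonstration; the second dependency mirrors the
# com -> org swap described in the article.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>
      <groupId>org.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>"""

def namespace_key(group_id: str) -> str:
    """Strip the leading TLD-style segment so com.x.y and org.x.y compare equal."""
    head, _, rest = group_id.partition(".")
    return rest or head

def find_prefix_swaps(pom_xml: str, trusted: set) -> list:
    """Return (suspicious_groupId, trusted_groupId, artifactId) for each dependency
    whose groupId equals a trusted namespace except for its first segment."""
    by_key = {namespace_key(ns): ns for ns in trusted}
    root = ET.fromstring(pom_xml)
    # POM files normally carry the Maven XML namespace; reuse whatever the root has.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    hits = []
    for dep in root.iter(ns + "dependency"):
        gid = dep.findtext(ns + "groupId", default="").strip()
        aid = dep.findtext(ns + "artifactId", default="").strip()
        if not gid or gid in trusted:
            continue  # exact matches against the allow-list are legitimate
        legit = by_key.get(namespace_key(gid))
        if legit is not None:
            hits.append((gid, legit, aid))
    return hits

if __name__ == "__main__":
    for gid, legit, aid in find_prefix_swaps(SAMPLE_POM, HIGH_VALUE_NAMESPACES):
        print(f"suspicious dependency {gid}:{aid} (looks like {legit})")
```

The same check can run in CI against every pom.xml in a repository before the build resolves dependencies, so a swapped prefix is caught before the JAR is ever downloaded.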
