Security researchers have identified what appears to be the first instance of a newly modified Shai Hulud malware strain uploaded to the npm registry approximately 30 minutes ago, disguised within the package @vietmoney/react-big-calendar.
The discovery suggests threat actors are testing updated payloads before launching widespread attacks, with significant code modifications indicating access to the original malware source code rather than copycat activity.
The timing of this detection is critical. Unlike previous Shai Hulud campaigns that achieved significant spread before detection, this variant shows no signs of central infections or distribution, strongly suggesting researchers caught the attackers during their testing phase.
Analysis of the obfuscated code reveals the malware was regenerated from the source code rather than modified in place, pointing to sophisticated threat actors with access to the worm’s foundational codebase.
Critical Code Changes
The new strain introduces several notable modifications to its operational structure. The initial infection file has been renamed from its original designation to “bun_installer.js,” while the main payload now operates as “environment_source.js.”
These changes represent a deliberate attempt to evade signature-based detection mechanisms that may have catalogued previous versions.
However, the threat actors made a critical programming error in their file naming scheme. The malware attempts to fetch “c0nt3nts.json” from compromised GitHub repositories but mistakenly saves the file as “c9nt3nts.json.”
This typo creates a functional break in the malware’s data exfiltration chain, potentially disrupting its ability to store and retrieve stolen information properly.
When leaking data to GitHub repositories, the new variant now assigns the repository description “Goldox-T3chs: Only Happy Girl,” replacing the previous identifier “Sha1-Hulud: The Second Coming.”

This change enables researchers to track infected repositories more effectively while simultaneously serving as an attribution marker for this particular campaign.
Operational Improvements
The modified strain demonstrates several technical improvements over its predecessor. Enhanced error handling for TruffleHog secret scanning now includes timeout mechanisms, with the code explicitly killing processes that exceed execution time limits.

The leaked data files have been renamed to “3nvir0nm3nt.json,” “cl0vd.json,” “c9nt3nts.json,” “pigS3cr3ts.json,” and “actionsSecrets.json,” likely designed to evade detection systems looking for previous file naming patterns.
Notably, the dead man’s switch mechanism present in earlier versions has been removed entirely, representing a significant operational shift that reduces the malware’s ability to trigger failsafe actions if detected.
The worm now includes platform-specific package publishing logic. Earlier versions failed to execute Bun commands on Windows systems; the new version adds conditional logic that calls “bun.exe” on Windows platforms to address that limitation.
A subtle but important modification appears in the order of secret collection operations. The new version saves the “contents” file last rather than first, suggesting intentional changes to the data gathering sequence that may improve operational security or exfiltration efficiency.
Organizations using npm packages should immediately audit their dependencies for the @vietmoney/react-big-calendar package and implement enhanced monitoring for the GitHub repository descriptions and file naming patterns associated with this campaign.
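As an added example (not part of the article, and not code from the researchers or any project it mentions), the following Node.js script turns the indicators reported above into a local audit: it checks a parsed package-lock.json for the package name, matches a file listing against the renamed loader, payload and data-file names, and flags the two GitHub repository descriptions used as exfiltration markers. The function names and the sample lockfile and file listing are this example’s own constructions; only the indicator strings come from the report.

```javascript
// Added example, not from the article: a defender-side audit helper built from
// the indicators the report describes. The function names and the sample
// inputs below are constructed for illustration.

// Package name reported as carrying the modified strain.
const SUSPECT_PACKAGES = new Set(["@vietmoney/react-big-calendar"]);

// File names the report attributes to this variant: the renamed loader and
// payload, plus the exfiltration data files. Both spellings of the "contents"
// file are included because the variant fetches one name and saves the other.
const SUSPECT_FILENAMES = new Set([
  "bun_installer.js",
  "environment_source.js",
  "3nvir0nm3nt.json",
  "cl0vd.json",
  "c0nt3nts.json",
  "c9nt3nts.json",
  "pigS3cr3ts.json",
  "actionsSecrets.json",
]);

// Repository descriptions used as exfiltration markers, current and previous.
const SUSPECT_REPO_DESCRIPTIONS = [
  "Goldox-T3chs: Only Happy Girl",
  "Sha1-Hulud: The Second Coming",
];

// Walk a parsed package-lock.json (lockfileVersion 2/3 "packages" map) and
// return the node_modules entries whose package name is on the suspect list.
function findSuspectPackages(lockfile) {
  const hits = [];
  for (const [pkgPath, entry] of Object.entries(lockfile.packages || {})) {
    if (pkgPath === "") continue; // root project entry, not a dependency
    // Newer lockfiles may carry an explicit name; otherwise derive it from the
    // path segment after the last "node_modules/" (handles scoped and nested).
    let name = entry.name;
    if (!name) {
      const marker = "node_modules/";
      const idx = pkgPath.lastIndexOf(marker);
      name = idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
    }
    if (SUSPECT_PACKAGES.has(name)) {
      hits.push({ path: pkgPath, version: entry.version });
    }
  }
  return hits;
}

// Return the entries of a file listing whose basename matches a known name.
function findSuspectFiles(filePaths) {
  return filePaths.filter((p) => SUSPECT_FILENAMES.has(p.split("/").pop()));
}

// True when a GitHub repository description exactly matches a known marker.
function isSuspectRepoDescription(description) {
  const d = (description || "").trim();
  return SUSPECT_REPO_DESCRIPTIONS.includes(d);
}

// Constructed sample lockfile fragment (not real data).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/@vietmoney/react-big-calendar": { version: "0.0.0-sample" },
  },
};

// Constructed sample file listing, as produced by walking node_modules and a
// cloned repository (not real data).
const SAMPLE_FILES = [
  "node_modules/react/index.js",
  "node_modules/@vietmoney/react-big-calendar/bun_installer.js",
  "node_modules/@vietmoney/react-big-calendar/environment_source.js",
  "repo/c9nt3nts.json",
  "repo/README.md",
];

// Run all three checks over the sample data and return the findings.
function runAudit() {
  return {
    packages: findSuspectPackages(SAMPLE_LOCKFILE),
    files: findSuspectFiles(SAMPLE_FILES),
    repoFlagged: isSuspectRepoDescription("Goldox-T3chs: Only Happy Girl"),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

In practice, replace SAMPLE_LOCKFILE with the parsed contents of the project’s own package-lock.json and SAMPLE_FILES with a recursive listing of node_modules and any CI checkout; the repository-description check can be run over the output of an organisation-wide repository inventory. A basename match on these file names is a cheap first pass, not proof of compromise, so any hit should be confirmed by inspecting the file contents.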