A new strain of the Shai Hulud npm worm has been detected in the package @vietmoney/react-big-calendar. Key changes in this variant include renamed payload files (bun_installer.js, environment_source.js), a new GitHub repository description used for data exfiltration ("Goldox-T3chs: Only Happy Girl"), renamed leaked file targets with leet-speak obfuscation, removal of the dead man switch, improved TruffleHog timeout error handling, Windows compatibility fixes for bun package publishing, and a changed ordering of secret collection. Notably, the attacker introduced a bug where the file fetch name (c0nt3nts.json) doesn't match the save name (c9nt3nts.json). The limited spread suggests this may be an early test of the new payload.
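A defender can check a project tree for the payload file names and package name listed above; the following is an added example, not code from the original write-up or from the worm. The function names, the heuristic of flagging any npm script that mentions a payload file, and the sample tree (including its `preinstall` entry) are assumptions constructed for illustration.

```python
import json
import os

# Indicators quoted in the write-up above.
PAYLOAD_FILES = {"bun_installer.js", "environment_source.js"}
AFFECTED_PACKAGE = "@vietmoney/react-big-calendar"

def check_manifest(path):
    """Flag a package.json that is the named package or whose scripts name a payload file."""
    try:
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        name, scripts = manifest.get("name"), manifest.get("scripts")
    except (OSError, ValueError, AttributeError):
        return []  # unreadable or malformed manifest: nothing to report
    hits = [("affected-package", path)] if name == AFFECTED_PACKAGE else []
    # Assumption (not from the write-up): a script that names a payload file deserves review.
    for hook, cmd in (scripts.items() if isinstance(scripts, dict) else []):
        if any(p in str(cmd) for p in PAYLOAD_FILES):
            hits.append(("script:" + hook, path))
    return hits

def scan_tree(root):
    """Walk root (e.g. a project's node_modules) and return sorted (kind, path) findings."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname in PAYLOAD_FILES:
                hits.append(("payload-file", path))
            elif fname == "package.json":
                hits.extend(check_manifest(path))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree: one clean package, one carrying the indicators."""
    def put(d, fname, text):
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
            fh.write(text)
    mods = os.path.join(root, "node_modules")
    bad = os.path.join(mods, "@vietmoney", "react-big-calendar")
    put(os.path.join(mods, "left-pad"), "package.json", json.dumps({"name": "left-pad"}))
    put(bad, "package.json", json.dumps(
        {"name": AFFECTED_PACKAGE, "scripts": {"preinstall": "node bun_installer.js"}}))
    put(bad, "bun_installer.js", "// constructed placeholder, no payload\n")

if __name__ == "__main__":
    import sys
    print(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A file-name match is only a lead for review, since a renamed payload would not be caught by this check.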