The Latest Shai-Hulud Malware is Faster and More Dangerous
A new variant of the Shai-Hulud malware is spreading rapidly through npm repositories, creating over 27,000 malicious GitHub repositories and compromising at least 700 packages, including popular ones from Zapier, ENS Domains, and PostHog. The malware generates approximately 1,000 new repositories every 30 minutes, stealing developer credentials, API tokens, SSH keys, and cloud access keys through obfuscated preinstall scripts. This iteration is more sophisticated than its September predecessor, using random repository names, Bun-based payloads to evade detection, and even attempting to wipe user directories if exfiltration fails. The attack targets developers, CI/CD systems, and any workflow consuming npm packages, with the malware designed to confuse AI-powered security tools through its size and structure.
Table of contents
A ‘Significant Supply Chain Incident’
New Capabilities
From Infiltration to Exfiltration
The Attack’s Reach is Long
Dodging AI
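The summary above says the malware runs from preinstall scripts and uses Bun-based payloads. As an added example (not code from the article or any vendor), the following audit lists every install-time lifecycle script under a dependency tree and marks those whose command mentions Bun; the Bun match is a review heuristic assumed here, and the package names and commands in the sample tree are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")  # npm scripts run at install time
BUN_RE = re.compile(r"\bbun\b", re.IGNORECASE)    # heuristic (assumption), not a signature

def audit_install_hooks(root):
    """List every install-time lifecycle script declared under root."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if not isinstance(scripts, dict):
            continue
        for hook in HOOKS:
            command = scripts.get(hook)
            if isinstance(command, str):
                findings.append({
                    "package": data.get("name", manifest.parent.name),
                    "hook": hook,
                    "command": command,
                    "mentions_bun": bool(BUN_RE.search(command)),
                })
    return findings

def demo():
    """Audit a constructed node_modules tree; package names are made up."""
    samples = {
        "benign-lib": {"scripts": {"test": "node test.js"}},
        "native-addon": {"scripts": {"install": "node-gyp rebuild"}},
        "suspect-pkg": {"scripts": {"preinstall": "bun run hook.js"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, manifest in samples.items():
            pkg_dir = Path(tmp) / "node_modules" / name
            pkg_dir.mkdir(parents=True)
            manifest["name"] = name
            (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_install_hooks(tmp)

if __name__ == "__main__":
    for f in demo():
        flag = "REVIEW (bun)" if f["mentions_bun"] else "review"
        print(f'{flag:13} {f["package"]}: {f["hook"]} -> {f["command"]}')
```

Installing with `npm ci --ignore-scripts` keeps these hooks from running at all, which makes it safe to run the audit against a freshly populated `node_modules` in CI.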