First Shai-Hulud Worm Clones Emerge

Shai-Hulud malware clone spreads via NPM, targeting developers in a new wave of open source supply chain attacks.

By Content Team

May 18, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Cybercriminals have already cloned the Shai-Hulud malware just days after TeamPCP released its source code on GitHub. The original worm first hit the open source ecosystem in September 2025, stealing credentials and API keys from developers to spread through NPM packages.

Ox Security discovered four malicious NPM packages, including 'chalk-tempalte' - a direct clone of Shai-Hulud. The packages have been downloaded over 2,600 times weekly, targeting Axios users through typo-squatting attacks. One package even enslaves infected machines into a DDoS botnet.

Security researchers warn this marks the beginning of a major wave of supply chain attacks targeting the open source community.

Source: Security Week

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Frustrated Researcher Leaks Windows Zero-Day Exploit After Microsoft Response Issues

Apr 10, 2026

Hackers Selling $220,000 Windows Zero-Day Exploit on Dark Web

Mar 9, 2026

Instructure Breach Exposes Schools' Vendor Dependence

May 7, 2026

Foster City Hit by Ransomware Attack, Plans Emergency Declaration

Mar 21, 2026