SlowMist: Project teams should be wary of the latest variant of NPM supply chain attacks, Shai-Hulud 3.
TL;DR
SlowMist warns of a new NPM supply chain attack variant, Shai-Hulud 3, discovered on December 28, 2025. It targets developer credentials and secrets, with limited spread currently.
ChainCatcher reports that 23pds, Chief Information Security Officer of SlowMist Technology, issued a security alert that a new variant of the NPM supply chain attack, "Shai-Hulud 3," has struck again. Projects and platforms are urged to take precautions. Previously, it was suspected that the Trust Wallet API key leak may have been caused by the Shai-Hulud 2 attack.
Shai-Hulud is a series of self-propagating worm-like supply chain attacks targeting the NPM ecosystem to steal developer credentials, cloud keys, and environment secrets. The latest variant (known in the community as Shai-Hulud 3 or the new strain) was discovered by Aikido Security researcher Charlie Eriksen on December 28, 2025. Currently, its spread is limited and it may only be in the testing phase.