Shai Hulud’s Return: npm’s Wormy Drama Continues!

Cybersecurity researchers have unveiled a new strain of Shai Hulud on the npm registry, suggesting attackers might be testing their payload. The npm package “@vietmoney/react-big-calendar” has been involved. With names like pigS3cr3ts.json, the creativity is matched only by the hackers’ audacity.

3P
Published: December 31, 2025 1:51 pmAdded: December 31, 2025 at 6:24 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Well folks, it seems like even in the world of cybercrime, sequels are all the rage! Shai Hulud is back, and just like the movie industry, it’s got a few new plot twists but the same old mission: stealing your secrets and causing mayhem. Meanwhile, fake Jackson JSON is causing developers to have trust issues with their libraries. Who knew Java could be so dramatic?

Key Points:

  • New strain of Shai Hulud discovered in npm package “@vietmoney/react-big-calendar.”
  • Despite a flashy name change, the malicious intent remains: exfiltrating sensitive data.
  • Goldox-T3chs is the latest cryptic code name in this cyber soap opera.
  • Fake Jackson JSON package on Maven Central delivers a malware payload.
  • Developers advised to double-check their dependencies, because trust issues just got technical.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?