Tag: worm
-
Sha1-Hulud Attack Hits 800+ npm Packages and Thousands of GitHub Repos
Shai-Huluda, a self-replicating npm worm named after the sandworms in Dune, had struck again. This time, the attack was devastating in scale and sophistication, compromising over 800 npm packages with a combined 132 million monthly downloads across the ecosystem. The timing proved particularly strategic. The attack occurred just weeks before npm’s December 9 deadline to…
-
New Shai-Hulud Worm Spells Trouble For npm Users
Tags: wormA new version of the Shai-Hulud worm has infected hundreds of npm packages and caused disruption to global CI/CD workflows First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/new-shaihulud-worm-trouble-npm/
-
Shai-Hulud worm returns stronger and more automated than ever before
Self-replicating malware has infected almost 500 open-source packages, exposing more than 26,000 GitHub repositories in less than 24 hours. First seen on cyberscoop.com Jump to article: cyberscoop.com/supply-chain-attack-shai-hulud-npm/
-
Shai-Hulud worm returns stronger and more automated than ever before
Self-replicating malware has infected almost 500 open-source packages, exposing more than 26,000 GitHub repositories in less than 24 hours. First seen on cyberscoop.com Jump to article: cyberscoop.com/supply-chain-attack-shai-hulud-npm/
-
Infamous Shai-hulud Worm Resurfaces From the Depths
This campaign introduces a new variant that executes malicious code during preinstall, significantly increasing potential exposure in build and runtime environments, researchers said. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/infamous-shai-hulud-worm-resurfaces-from-depths
-
Shai Hulud npm Worm Impacts 26,000+ Repos in Supply Chain Attack
The Shai Hulud worm’s “Second Coming” has compromised over 26,000 public repositories. We detail the attacker’s mistake, the target packages, and mandatory security tips. First seen on hackread.com Jump to article: hackread.com/shai-hulud-npm-worm-supply-chain-attack/
-
Shai Hulud npm Worm Infects 19,000 Packages in Major Supply Chain Attack
The Shai Hulud worm’s “Second Coming” has compromised over 19,000 public repositories. We detail the attacker’s mistake, the target packages, and mandatory security tips. First seen on hackread.com Jump to article: hackread.com/shai-hulud-npm-worm-supply-chain-attack/
-
Shai-Hulud worm returns, belches secrets to 25K GitHub repos
Trojanized npm packages spread new variant that executes in pre-install phase, hitting thousands within days First seen on theregister.com Jump to article: www.theregister.com/2025/11/24/shai_hulud_npm_worm/
-
WhatsApp ‘Eternidade’ Trojan Self-Propagates Through Brazil
The infostealer specifically targets Brazilian Portuguese speakers and combines malware designed to phish banking credentials and steal data, a worm, and some uniquely Brazilian quirks. First seen on darkreading.com Jump to article: www.darkreading.com/threat-intelligence/whatsapp-eternidade-trojan-self-propagates-brazil
-
IndonesianFoods worm: a massive spam campaign in the npm ecosystem
First seen on scworld.com Jump to article: www.scworld.com/brief/indonesianfoods-worm-uncovering-a-massive-spam-campaign-in-the-npm-ecosystem
-
Spam flooding npm registry with token stealers still isn’t under control
Tags: access, antivirus, attack, authentication, blockchain, breach, control, credentials, crypto, detection, edr, exploit, finance, firewall, governance, identity, login, malicious, malware, mfa, monitoring, network, open-source, pypi, risk, software, spam, supply-chain, threat, tool, wormCSO that number has now grown to 153,000.And while this payload merely steals tokens, other threat actors are paying attention, said Sonatype CTO Brian Fox.When Sonatype wrote about the campaign just over a year ago, it found a mere 15,000 packages that appeared to come from a single person.With the swollen numbers reported this week,…
-
Worm flooding npm registry with token stealers still isn’t under control
Tags: access, antivirus, attack, authentication, blockchain, breach, control, credentials, crypto, detection, edr, exploit, finance, firewall, governance, identity, login, malicious, malware, mfa, monitoring, network, open-source, pypi, risk, software, supply-chain, threat, tool, wormCSO that number has now grown to 153,000.”It’s unfortunate that the worm isn’t under control yet,” said Sonatype CTO Brian Fox.And while this payload merely steals tokens, other threat actors are paying attention, he predicted.”I’m sure somebody out there in the world is looking at this massively replicating worm and wondering if they can ride…
-
New ‘IndonesianFoods’ worm floods npm with 100,000 packages
A self-spreading package published on npm spams the registry by spawning new packages every every seven seconds, creating large volumes of junk. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-floods-npm-with-100-000-packages/
-
“IndonesianFoods” npm Worm Publishes 44,000 Malicious Packages
A new npm worm dubbed “IndonesianFoods” has doubled the number of known malicious packages First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/indonesianfoods-npm-worm-44000/
-
Hackers Infiltrate npm Registry with 43,000 Spam Packages, Linger for Nearly Two Years
Security researcher Paul McCarty has uncovered a massive coordinated spam campaign targeting the npm ecosystem. The IndonesianFoods worm, comprising over 43,000 malicious packages published across at least 11 user accounts, remained active in the registry for nearly two years before detection. The campaign derives its distinctive name from its unique package naming scheme. The embedded…
-
Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack
Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.”The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two…
-
Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack
Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.”The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two…
-
How GlassWorm wormed its way back into developers’ code, and what it says about open source security
Tags: access, ai, attack, blockchain, ciso, control, credentials, crypto, cybersecurity, data, data-breach, endpoint, exploit, framework, github, google, infrastructure, law, malicious, malware, marketplace, monitoring, open-source, resilience, service, software, supply-chain, threat, tool, update, wormadhamu.history-in-sublime-merge (downloaded 4,000 times)ai-driven-dev.ai-driven-dev (downloaded 3,300 times)yasuyuky.transient-emacs (downloaded 2,400 times)All three GlassWorm extensions are “still literally invisible” in code editors, the researchers note. They are encoded in unprintable Unicode characters that look like blank space to the human eye, but execute as JavaScript.The attackers have posted new transactions to the Solana blockchain that outline updated…
-
How GlassWorm wormed its way back into developers’ code, and what it says about open source security
Tags: access, ai, attack, blockchain, ciso, control, credentials, crypto, cybersecurity, data, data-breach, endpoint, exploit, framework, github, google, infrastructure, law, malicious, malware, marketplace, monitoring, open-source, resilience, service, software, supply-chain, threat, tool, update, wormadhamu.history-in-sublime-merge (downloaded 4,000 times)ai-driven-dev.ai-driven-dev (downloaded 3,300 times)yasuyuky.transient-emacs (downloaded 2,400 times)All three GlassWorm extensions are “still literally invisible” in code editors, the researchers note. They are encoded in unprintable Unicode characters that look like blank space to the human eye, but execute as JavaScript.The attackers have posted new transactions to the Solana blockchain that outline updated…
-
Data sovereignty proof: How to verify controls like ‘Project Texas’
“Verification regimes work best when they serve everyone’s interests. The reporting company wants a process that does not impose too many burdens or interrupt workflow while allowing it to demonstrate compliance. Oversight bodies want hard data that is difficult to fake and indicates adherence to the regime. Finally, these systems need to be simple enough…
-
Data sovereignty proof: How to verify controls like ‘Project Texas’
“Verification regimes work best when they serve everyone’s interests. The reporting company wants a process that does not impose too many burdens or interrupt workflow while allowing it to demonstrate compliance. Oversight bodies want hard data that is difficult to fake and indicates adherence to the regime. Finally, these systems need to be simple enough…
-
Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack
Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space…
-
Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack
Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space…
-
Self-propagating worm found in marketplaces for Visual Studio Code extensions
Tags: access, application-security, attack, backdoor, backup, best-practice, blockchain, breach, ciso, control, credentials, crime, crypto, cyber, data, data-breach, endpoint, framework, github, gitlab, google, government, identity, incident response, infrastructure, intelligence, least-privilege, login, malicious, malware, marketplace, network, open-source, resilience, risk, sans, security-incident, software, supply-chain, threat, tool, update, wormMarketplaces targeted: The Koi Security report is the latest in a series of warnings that threat actors are increasingly targeting VS Code marketplaces in supply chain attacks. Last week, Koi Security exposed a threat actor dubbed TigerJack spreading malicious extensions. And researchers at Wiz just published research showing the widespread abuse of the OpenVSX and…
-
New GlassWorm Threat Uses Stealthy Code to Target OpenVSX Extensions
GlassWorm is the world’s first self-propagating worm targeting VS Code extensions in the OpenVSX marketplace, unleashing invisible malicious payloads and decentralized command infrastructure that make it nearly impossible to detect or dismantle. First identified on October 17, 2025, GlassWorm hijacks developer machines via invisible Unicode code, harvests credentials, drains cryptocurrency wallets, and transforms infected systems…