Shai-Hulud 3.0: New Malware Signals Evolving Supply Chain Threats

Du'aine Davis · 2026-01-08T17:03:57+00:00

Observed in the wild * On 29 December, a security researcher discovered a new variant of the Shai-Hulud malware, dubbed “The Golden Path” (v3.0), embedded in the @vietmoney /react-big-calendar npm package (v0.26.2). This appears to be a technical evolution rather than a copycat, with reports limited to a single package,…

Du'aine Davis

Observed in the wild

On 29 December, a security researcher discovered a new variant of the Shai-Hulud malware, dubbed “The Golden Path” (v3.0), embedded in the @vietmoney /react-big-calendar npm package (v0.26.2). This appears to be a technical evolution rather than a copycat, with reports limited to a single package, suggesting a testing phase during the holiday period when response times are slower.
The malware was introduced via npm supply chain compromise, leveraging postinstall scripts and refined obfuscation techniques to bypass detection. The updated logic is more resilient and cross-platform compatible, indicating continued sophistication by threat actors exploiting seasonal operational gaps.
Organisations should enforce npm security best practices, including setting ignore-scripts=true in .npmrc, using session-based authentication and CLI token management, and running npm ci or pnpm with --ignore-scripts. Microsoft Defender users should monitor for unexpected script execution during package installation and apply behavioural detection for anomalous CLI activity.chains.

Shai Hulud strikes again - The golden path

The Holiday Whisper: Shai-Hulud 3.0 | Snyk

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

There are no comments yet