Shai Hulud npm Worm Infects 19,000 Packages in Major Supply Chain Attack
hackread.com
The Shai Hulud worm’s “Second Coming” has compromised over 19,000 public repositories. We detail the attacker’s mistake, the target packages, and mandatory security tips.
The Shai Hulud npm worm has re-emerged, launching an aggressive new attack on the software development world. This worm, which Hackread.com first reported in September 2025, returned this Monday, November 24, 2025, striking with dramatically increased intensity. This timing is notable as it occurs just before npm’s December 9 deadline to revoke old classic access tokens.
In September, the Shai Hulud attack compromised about 180 software libraries (repositories). However, security researcher Charlie Eriksen from Aikido Security detected the new wave early this morning (5:10 AM CET), seeing infected code projects skyrocket to over 19,000 in just a few hours. This represents a hundred-fold increase over the previous campaign.
Compromised Tools and Faster Attacks
The attack began with packages like ...
Copyright of this story solely belongs to hackread.com.

