CERT-In warns startups and IT firms about ‘Shai-Hulud,’ a Dune-inspired new malware

CERT-In is warning against a new malware called Shai Hulud that is targeting the node package manager (npm) ecosystem, bringing a huge risk for startups.

By Ishita Ganguly

India’s cybersecurity nodal agency, the Indian Computer Emergency Response Team (CERT-In), has flagged a new malware called Shai Hulud that is targeting the node package manager (npm) ecosystem—the world’s largest collection of open-source software building blocks used by developers to create apps, websites, and digital services.

What is Shai-Hulud?

Unlike the giant sandworms of Frank Herbert's sci-fi series Dune, from which it takes its name, this malware worm poses a great risk for startups, IT companies and others.

Attackers have injected this worm-like malware into npm packages, allowing it to spread automatically across projects.

According to CERT-In, it began with phishing emails spoofing npm and tricking developers into revealing their login details.

It warns that once inside, the attackers deploy malware that harvests sensitive credentials and pushes malicious versions of packages back into the npm registry.

As stated by CERT-In, the malware has already compromised more than 500 npm packages and is spreading across developer networks.

"This attack has the potential to impact start-ups, IT/ITES companies, fintech platforms and e-Governance applications that rely on npm-based software resulting in exposure of credentials, unauthorised code execution and further supply chain compromise," CERT-In warned.

How can users protect their projects from Shai-Hulud?

CERT-In advises that anyone building with npm, especially startups, fintechs, or e-Governance teams, should keep an eye out for credential theft and unauthorised code running in their projects.

As reported by MoneyControl, CERT-In has called for immediate action from developer teams and organisations:

  • Audit dependencies: Review all software relying on npm, checking package-lock.json or yarn.lock files for affected packages.

  • Rotate credentials: Change all developer credentials, including npm, GitHub and cloud service keys.

  • Mandate phishing-resistant MFA: Enforce hardware token–based or other phishing-resistant MFA across GitHub and npm accounts.

  • Harden GitHub security: Remove unnecessary GitHub Apps, OAuth tokens, and webhooks; enable branch protection and secret scanning.

  • Block malicious activity: Monitor firewalls for suspicious domains and block outbound connections to webhook.site.

  • Look for compromise signs: Check organisational GitHub accounts for suspicious commits, references to “Shai-Hulud,” or unauthorised workflows.
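For the "Audit dependencies" step, the following added example (not from CERT-In or the original article) shows one way to check a package-lock.json against a list of affected package versions. The package names and versions in `AFFECTED` and the sample lockfile are constructed placeholders, the function names are hypothetical, and yarn.lock is not covered.

```javascript
// Added example: flag lockfile entries that match an advisory's affected list.
// AFFECTED is a constructed placeholder; fill it from the advisory you rely on.
const AFFECTED = new Map([
  ['example-affected-pkg', ['1.2.3', '1.2.4']],
  ['@example-scope/affected-lib', ['0.9.1']],
]);

// lockfileVersion 2/3: flat "packages" map whose keys are install paths.
function fromPackages(packages) {
  const out = [];
  for (const [path, meta] of Object.entries(packages)) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue; // root project or workspace entry, not a dependency
    const name = meta.name || path.slice(i + 'node_modules/'.length);
    out.push({ name, version: meta.version, path });
  }
  return out;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencies(deps, prefix = '') {
  const out = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}${name}`;
    out.push({ name, version: meta.version, path });
    out.push(...fromDependencies(meta.dependencies, `${path} > `));
  }
  return out;
}

// Return every installed entry whose name and exact version are on the list,
// including transitive dependencies that package.json never mentions.
function auditLockfile(lockText, affected = AFFECTED) {
  const lock = JSON.parse(lockText);
  const entries = lock.packages
    ? fromPackages(lock.packages)
    : fromDependencies(lock.dependencies);
  return entries.filter((e) => (affected.get(e.name) || []).includes(e.version));
}

// Constructed sample lockfile (lockfileVersion 3), not from a real project.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-affected-pkg': { version: '1.2.3' },
    'node_modules/left/node_modules/@example-scope/affected-lib': { version: '0.9.1' },
    'node_modules/example-affected-pkg-safe': { version: '1.2.3' },
  },
});
console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the contents of its lockfile, for example `auditLockfile(fs.readFileSync('package-lock.json', 'utf8'))`, and treat any hit as a reason to rotate credentials as described above.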
