ChainCatcher reports that 23pds, Chief Information Security Officer of SlowMist Technology, has issued a security alert warning that "Shai-Hulud 3," a new variant of the NPM supply chain attack, has struck again. Projects and platforms are urged to take precautions. Previously, it was suspected that the Trust Wallet API key leak may have been caused by the Shai-Hulud 2 attack.
Shai-Hulud is a series of self-propagating, worm-like supply chain attacks that target the NPM ecosystem to steal developer credentials, cloud keys, and environment secrets. The latest variant (known in the community as Shai-Hulud 3 or the new strain) was discovered by Aikido Security researcher Charlie Eriksen on December 28, 2025. Its spread is currently limited, and it may only be in the testing phase.


