Cybersecurity Firm Warns of Shai-Hulud 3.0 Threatening the NPM Ecosystem

By: crypto insight|2025/12/29 15:00:24

Key Takeaways

SlowMist’s CISO has issued a warning about Shai-Hulud 3.0, a significant threat targeting the NPM ecosystem designed to steal cloud keys and credentials.
Shai-Hulud malware has evolved through several versions, each more sophisticated, with the latest including self-healing capabilities.
The attack strategy of this worm involves automated processes that exploit developer accounts, inserting malicious code into widely used NPM packages.
The recent threat emphasizes the importance of robust cybersecurity measures, especially in software supply chains, to defend against such attacks.

WEEX Crypto News, 29 December 2025

Shai-Hulud 3.0: A New Wave of Supply Chain Attacks

The NPM ecosystem, popular among developers for managing JavaScript packages, stands on alert as a new variant of the Shai-Hulud worm has emerged. Known for its pernicious capability to infiltrate software supply chains, this latest variant, Shai-Hulud 3.0, represents a formidable threat aimed at compromising security infrastructure through advanced tactics.

Evolution of Shai-Hulud: From Silent Theft to Advanced Automation

The Shai-Hulud worm first appeared in the cybersecurity landscape as a stealthy threat, adept at credential theft. As its versions progressed, Shai-Hulud 2.0 introduced functionalities such as self-healing and destructive capabilities that could erase entire directories in compromised systems. Now, Shai-Hulud 3.0 emerges with augmented tactics, exploiting the same developer environments but with a broader and more automated reach.

This newest iteration does more than simply infiltrate; it strategically deploys itself within user environments to steal critical cloud-based credentials and API keys. These actions turn infected platforms into launch pads for further attacks, escalating its capacity to disrupt and damage.

The Mechanics of the Attack

The intricacy of Shai-Hulud’s design lies in its ability to propagate automatically and indiscriminately across repositories. Unlike initial forms of package infiltration that required the manual addition of harmful code, version 3.0 uses compromised developer credentials to automate the infection process. This method not only plants malicious packages but also allows the worm to hide within legitimate lines of code, making detection and neutralization particularly challenging.

Among the documented attacks is a phishing campaign targeting NPM package maintainers, serving as an entry point for Shai-Hulud 3.0 to introduce its payloads. Such phishing scams often masquerade as security alerts from trusted sources like NPM itself, tricking developers into willingly revealing sensitive credentials.

The Implications for Developers and Organizations

For organizations and developers, the implications of Shai-Hulud 3.0 are profound. The worm’s capacity to compromise entire build systems underscores the vulnerabilities inherent in development ecosystems. It’s a stark reminder of the necessity for rigorous supply chain security practices. More than ever, developer teams must remain vigilant, employing robust security measures such as software composition analysis (SCA) and constant monitoring of package integrity.

Furthermore, the Shai-Hulud saga is a clarion call for improved cybersecurity education and preparedness among developers, who are often the first line of defense against such threats.

Steps Forward: Enhancing Security Posture

To counteract such advanced threats, industry experts advocate for a multipronged approach:

Enhanced Vigilance: Continual monitoring of NPM packages and immediate action upon detection of suspicious activities.
Security Training: Regular training and awareness programs for developers to recognize and respond to phishing attempts.
Automated Security Tools: Implementation of proactive security tools that can automate the scanning of code for vulnerabilities and malicious patterns.
Incident Response Planning: Establishing robust incident response strategies that allow organizations to react promptly to breaches, minimizing damage.
Collaboration and Information Sharing: Heightening collaboration across the development community to share threat intelligence and mitigation strategies.

The WEEX Advantage

In light of these developments, platforms like WEEX offer valuable tools to safeguard against such threats. By providing advanced security features and seamless integration capabilities, WEEX ensures that developers and organizations can maintain a high level of defense against supply chain vulnerabilities. For those interested in enhancing their security posture, consider joining the WEEX community [here](https://www.weex.com/register?vipCode=vrmi).

FAQs

What is Shai-Hulud 3.0?

Shai-Hulud 3.0 is the latest version of a sophisticated malware worm designed to target supply chain systems within the NPM ecosystem, specifically aiming to steal cloud credentials and integrate malicious elements into legitimate packages.

How does Shai-Hulud 3.0 differ from previous versions?

Version 3.0 builds on previous iterations by automating the infection process across developer environments, making it harder to detect and more powerful in its potential to disrupt.

How can developers protect their projects against such threats?

Developers can protect their projects by implementing stringent security protocols, utilizing automated scanning tools, educating themselves on phishing tactics, and performing frequent checks of their codebase for integrity.

Why is the NPM ecosystem a frequent target for such attacks?

The NPM ecosystem is a target due to its widespread usage and central role in modern web development applications, which makes it a lucrative and impactful entry point for attackers.

What measures has WEEX taken to ensure security against such threats?

WEEX incorporates advanced security protocols and integration features, ensuring robust protection against a spectrum of supply chain threats, thus enabling developers to safeguard their applications proactively.

-- Price

On March 16, 2026, in Dallas, Texas, USA, CanGu Company (New York Stock Exchange code: CANG, hereinafter referred to as "CanGu" or the "Company") today announced its unaudited financial performance for the fourth quarter and full year ended December 31, 2025. As a btc-42">bitcoin mining enterprise relying on a globally operated layout and dedicated to building an integrated energy and AI computing power platform, CanGu is actively advancing its business transformation and infrastructure development.

2025 Full Year and Fourth Quarter Financial and Operational Highlights

• Financial Performance:

Total revenue for the full year 2025 was $688.1 million, with $179.5 million in the fourth quarter.

Bitcoin mining business revenue for the full year was $675.5 million, with $172.4 million in the fourth quarter.

Full-year adjusted EBITDA was $24.5 million, while the fourth quarter was -$156.3 million.

• Mining Operations and Costs:

A total of 6,594.6 bitcoins were mined throughout the year, averaging 18.07 bitcoins per day; of which 1,718.3 bitcoins were mined in the fourth quarter, averaging 18.68 bitcoins per day.

The average mining cost for the full year (excluding miner depreciation) was $79,707 per bitcoin, and for the fourth quarter, it was $84,552;

The all-in sustaining costs were $97,272 and $106,251 per bitcoin, respectively.

As of the end of December 2025, the company has cumulatively produced 7,528.4 bitcoins since entering the bitcoin mining business.

• Strategic Progress:

The company has completed the termination of the American Depositary Receipt (ADR) program and transitioned to a direct listing on the NYSE to enhance information transparency and align with its strategic direction, with a long-term goal of expanding its investor base.

CEO Paul Yu stated: "2025 marked the company's first full year as a bitcoin mining enterprise, characterized by rapid execution and structural reshaping. We completed a comprehensive adjustment of our asset system and established a globally distributed mining network. Additionally, the company introduced a new management team, further strengthening our capabilities and competitive advantage in the digital asset and energy infrastructure space. The completion of the NYSE direct listing and USD pricing also signifies our transformation into a global AI infrastructure company."

"As we enter 2026, the company will continue to optimize its balance sheet structure and enhance operational efficiency and cost resilience through adjustments to the miner portfolio. At the same time, we are advancing our strategic transformation into an AI infrastructure provider. Leveraging EcoHash, we will utilize our capabilities in scalable computing power and energy networks to provide cost-effective AI inference solutions. The relevant site transformations and product development are progressing simultaneously, and the company is well-positioned to sustain its execution in the new phase."

The company's Chief Financial Officer, Michael Zhang, stated: "By 2025, the company is expected to achieve significant revenue growth through its scaled mining operations. Despite recording a net loss of $452.8 million from ongoing operations, mainly due to one-time transformation costs and market-driven fair value adjustments, the company, from a financial perspective, will reduce its leverage, optimize its Bitcoin reserve strategy and liquidity management, introduce new capital to strengthen its financial position, and seize investment opportunities in high-potential areas such as AI infrastructure while navigating market volatility."

Fourth Quarter 2025 Ongoing Operations Financial Performance

Revenue

The total revenue for the fourth quarter was $1.795 billion. Of this, the Bitcoin mining business contributed $1.724 billion in revenue, generating 1,718.3 Bitcoins during the quarter. Revenue from the international automobile trading business was $4.8 million.

Operating Costs and Expenses

The total operating costs and expenses for the fourth quarter amounted to $4.56 billion, primarily attributed to expenses related to the Bitcoin mining business, as well as impairment of mining machines and fair value losses on Bitcoin collateral receivables.

This includes:

· Cost of Revenue (excluding depreciation): $1.553 billion

· Cost of Revenue (depreciation): $38.1 million

· Operating Expenses: $9.9 million (including related-party expenses of $1.1 million)

· Mining Machine Impairment Loss: $81.4 million

· Fair Value Loss on Bitcoin Collateral Receivables: $171.4 million

Profit Situation

The operating loss for the fourth quarter was $276.6 million, a significant increase from a loss of $0.7 million in the same period of 2024, primarily due to the downward trend in Bitcoin prices.

The net loss from ongoing operations was $285 million, compared to a net profit of $2.4 million in the same period last year.

The adjusted EBITDA was -$156.3 million, compared to $2.4 million in the same period last year.

Full Year 2025 Ongoing Operations Financial Performance

Revenue

The total revenue for the full year was $6.881 billion. Of this, the revenue from the Bitcoin mining business was $6.755 billion, with a total output of 6,594.6 Bitcoins for the year. Revenue from the international automobile trading business was $9.8 million.

Operating Costs and Expenses

The total annual operating costs and expenses amount to $1.1 billion.

Specifically, they include:

· Revenue Cost (excluding depreciation): $543.3 million

· Revenue Cost (depreciation): $116.6 million

· Operating Expenses: $28.9 million (including related-party expenses of $1.1 million)

· Miner Impairment Loss: $338.3 million

· Bitcoin Collateral Receivable Fair Value Change Loss: $96.5 million

Profitability

The full-year operating loss is $437.1 million. The continuing operations net loss is $452.8 million, while in 2024, there was a net profit of $4.8 million.

The 2025 non-GAAP adjusted net profit is $24.5 million (compared to $5.7 million in 2024). This measure does not include share-based compensation expenses; refer to "Use of Non-GAAP Financial Measures" for details.

Financial Position

As of December 31, 2025, the company's key assets and liabilities are as follows:

· Cash and Cash Equivalents: $41.2 million

· Bitcoin Collateral Receivable (Non-current, related party): $663.0 million

· Miner Net Value: $248.7 million

· Long-Term Debt (related party): $557.6 million

In February 2026, the company sold 4,451 bitcoins and repaid a portion of related-party long-term debt to reduce financial leverage and optimize the asset-liability structure.

Stock Repurchase

As per the stock repurchase plan disclosed on March 13, 2025, as of December 31, 2025, the company had repurchased a total of 890,155 shares of Class A common stock for approximately $1.2 million.

The US AI Startup Is Loving China's Open Source Model

80% of US AI Startups Are Using Chinese Open Source Models

Three Weeks of the US-Iran War: Who's Making Money, Who's Paying the Bill?

Global Losing 10 Million Barrels of Oil Each Day, Russia Earns Over $800 Million in Just Over Two Weeks