TL;DR

A third generation of the Shai-Hulud worm ("Shai-Hulud 3.0" / Snyk's "Holiday Whisper") landed on npm on 2025-12-28 as a single low-profile package — @vietmoney/react-big-calendar@0.26.2 — with much heavier obfuscation and reliability improvements but the same install-time credential-theft + self-propagation goals as v1/v2. Aikido characterized it as attackers testing their payload — and indeed, ~4 months later the same TTPs returned at scale as the TeamPCP Mini Shai-Hulud wave. Low download count; remove the package, but treat this primarily as the test bench that produced the April–May 2026 worm cluster.

What happened

@vietmoney/react-big-calendar had sat dormant on npm since March 2021. On 2025-12-28, the publisher account pushed version 0.26.2 — its first update in nearly five years — carrying a modified Shai-Hulud variant. Per Aikido and Snyk, the changes versus the original Shai-Hulud / Second Coming were primarily:

  • Heavier obfuscation of the install-time payload (string mangling, dynamic require, indirection layers) to evade static-scan engines that caught v1/v2.
  • Reliability improvements on the credential-collection logic and the GitHub-repo creation step that exfiltrates harvested secrets to attacker-controlled public repos.
  • Unchanged core: still relies on install-time execution (npm lifecycle hooks) to scrape env vars, cloud creds, CI/CD secrets, GitHub/npm tokens, and SSH keys, then leak to attacker-owned GitHub repos.

The package had low downloads / no major spread at the time of detection (Aikido: "we may have caught the attackers testing their payload"). The wider context: this Dec 2025 drop is now read as a TeamPCP-attributable rehearsal for the campaigns that followed — the SAP / Mini Shai-Hulud arm, PyTorch Lightning + intercom-client, the Bitwarden CLI "Third Coming", the TanStack / Mini Shai-Hulud wave, the May 19 @antv + Microsoft durabletask wave, and finally the source-leak copycats after TeamPCP open-sourced the worm on 2026-05-12.

Naming note: this variant is referred to as "Shai-Hulud 3.0" (Upwind, OX, Mondoo, Snyk) or "Holiday Whisper" (Snyk). The "3.0" label puts it in the worm-lineage: - v1 = original 2025-09 worm (~200 packages including @ctrl/tinycolor) - v2 = Second Coming 2025-11 (492 packages, 132M monthly downloads) - v3 = this Dec 2025 test-payload drop, then evolved into Mini Shai-Hulud at scale through Q2 2026

Am I affected?

# Did the test package land in your tree?
npm ls @vietmoney/react-big-calendar --all 2>/dev/null

# Grep lockfiles directly (catches transitive)
grep -REn "@vietmoney/react-big-calendar" \
  package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml 2>/dev/null

# The worm marker: was a public Shai-Hulud-style exfil repo created on your GitHub account?
gh api /user/repos --paginate \
  --jq '.[] | select(.name | test("Sha[i1]-Hulud|shaihulud"; "i")) | .full_name' 2>/dev/null

If any hit, treat as full credential compromise: rotate everything reachable from the affected machine, delete the planted GitHub repo, and search GitHub for any other repos containing your secrets.

If you are affected

playbooks/if-you-installed-a-bad-npm-package.mdplaybooks/if-your-github-pat-leaked.mdplaybooks/if-your-npm-token-leaked.mdplaybooks/rotating-cloud-credentials.md

Prevention

prevention/npm-hardening.md — disable install scripts, pin versions → prevention/credential-hygiene.md

Sources