Return of the “Shai-Hulud” Worm

Veracode is aware of and responding to on ongoing spam campaign that appears to be a reemergence of the “Shai-Hulud” worm we recently reported on. This time the malicious file is bun_environment.js. Our team are busy working on identifying and blocking this malware as it emerges. So far several NPM accounts appear to have been compromised e.g. @asyncapi and @posthog to name a few.

Veracode Customers Remain Protected

Veracode customers using Package Firewall are shielded from these threats, with the Package Firewall preventing both server- and browser-targeted malware from reaching the SDLC. Customers can also use Software Composition Analysis (SCA) to detect the usage of these malicious packages.

Veracode’s Supply Chain offerings are designed to protect our customers from these types of attacks with:

Proactive Threat Monitoring: The Veracode Threat Research Team continuously tracks open-source activity. Automated detection and expert analysis quickly identify anomalous publishing behavior, code obfuscation, and indicators of malware.

Immediate Blocking: Once a package is confirmed to be malicious, it is programmatically blocklisted. Veracode Package Firewall prevents vulnerable or compromised packages including those from the chalk, debug, and DuckDB campaigns from being installed in customer environments.

Policy Enforcement: Customers maintain strict controls over allowable packages. Policies enforced by Veracode automatically block introductions of newly compromised packages and prevent execution of malicious scripts.

Expert Guidance: The team continuously issues updates and actionable recommendations to help organizations respond quickly and confidently when new supply chain threats emerge.

NPM Attacks Conclusion: Stay Ahead of Advanced Threats

These recent npm attacks are a wakeup call: supply chain risks are increasing in scale and complexity. Attackers now target not only servers, but also browsers and end users, through high-trust dependencies. Standard reactive security is no longer sufficient.

Veracode empowers you to adopt a proactive, defense-ready stance, protecting your developers, your users, and your business from the next wave of sophisticated supply chain attacks.

Reach out to learn more.

All Known Affected Packages

Here is a list we will update containing the packages known to be affected by this malware as of November 24, 2025 (and it will continue to be updated moving forward):

“@accordproject/concerto-analysis/3.24.1”

“@accordproject/concerto-linter-default-ruleset/3.24.1”

“@accordproject/concerto-linter/3.24.1”

“@accordproject/concerto-metamodel/3.12.5”

“@accordproject/concerto-types/3.24.1”

“@accordproject/markdown-it-cicero/0.16.26”

“@accordproject/template-engine/2.7.2”

“@actbase/css-to-react-native-transform/1.0.3”

“@actbase/native/0.1.32”

“@actbase/node-server/1.1.19”

“@actbase/react-absolute/0.8.3”

“@actbase/react-daum-postcode/1.0.5”

“@actbase/react-kakaosdk/0.9.27”

“@actbase/react-native-actionsheet/1.0.3”

“@actbase/react-native-devtools/0.1.3”

“@actbase/react-native-fast-image/8.5.13”

“@actbase/react-native-kakao-channel/1.0.2”

“@actbase/react-native-kakao-navi/2.0.4”

“@actbase/react-native-less-transformer/1.0.6”

“@actbase/react-native-naver-login/1.0.1”

“@actbase/react-native-simple-video/1.0.13”

“@actbase/react-native-tiktok/1.1.3”

“@alaan/s2s-auth/2.0.3”

“@alexcolls/nuxt-socket.io/0.0.7”

“@alexcolls/nuxt-ux/0.6.1”

“@antstackio/eslint-config-antstack/0.0.3”

“@antstackio/express-graphql-proxy/0.2.8”

“@antstackio/graphql-body-parser/0.1.1”

“@antstackio/json-to-graphql/1.0.3”

“@antstackio/shelbysam/1.1.7”

“@aryanhussain/my-angular-lib/0.0.23”

“@asyncapi/avro-schema-parser/3.0.25”

“@asyncapi/bundler/0.6.6”

“@asyncapi/converter/1.6.4”

“@asyncapi/diff/0.5.2”

“@asyncapi/dotnet-rabbitmq-template/1.0.2”

“@asyncapi/edavisualiser/1.2.2”

“@asyncapi/generator-components/0.3.2”

“@asyncapi/generator-components/0.3.3”

“@asyncapi/generator-helpers/0.2.1”

“@asyncapi/generator-helpers/0.2.2”

“@asyncapi/generator-react-sdk/1.1.4”

“@asyncapi/generator-react-sdk/1.1.5”

“@asyncapi/generator/2.8.5”

“@asyncapi/generator/2.8.6”

“@asyncapi/go-watermill-template/0.2.76”

“@asyncapi/go-watermill-template/0.2.77”

“@asyncapi/html-template/3.3.2”

“@asyncapi/html-template/3.3.3”

“@asyncapi/java-spring-cloud-stream-template/0.13.5”

“@asyncapi/java-spring-cloud-stream-template/0.13.6”

“@asyncapi/java-spring-template/1.6.1”

“@asyncapi/java-spring-template/1.6.2”

“@asyncapi/java-template/0.3.5”

“@asyncapi/java-template/0.3.6”

“@asyncapi/keeper/0.0.2”

“@asyncapi/keeper/0.0.3”

“@asyncapi/markdown-template/1.6.8”

“@asyncapi/markdown-template/1.6.9”

“@asyncapi/modelina-cli/5.10.2”

“@asyncapi/modelina-cli/5.10.3”

“@asyncapi/modelina/5.10.2”

“@asyncapi/modelina/5.10.3”

“@asyncapi/multi-parser/2.2.1”

“@asyncapi/multi-parser/2.2.2”

“@asyncapi/nodejs-template/3.0.5”

“@asyncapi/nodejs-template/3.0.6”

“@asyncapi/nodejs-ws-template/0.10.1”

“@asyncapi/nodejs-ws-template/0.10.2”

“@asyncapi/nunjucks-filters/2.1.1”

“@asyncapi/nunjucks-filters/2.1.2”

“@asyncapi/openapi-schema-parser/3.0.25”

“@asyncapi/optimizer/1.0.5”

“@asyncapi/optimizer/1.0.6”

“@asyncapi/parser/3.4.1”

“@asyncapi/parser/3.4.2”

“@asyncapi/php-template/0.1.1”

“@asyncapi/php-template/0.1.2”

“@asyncapi/problem/1.0.1”

“@asyncapi/problem/1.0.2”

“@asyncapi/protobuf-schema-parser/3.5.2”

“@asyncapi/protobuf-schema-parser/3.5.3”

“@asyncapi/protobuf-schema-parser/3.6.1”

“@asyncapi/python-paho-template/0.2.14”

“@asyncapi/python-paho-template/0.2.15”

“@asyncapi/react-component/2.6.6”

“@asyncapi/react-component/2.6.7”

“@asyncapi/server-api/0.16.24”

“@asyncapi/server-api/0.16.25”

“@asyncapi/specs/6.10.1”

“@asyncapi/specs/6.8.2”

“@asyncapi/specs/6.8.3”

“@asyncapi/specs/6.9.1”

“@asyncapi/studio/1.0.2”

“@asyncapi/studio/1.0.3”

“@asyncapi/web-component/2.6.6”

“@asyncapi/web-component/2.6.7”

“@browserbasehq/mcp-server-browserbase/2.4.2”

“@caretive/caret-cli/0.0.2”

“@clausehq/flows-step-httprequest/0.1.14”

“@clausehq/flows-step-jsontoxml/0.1.14”

“@clausehq/flows-step-mqtt/0.1.14”

“@clausehq/flows-step-sendgridemail/0.1.14”

“@clausehq/flows-step-taskscreateurl/0.1.14”

“@commute/bloom/1.0.3”

“@commute/market-data-chartjs/2.3.1”

“@commute/market-data/1.0.2”

“@dev-blinq/ai-qa-logic/1.0.19”

“@dev-blinq/blinqioclient/1.0.21”

“@dev-blinq/cucumber_client/1.0.738”

“@dev-blinq/cucumber-js/1.0.131”

“@dev-blinq/ui-systems/1.0.93”

“@ensdomains/address-encoder/1.1.5”

“@ensdomains/blacklist/1.0.1”

“@ensdomains/buffer/0.1.2”

“@ensdomains/ccip-read-cf-worker/0.0.4”

“@ensdomains/ccip-read-dns-gateway/0.1.1”

“@ensdomains/ccip-read-router/0.0.7”

“@ensdomains/ccip-read-worker-viem/0.0.4”

“@ensdomains/content-hash/3.0.1”

“@ensdomains/curvearithmetics/1.0.1”

“@ensdomains/cypress-metamask/1.2.1”

“@ensdomains/dnsprovejs/0.5.3”

“@ensdomains/dnssec-oracle-anchors/0.0.2”

“@ensdomains/dnssecoraclejs/0.2.9”

“@ensdomains/durin-middleware/0.0.2”

“@ensdomains/durin/0.1.2”

“@ensdomains/ens-archived-contracts/0.0.3”

“@ensdomains/ens-avatar/1.0.4”

“@ensdomains/ens-contracts/1.6.1”

“@ensdomains/ens-test-env/1.0.2”

“@ensdomains/ens-validation/0.1.1”

“@ensdomains/ensjs-react/0.0.5”

“@ensdomains/ensjs/4.0.3”

“@ensdomains/eth-ens-namehash/2.0.16”

“@ensdomains/hackathon-registrar/1.0.5”

“@ensdomains/hardhat-chai-matchers-viem/0.1.15”

“@ensdomains/hardhat-toolbox-viem-extended/0.0.6”

“@ensdomains/mock/2.1.52”

“@ensdomains/name-wrapper/1.0.1”

“@ensdomains/offchain-resolver-contracts/0.2.2”

“@ensdomains/op-resolver-contracts/0.0.2”

“@ensdomains/react-ens-address/0.0.32”

“@ensdomains/renewal-widget/0.1.10”

“@ensdomains/renewal/0.0.13”

“@ensdomains/reverse-records/1.0.1”

“@ensdomains/server-analytics/0.0.2”

“@ensdomains/solsha1/0.0.4”

“@ensdomains/subdomain-registrar/0.2.4”

“@ensdomains/test-utils/1.3.1”

“@ensdomains/thorin/0.6.51”

“@ensdomains/ui/3.4.6”

“@ensdomains/unicode-confusables/0.1.1”

“@ensdomains/unruggable-gateways/0.0.3”

“@ensdomains/vite-plugin-i18next-loader/4.0.4”

“@ensdomains/web3modal/1.10.2”

“@everreal/react-charts/2.0.1”

“@everreal/react-charts/2.0.2”

“@everreal/validate-esmoduleinterop-imports/1.4.4”

“@everreal/validate-esmoduleinterop-imports/1.4.5”

“@everreal/web-analytics/0.0.1”

“@everreal/web-analytics/0.0.2”

“@faq-component/core/0.0.4”

“@faq-component/react/1.0.1”

“@fishingbooker/browser-sync-plugin/1.0.5”

“@fishingbooker/react-loader/1.0.7”

“@fishingbooker/react-pagination/2.0.6”

“@fishingbooker/react-raty/2.0.1”

“@fishingbooker/react-swiper/0.1.5”

“@hapheus/n8n-nodes-pgp/1.5.1”

“@hover-design/core/0.0.1”

“@hover-design/react/0.2.1”

“@ifelsedeveloper/protocol-contracts-svm-idl/0.1.2”

“@ifings/design-system/4.9.2”

“@ifings/metatron3/0.1.5”

“@kvytech/cli/0.0.7”

“@kvytech/components/0.0.2”

“@kvytech/habbit-e2e-test/0.0.2”

“@kvytech/medusa-plugin-announcement/0.0.8”

“@kvytech/medusa-plugin-management/0.0.5”

“@kvytech/medusa-plugin-newsletter/0.0.5”

“@kvytech/medusa-plugin-product-reviews/0.0.9”

“@kvytech/medusa-plugin-promotion/0.0.2”

“@kvytech/web/0.0.2”

“@lessondesk/api-client/9.12.2”

“@lessondesk/api-client/9.12.3”

“@lessondesk/babel-preset/1.0.1”

“@lessondesk/electron-group-api-client/1.0.3”

“@lessondesk/eslint-config/1.4.2”

“@lessondesk/material-icons/1.0.3”

“@lessondesk/react-table-context/2.0.4”

“@lessondesk/schoolbus/5.2.2”

“@lessondesk/schoolbus/5.2.3”

“@louisle2/core/1.0.1”

“@louisle2/cortex-js/0.1.6”

“@lpdjs/firestore-repo-service/1.0.1”

“@markvivanco/app-version-checker/1.0.1”

“@markvivanco/app-version-checker/1.0.2”

“@mcp-use/cli/2.2.6”

“@mcp-use/cli/2.2.7”

“@mcp-use/inspector/0.6.2”

“@mcp-use/inspector/0.6.3”

“@mcp-use/mcp-use/1.0.1”

“@mcp-use/mcp-use/1.0.2”

“@mparpaillon/connector-parse/1.0.1”

“@mparpaillon/imagesloaded/4.1.2”

“@mparpaillon/page/1.0.1”

“@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode/2.0.5”

“@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode/1.1.1”

“@orbitgtbelgium/orbit-components/1.2.9”

“@orbitgtbelgium/time-slider/1.0.187”

“@osmanekrem/bmad/1.0.6”

“@osmanekrem/error-handler/1.2.2”

“@posthog/agent/1.24.1”

“@posthog/ai/7.1.2”

“@posthog/automatic-cohorts-plugin/0.0.8”

“@posthog/bitbucket-release-tracker/0.0.8”

“@posthog/cli/0.5.15”

“@posthog/clickhouse/1.7.1”

“@posthog/core/1.5.6”

“@posthog/currency-normalization-plugin/0.0.8”

“@posthog/customerio-plugin/0.0.8”

“@posthog/databricks-plugin/0.0.8”

“@posthog/drop-events-on-property-plugin/0.0.8”

“@posthog/event-sequence-timer-plugin/0.0.8”

“@posthog/filter-out-plugin/0.0.8”

“@posthog/first-time-event-tracker/0.0.8”

“@posthog/geoip-plugin/0.0.8”

“@posthog/github-release-tracking-plugin/0.0.8”

“@posthog/gitub-star-sync-plugin/0.0.8”

“@posthog/heartbeat-plugin/0.0.8”

“@posthog/hedgehog-mode/0.0.42”

“@posthog/icons/0.36.1”

“@posthog/ingestion-alert-plugin/0.0.8”

“@posthog/intercom-plugin/0.0.8”

“@posthog/kinesis-plugin/0.0.8”

“@posthog/laudspeaker-plugin/0.0.8”

“@posthog/lemon-ui/0.0.1”

“@posthog/maxmind-plugin/0.1.6”

“@posthog/migrator3000-plugin/0.0.8”

“@posthog/netdata-event-processing/0.0.8”

“@posthog/nextjs-config/1.5.1”

“@posthog/nextjs/0.0.3”

“@posthog/nuxt/1.2.9”

“@posthog/pagerduty-plugin/0.0.8”

“@posthog/piscina/3.2.1”

“@posthog/plugin-contrib/0.0.6”

“@posthog/plugin-server/1.10.8”

“@posthog/plugin-unduplicates/0.0.8”

“@posthog/postgres-plugin/0.0.8”

“@posthog/react-rrweb-player/1.1.4”

“@posthog/rrdom/0.0.31”

“@posthog/rrweb-player/0.0.31”

“@posthog/rrweb-record/0.0.31”

“@posthog/rrweb-replay/0.0.19”

“@posthog/rrweb-snapshot/0.0.31”

“@posthog/rrweb-utils/0.0.31”

“@posthog/rrweb/0.0.31”

“@posthog/sendgrid-plugin/0.0.8”

“@posthog/siphash/1.1.2”

“@posthog/snowflake-export-plugin/0.0.8”

“@posthog/taxonomy-plugin/0.0.8”

“@posthog/twilio-plugin/0.0.8”

“@posthog/twitter-followers-plugin/0.0.8”

“@posthog/url-normalizer-plugin/0.0.8”

“@posthog/variance-plugin/0.0.8”

“@posthog/web-dev-server/1.0.5”

“@posthog/wizard/1.18.1”

“@posthog/zendesk-plugin/0.0.8”

“@postman/aether-icons/2.23.2”

“@postman/aether-icons/2.23.3”

“@postman/aether-icons/2.23.4”

“@postman/csv-parse/4.0.3”

“@postman/csv-parse/4.0.4”

“@postman/csv-parse/4.0.5”

“@postman/final-node-keytar/7.9.1”

“@postman/final-node-keytar/7.9.2”

“@postman/final-node-keytar/7.9.3”

“@postman/mcp-ui-client/5.5.1”

“@postman/mcp-ui-client/5.5.2”

“@postman/mcp-ui-client/5.5.3”

“@postman/node-keytar/7.9.4”

“@postman/node-keytar/7.9.5”

“@postman/node-keytar/7.9.6”

“@postman/pm-bin-linux-x64/1.24.3”

“@postman/pm-bin-linux-x64/1.24.5”

“@postman/pm-bin-macos-arm64/1.24.3”

“@postman/pm-bin-windows-x64/1.24.3”

“@postman/pm-bin-windows-x64/1.24.4”

“@postman/pm-bin-windows-x64/1.24.5”

“@postman/postman-collection-fork/4.3.3”

“@postman/postman-collection-fork/4.3.4”

“@postman/postman-collection-fork/4.3.5”

“@postman/postman-mcp-cli/1.0.3”

“@postman/postman-mcp-cli/1.0.4”

“@postman/postman-mcp-cli/1.0.5”

“@postman/postman-mcp-server/2.4.10”

“@postman/postman-mcp-server/2.4.11”

“@postman/postman-mcp-server/2.4.12”

“@postman/pretty-ms/6.1.1”

“@postman/pretty-ms/6.1.2”

“@postman/pretty-ms/6.1.3”

“@postman/secret-scanner-wasm/2.1.2”

“@postman/secret-scanner-wasm/2.1.3”

“@postman/secret-scanner-wasm/2.1.4”

“@postman/tunnel-agent/0.6.5”

“@postman/tunnel-agent/0.6.6”

“@postman/tunnel-agent/0.6.7”

“@postman/wdio-allure-reporter/0.0.7”

“@postman/wdio-allure-reporter/0.0.8”

“@postman/wdio-allure-reporter/0.0.9”

“@postman/wdio-junit-reporter/0.0.4”

“@postman/wdio-junit-reporter/0.0.5”

“@postman/wdio-junit-reporter/0.0.6”

“@pradhumngautam/common-app/1.0.2”

“@pruthvi21/use-debounce/1.0.3”

“@quick-start-soft/quick-document-translator/1.4.2511142126”

“@quick-start-soft/quick-git-clean-markdown/1.4.2511142126”

“@quick-start-soft/quick-markdown-compose/1.4.2506300029”

“@quick-start-soft/quick-markdown-image/1.4.2511142126”

“@quick-start-soft/quick-markdown-print/1.4.2511142126”

“@quick-start-soft/quick-markdown-translator/1.4.2509202331”

“@quick-start-soft/quick-markdown/1.4.2511142126”

“@quick-start-soft/quick-remove-image-background/1.4.2511142126”

“@quick-start-soft/quick-task-refine/1.4.2511142126”

“@relyt/claude-context-core/0.1.1”

“@relyt/claude-context-mcp/0.1.1”

“@relyt/mcp-server-relytone/0.0.3”

“@seezo/sdr-mcp-server/0.0.5”

“@seung-ju/next/0.0.2”

“@seung-ju/openapi-generator/0.0.4”

“@seung-ju/react-hooks/0.0.2”

“@seung-ju/react-native-action-sheet/0.2.1”

“@sme-ui/aoma-vevasound-metadata-lib/0.1.3”

“@strapbuild/react-native-date-time-picker/2.0.4”

“@strapbuild/react-native-perspective-image-cropper-2/0.4.7”

“@strapbuild/react-native-perspective-image-cropper-poojan31/0.4.6”

“@strapbuild/react-native-perspective-image-cropper/0.4.15”

“@suraj_h/medium-common/1.0.5”

“@thedelta/eslint-config/1.0.2”

“@tiaanduplessis/json/2.0.2”

“@tiaanduplessis/json/2.0.3”

“@tiaanduplessis/react-progressbar/1.0.1”

“@tiaanduplessis/react-progressbar/1.0.2”

“@trefox/sleekshop-js/0.1.6”

“@trigo/atrix-acl/4.0.2”

“@trigo/atrix-elasticsearch/2.0.1”

“@trigo/atrix-mongoose/1.0.2”

“@trigo/atrix-orientdb/1.0.2”

“@trigo/atrix-postgres/1.0.3”

“@trigo/atrix-pubsub/4.0.3”

“@trigo/atrix-redis/1.0.2”

“@trigo/atrix-soap/1.0.2”

“@trigo/atrix-swagger/3.0.1”

“@trigo/atrix/7.0.1”

“@trigo/bool-expressions/4.1.3”

“@trigo/eslint-config-trigo/3.3.1”

“@trigo/fsm/3.4.2”

“@trigo/hapi-auth-signedlink/1.3.1”

“@trigo/jsdt/0.2.1”

“@trigo/keycloak-api/1.3.1”

“@trigo/node-soap/0.5.4”

“@trigo/pathfinder-ui-css/0.1.1”

“@trigo/trigo-hapijs/5.0.1”

“@trpc-rate-limiter/cloudflare/0.1.4”

“@trpc-rate-limiter/hono/0.1.4”

“@varsityvibe/api-client/1.3.36”

“@varsityvibe/api-client/1.3.37”

“@varsityvibe/utils/5.0.6”

“@varsityvibe/validation-schemas/0.6.7”

“@varsityvibe/validation-schemas/0.6.8”

“@voiceflow/alexa-types/2.15.60”

“@voiceflow/alexa-types/2.15.61”

“@voiceflow/anthropic/0.4.4”

“@voiceflow/anthropic/0.4.5”

“@voiceflow/api-sdk/3.28.58”

“@voiceflow/api-sdk/3.28.59”

“@voiceflow/backend-utils/5.0.1”

“@voiceflow/backend-utils/5.0.2”

“@voiceflow/base-types/2.136.2”

“@voiceflow/base-types/2.136.3”

“@voiceflow/body-parser/1.21.2”

“@voiceflow/body-parser/1.21.3”

“@voiceflow/chat-types/2.14.58”

“@voiceflow/chat-types/2.14.59”

“@voiceflow/circleci-config-sdk-orb-import/0.2.1”

“@voiceflow/circleci-config-sdk-orb-import/0.2.2”

“@voiceflow/commitlint-config/2.6.1”

“@voiceflow/commitlint-config/2.6.2”

“@voiceflow/common/8.9.1”

“@voiceflow/common/8.9.2”

“@voiceflow/default-prompt-wrappers/1.7.3”

“@voiceflow/default-prompt-wrappers/1.7.4”

“@voiceflow/dependency-cruiser-config/1.8.11”

“@voiceflow/dependency-cruiser-config/1.8.12”

“@voiceflow/dtos-interact/1.40.1”

“@voiceflow/dtos-interact/1.40.2”

“@voiceflow/encryption/0.3.2”

“@voiceflow/encryption/0.3.3”

“@voiceflow/eslint-config/7.16.4”

“@voiceflow/eslint-config/7.16.5”

“@voiceflow/eslint-plugin/1.6.1”

“@voiceflow/eslint-plugin/1.6.2”

“@voiceflow/exception/1.10.1”

“@voiceflow/exception/1.10.2”

“@voiceflow/fetch/1.11.1”

“@voiceflow/fetch/1.11.2”

“@voiceflow/general-types/3.2.22”

“@voiceflow/general-types/3.2.23”

“@voiceflow/git-branch-check/1.4.3”

“@voiceflow/git-branch-check/1.4.4”

“@voiceflow/google-dfes-types/2.17.12”

“@voiceflow/google-dfes-types/2.17.13”

“@voiceflow/google-types/2.21.12”

“@voiceflow/google-types/2.21.13”

“@voiceflow/husky-config/1.3.1”

“@voiceflow/husky-config/1.3.2”

“@voiceflow/logger/2.4.2”

“@voiceflow/logger/2.4.3”

“@voiceflow/metrics/1.5.1”

“@voiceflow/metrics/1.5.2”

“@voiceflow/natural-language-commander/0.5.2”

“@voiceflow/natural-language-commander/0.5.3”

“@voiceflow/nestjs-common/2.75.2”

“@voiceflow/nestjs-common/2.75.3”

“@voiceflow/nestjs-mongodb/1.3.1”

“@voiceflow/nestjs-mongodb/1.3.2”

“@voiceflow/nestjs-rate-limit/1.3.2”

“@voiceflow/nestjs-rate-limit/1.3.3”

“@voiceflow/nestjs-redis/1.3.1”

“@voiceflow/nestjs-redis/1.3.2”

“@voiceflow/nestjs-timeout/1.3.1”

“@voiceflow/nestjs-timeout/1.3.2”

“@voiceflow/npm-package-json-lint-config/1.1.1”

“@voiceflow/npm-package-json-lint-config/1.1.2”

“@voiceflow/openai/3.2.2”

“@voiceflow/openai/3.2.3”

“@voiceflow/pino-pretty/4.4.1”

“@voiceflow/pino-pretty/4.4.2”

“@voiceflow/pino/6.11.3”

“@voiceflow/pino/6.11.4”

“@voiceflow/prettier-config/1.10.1”

“@voiceflow/prettier-config/1.10.2”

“@voiceflow/react-chat/1.65.3”

“@voiceflow/react-chat/1.65.4”

“@voiceflow/runtime-client-js/1.17.2”

“@voiceflow/runtime-client-js/1.17.3”

“@voiceflow/runtime/1.29.1”

“@voiceflow/runtime/1.29.2”

“@voiceflow/sdk-runtime/1.43.1”

“@voiceflow/sdk-runtime/1.43.2”

“@voiceflow/secrets-provider/1.9.2”

“@voiceflow/secrets-provider/1.9.3”

“@voiceflow/semantic-release-config/1.4.1”

“@voiceflow/semantic-release-config/1.4.2”

“@voiceflow/serverless-plugin-typescript/2.1.7”

“@voiceflow/serverless-plugin-typescript/2.1.8”

“@voiceflow/slate-serializer/1.7.3”

“@voiceflow/slate-serializer/1.7.4”

“@voiceflow/stitches-react/2.3.2”

“@voiceflow/stitches-react/2.3.3”

“@voiceflow/storybook-config/1.2.2”

“@voiceflow/storybook-config/1.2.3”

“@voiceflow/stylelint-config/1.1.1”

“@voiceflow/stylelint-config/1.1.2”

“@voiceflow/test-common/2.1.1”

“@voiceflow/test-common/2.1.2”

“@voiceflow/tsconfig-paths/1.1.4”

“@voiceflow/tsconfig-paths/1.1.5”

“@voiceflow/tsconfig/1.12.1”

“@voiceflow/tsconfig/1.12.2”

“@voiceflow/utils-designer/1.74.19”

“@voiceflow/utils-designer/1.74.20”

“@voiceflow/verror/1.1.4”

“@voiceflow/verror/1.1.5”

“@voiceflow/vite-config/2.6.2”

“@voiceflow/vite-config/2.6.3”

“@voiceflow/vitest-config/1.10.2”

“@voiceflow/vitest-config/1.10.3”

“@voiceflow/voice-types/2.10.58”

“@voiceflow/voice-types/2.10.59”

“@voiceflow/voiceflow-types/3.32.45”

“@voiceflow/voiceflow-types/3.32.46”

“@voiceflow/widget/1.7.18”

“@voiceflow/widget/1.7.19”

“@zapier/ai-actions-react/0.1.12”

“@zapier/ai-actions-react/0.1.13”

“@zapier/ai-actions-react/0.1.14”

“@zapier/ai-actions/0.1.18”

“@zapier/ai-actions/0.1.19”

“@zapier/ai-actions/0.1.20”

“@zapier/babel-preset-zapier/6.4.1”

“@zapier/babel-preset-zapier/6.4.2”

“@zapier/babel-preset-zapier/6.4.3”

“@zapier/browserslist-config-zapier/1.0.3”

“@zapier/browserslist-config-zapier/1.0.4”

“@zapier/browserslist-config-zapier/1.0.5”

“@zapier/eslint-plugin-zapier/11.0.3”

“@zapier/eslint-plugin-zapier/11.0.4”

“@zapier/mcp-integration/3.0.1”

“@zapier/mcp-integration/3.0.2”

“@zapier/mcp-integration/3.0.3”

“@zapier/secret-scrubber/1.1.3”

“@zapier/secret-scrubber/1.1.4”

“@zapier/spectral-api-ruleset/1.9.1”

“@zapier/spectral-api-ruleset/1.9.2”

“@zapier/stubtree/0.1.2”

“@zapier/stubtree/0.1.3”

“@zapier/zapier-sdk/0.15.5”

“@zapier/zapier-sdk/0.15.6”

“@zapier/zapier-sdk/0.15.7”

“02-echo/0.0.7”

“ai-crowl-shield/1.0.7”

“arc-cli-fc/1.0.1”

“asyncapi-preview/1.0.1”

“asyncapi-preview/1.0.2”

“atrix-mongoose/1.0.1”

“atrix/1.0.1”

“automation_model/1.0.491”

“axios-builder/1.2.1”

“axios-cancelable/1.0.1”

“axios-cancelable/1.0.2”

“axios-timed/1.0.1”

“axios-timed/1.0.2”

“barebones-css/1.1.3”

“barebones-css/1.1.4”

“benmostyn-frame-print/1.0.1”

“bidirectional-adapter/1.2.2”

“bidirectional-adapter/1.2.3”

“bidirectional-adapter/1.2.4”

“blinqio-executions-cli/1.0.41”

“blob-to-base64/1.0.3”

“bool-expressions/0.1.2”

“bytecode-checker-cli/1.0.10”

“bytecode-checker-cli/1.0.11”

“bytecode-checker-cli/1.0.8”

“bytecode-checker-cli/1.0.9”

“bytes-to-x/1.0.1”

“calc-loan-interest/1.0.4”

“capacitor-plugin-apptrackingios/0.0.21”

“capacitor-plugin-purchase/0.1.1”

“capacitor-plugin-scgssigninwithgoogle/0.0.5”

“capacitor-purchase-history/0.0.10”

“capacitor-voice-recorder-wav/6.0.3”

“chrome-extension-downloads/0.0.3”

“chrome-extension-downloads/0.0.4”

“claude-token-updater/1.0.3”

“coinmarketcap-api/3.1.2”

“coinmarketcap-api/3.1.3”

“colors-regex/2.0.1”

“command-irail/0.5.4”

“compare-obj/1.1.1”

“compare-obj/1.1.2”

“composite-reducer/1.0.2”

“composite-reducer/1.0.3”

“count-it-down/1.0.1”

“count-it-down/1.0.2”

“cpu-instructions/0.0.14”

“create-glee-app/0.2.3”

“create-hardhat3-app/1.1.1”

“create-hardhat3-app/1.1.2”

“create-hardhat3-app/1.1.3”

“create-hardhat3-app/1.1.4”

“create-mcp-use-app/0.5.3”

“create-mcp-use-app/0.5.4”

“crypto-addr-codec/0.1.9”

“css-dedoupe/0.1.2”

“dashboard-empty-state/1.0.3”

“designstudiouiux/1.0.1”

“devstart-cli/1.0.6”

“dialogflow-es/1.1.1”

“dialogflow-es/1.1.2”

“dialogflow-es/1.1.3”

“discord-bot-server/0.1.2”

“docusaurus-plugin-vanilla-extract/1.0.3”

“dont-go/1.1.2”

“dotnet-template/0.0.3”

“dotnet-template/0.0.4”

“drop-events-on-property-plugin/0.0.2”

“email-deliverability-tester/1.1.1”

“enforce-branch-name/1.1.3”

“eslint-config-nitpicky/4.0.1”

“eslint-config-trigo/22.0.2”

“eslint-config-zeallat-base/1.0.4”

“ethereum-ens/0.8.1”

“evm-checkcode-cli/1.0.12”

“evm-checkcode-cli/1.0.13”

“evm-checkcode-cli/1.0.14”

“evm-checkcode-cli/1.0.15”

“exact-ticker/0.3.5”

“expo-audio-session/0.2.1”

“expressos/1.1.3”

“fat-fingered/1.0.1”

“fat-fingered/1.0.2”

“feature-flip/1.0.1”

“feature-flip/1.0.2”

“firestore-search-engine/1.2.3”

“fittxt/1.0.2”

“fittxt/1.0.3”

“flapstacks/1.0.1”

“flapstacks/1.0.2”

“flatten-unflatten/1.0.1”

“flatten-unflatten/1.0.2”

“formik-error-focus/2.0.1”

“formik-store/1.0.1”

“fuzzy-finder/1.0.5”

“fuzzy-finder/1.0.6”

“gate-evm-check-code2/2.0.3”

“gate-evm-check-code2/2.0.4”

“gate-evm-check-code2/2.0.5”

“gate-evm-check-code2/2.0.6”

“gate-evm-tools-test/1.0.5”

“gate-evm-tools-test/1.0.6”

“gate-evm-tools-test/1.0.7”

“gate-evm-tools-test/1.0.8”

“gatsby-plugin-cname/1.0.1”

“gatsby-plugin-cname/1.0.2”

“generator-meteor-stock/0.1.6”

“generator-ng-itobuz/0.0.15”

“get-them-args/1.3.3”

“github-action-for-generator/2.1.27”

“github-action-for-generator/2.1.28”

“gitsafe/1.0.5”

“go-template/0.1.8”

“go-template/0.1.9”

“gulp-inject-envs/1.2.1”

“gulp-inject-envs/1.2.2”

“haufe-axera-api-client/0.0.1”

“haufe-axera-api-client/0.0.2”

“hope-mapboxdraw/0.1.1”

“hopedraw/1.0.3”

“hover-design-prototype/0.0.5”

“httpness/1.0.2”

“httpness/1.0.3”

“hyper-fullfacing/1.0.3”

“hyperterm-hipster/1.0.7”

“image-to-uri/1.0.1”

“image-to-uri/1.0.2”

“invo/0.2.2”

“iron-shield-miniapp/0.0.2”

“ito-button/8.0.3”

“itobuz-angular-auth/8.0.11”

“itobuz-angular-button/8.0.11”

“itobuz-angular/0.0.1”

“jacob-zuma/1.0.1”

“jacob-zuma/1.0.2”

“jaetut-varit-test/1.0.2”

“jan-browser/0.13.1”

“jquery-bindings/1.1.2”

“jquery-bindings/1.1.3”

“jsonsurge/1.0.7”

“just-toasty/1.7.1”

“kill-port/2.0.2”

“kill-port/2.0.3”

“korea-administrative-area-geo-json-util/1.0.7”

“kwami/1.5.10”

“kwami/1.5.9”

“lang-codes/1.0.1”

“lang-codes/1.0.2”

“license-o-matic/1.2.1”

“license-o-matic/1.2.2”

“lint-staged-imagemin/1.3.1”

“lint-staged-imagemin/1.3.2”

“lite-serper-mcp-server/0.2.2”

“luno-api/1.2.3”

“manual-billing-system-miniapp-api/1.3.1”

“mcp-use/1.4.2”

“mcp-use/1.4.3”

“medusa-plugin-announcement/0.0.3”

“medusa-plugin-logs/0.0.17”

“medusa-plugin-momo/0.0.68”

“medusa-plugin-product-reviews-kvy/0.0.4”

“medusa-plugin-zalopay/0.0.40”

“mod10-check-digit/1.0.1”

“mon-package-react-typescript/1.0.1”

“n8n-nodes-tmdb/0.5.1”

“n8n-nodes-vercel-ai-sdk/0.1.7”

“n8n-nodes-viral-app/0.2.5”

“nanoreset/7.0.1”

“nanoreset/7.0.2”

“next-circular-dependency/1.0.2”

“next-circular-dependency/1.0.3”

“next-simple-google-analytics/1.1.1”

“next-simple-google-analytics/1.1.2”

“next-styled-nprogress/1.0.4”

“next-styled-nprogress/1.0.5”

“ngx-useful-swiper-prosenjit/9.0.2”

“ngx-wooapi/12.0.1”

“normal-store/1.3.1”

“normal-store/1.3.2”

“normal-store/1.3.3”

“obj-to-css/1.0.2”

“obj-to-css/1.0.3”

“okta-react-router-6/5.0.1”

“orbit-boxicons/2.1.3”

“orbit-nebula-draw-tools/1.0.10”

“orbit-nebula-editor/1.0.2”

“orbit-soap/0.43.13”

“orchestrix/12.1.2”

“package-tester/1.0.1”

“parcel-plugin-asset-copier/1.1.2”

“parcel-plugin-asset-copier/1.1.3”

“pdf-annotation/0.0.2”

“piclite/1.0.1”

“pico-uid/1.0.3”

“pico-uid/1.0.4”

“pkg-readme/1.1.1”

“poper-react-sdk/0.1.2”

“posthog-docusaurus/2.0.6”

“posthog-js/1.297.3”

“posthog-node/4.18.1”

“posthog-node/5.11.3”

“posthog-node/5.13.3”

“posthog-plugin-hello-world/1.0.1”

“posthog-react-native-session-replay/1.2.2”

“posthog-react-native/4.11.1”

“posthog-react-native/4.12.5”

“prime-one-table/0.0.19”

“prompt-eng-server/1.0.18”

“prompt-eng/1.0.50”

“puny-req/1.0.3”

“ra-auth-firebase/1.0.3”

“ra-data-firebase/1.0.7”

“ra-data-firebase/1.0.8”

“react-component-taggers/0.1.9”

“react-element-prompt-inspector/0.1.18”

“react-favic/1.0.2”

“react-hook-form-persist/3.0.1”

“react-hook-form-persist/3.0.2”

“react-jam-icons/1.0.1”

“react-jam-icons/1.0.2”

“react-keycloak-context/1.0.8”

“react-keycloak-context/1.0.9”

“react-library-setup/0.0.6”

“react-linear-loader/1.0.2”

“react-micromodal.js/1.0.1”

“react-micromodal.js/1.0.2”

“react-native-datepicker-modal/1.3.1”

“react-native-datepicker-modal/1.3.2”

“react-native-email/2.1.1”

“react-native-email/2.1.2”

“react-native-fetch/2.0.1”

“react-native-fetch/2.0.2”

“react-native-get-pixel-dimensions/1.0.1”

“react-native-get-pixel-dimensions/1.0.2”

“react-native-google-maps-directions/2.1.2”

“react-native-jam-icons/1.0.1”

“react-native-jam-icons/1.0.2”

“react-native-log-level/1.2.1”

“react-native-log-level/1.2.2”

“react-native-modest-checkbox/3.3.1”

“react-native-modest-storage/2.1.1”

“react-native-phone-call/1.2.1”

“react-native-phone-call/1.2.2”

“react-native-retriable-fetch/2.0.1”

“react-native-retriable-fetch/2.0.2”

“react-native-use-modal/1.0.3”

“react-native-view-finder/1.2.1”

“react-native-view-finder/1.2.2”

“react-native-websocket/1.0.3”

“react-native-websocket/1.0.4”

“react-native-worklet-functions/3.3.3”

“react-qr-image/1.1.1”

“rediff/1.0.5”

“redux-forge/2.5.3”

“redux-router-kit/1.2.2”

“redux-router-kit/1.2.3”

“redux-router-kit/1.2.4”

“sa-company-registration-number-regex/1.0.1”

“sa-company-registration-number-regex/1.0.2”

“sa-id-gen/1.0.4”

“sa-id-gen/1.0.5”

“samesame/1.0.3”

“scgs-capacitor-subscribe/1.0.11”

“scgsffcreator/1.0.5”

“selenium-session-client/1.0.4”

“selenium-session/1.0.5”

“set-nested-prop/2.0.1”

“set-nested-prop/2.0.2”

“shelf-jwt-sessions/0.1.2”

“shell-exec/1.1.3”

“shell-exec/1.1.4”

“shinhan-limit-scrap/1.0.3”

“skills-use/0.1.1”

“skills-use/0.1.2”

“solomon-api-stories/1.0.2”

“solomon-v3-stories/1.15.6”

“sort-by-distance/2.0.1”

“south-african-id-info/1.0.2”

“stat-fns/1.0.1”

“stoor/2.3.2”

“super-commit/1.0.1”

“svelte-autocomplete-select/1.1.1”

“svelte-toasty/1.1.2”

“svelte-toasty/1.1.3”

“tanstack-shadcn-table/1.1.5”

“tcsp-draw-test/1.0.5”

“tcsp-test-vd/2.4.4”

“tcsp/2.0.2”

“template-lib/1.1.3”

“template-lib/1.1.4”

“template-micro-service/1.0.2”

“template-micro-service/1.0.3”

“tenacious-fetch/2.3.2”

“tenacious-fetch/2.3.3”

“test-foundry-app/1.0.1”

“test-foundry-app/1.0.2”

“test-foundry-app/1.0.3”

“test-foundry-app/1.0.4”

“test-hardhat-app/1.0.1”

“test-hardhat-app/1.0.2”

“test-hardhat-app/1.0.3”

“test-hardhat-app/1.0.4”

“test23112222-api/1.0.1”

“tiaan/1.0.2”

“token.js-fork/0.7.32”

“trigo-react-app/4.1.2”

“typefence/1.2.2”

“typefence/1.2.3”

“typeorm-orbit/0.2.27”

“undefsafe-typed/1.0.3”

“undefsafe-typed/1.0.4”

“uplandui/0.5.4”

“upload-to-play-store/1.0.1”

“upload-to-play-store/1.0.2”

“url-encode-decode/1.0.1”

“url-encode-decode/1.0.2”

“use-unsaved-changes/1.0.9”

“valid-south-african-id/1.0.3”

“vf-oss-template/1.0.1”

“vf-oss-template/1.0.2”

“vf-oss-template/1.0.3”

“web-scraper-mcp/1.1.4”

“wellness-expert-ng-gallery/5.1.1”

“wenk/1.0.10”

“wenk/1.0.9”

“zapier-async-storage/1.0.2”

“zapier-platform-cli/18.0.2”

“zapier-platform-cli/18.0.4”

“zapier-platform-core/18.0.3”

“zapier-platform-legacy-scripting-runner/4.0.2”

“zapier-platform-schema/18.0.3”

“zapier-platform-schema/18.0.4”

“zapier-scripts/7.8.3”

“zapier-scripts/7.8.4”

“zuper-cli/1.0.1”

“zuper-sdk/1.0.57”

“zuper-stream/2.0.9”

By Veracode Threat Research

Return of the “Shai-Hulud” Worm

Veracode Customers Remain Protected

NPM Attacks Conclusion: Stay Ahead of Advanced Threats

All Known Affected Packages

Related Posts