Copycat Shai‑Hulud Worm Infects Another npm Package, Raising GDPR and CCPA Compliance Alarm
#Vulnerabilities

Privacy Reporter

A new variant of the Shai‑Hulud supply‑chain worm has been discovered in the npm package chalk‑tempalte and three other malicious modules. The malware steals credentials, cloud tokens and crypto wallets, then exfiltrates data to servers in Europe. Under GDPR, the breach triggers mandatory notification obligations, while the CCPA may expose U.S. developers to civil penalties. Experts urge immediate removal of the packages, key rotation, and a review of open‑source procurement policies.

What happened

A copycat of the infamous Shai‑Hulud worm resurfaced on npm this week. The malicious code was hidden in a package called chalk‑tempalte, which pretends to be an add‑on for the popular terminal‑styling library Chalk. In the same push, the same npm user – identified as Jessica Lyons – published three additional packages:

  • @deadcode09284814/axios-util
  • axois-utils
  • color‑style‑utils

All four modules contain credential‑stealing payloads, crypto‑wallet harvesters and, in one case, a Go‑based DDoS botnet. The code reaches out to command‑and‑control hosts such as 87e0bbc636999b.lhr.life and 80.200.28.28:2222.

According to Ox security researchers, the combined weekly download count for the four packages is 2,678, meaning thousands of developers may have installed the malware inadvertently.


GDPR (EU)

  • Article 5 – data‑processing principles require that personal data be processed lawfully, fairly and transparently. The worm extracts IP addresses, environment variables, cloud credentials and crypto‑wallet identifiers, all of which qualify as personal data under the regulation.
  • Article 33 – any breach that is likely to result in a risk to the rights and freedoms of natural persons must be reported to the supervisory authority within 72 hours. The moment a developer’s machine contacts the malicious C2 server, a breach occurs.
  • Article 32 – controllers and processors must implement appropriate technical and organisational measures. Publishing a package that deliberately injects malware into downstream projects is a clear violation of the security‑by‑design requirement.
  • Potential fines – up to €20 million or 4 % of global annual turnover, whichever is higher, can be imposed for non‑compliance.

CCPA (California, USA)

  • Section 1798.150 – requires businesses to notify California residents of any breach of “personal information” within 45 days of discovery. The stolen data includes email addresses, authentication tokens and crypto‑wallet identifiers, all covered by the statute.
  • Section 1798.155 – provides a private right of action for consumers whose data is exposed, allowing for statutory damages of $100‑$750 per consumer per incident and up to $7,500 for each intentional violation.

Both regimes give regulators the power to issue administrative fines and demand remediation plans. The cross‑border nature of npm (hosted in the United States, used globally) means that a single breach can trigger simultaneous GDPR and CCPA actions.


Impact on users and companies

| Affected party | What they lose | Immediate risk | Compliance consequence |
|---|---|---|---|
| Individual developers | Private SSH keys, cloud API tokens, crypto wallet seeds | Unauthorized access to personal servers and funds | May be considered a data controller under GDPR if they process personal data on behalf of clients |
| Small‑to‑mid‑size SaaS firms | Environment variables that contain customer PII, API keys for third‑party services | Service disruption, data leakage, potential ransomware | Must treat the breach as a processor incident and report to customers and regulators |
| Large enterprises using open‑source pipelines | Supply‑chain contamination of CI/CD pipelines, possible DDoS botnet activation | Outage, reputational damage, loss of customer trust | Could face joint‑controller liability if they failed to vet dependencies |

The worm also creates a persistent Go‑based bot that can survive package removal, meaning that simply uninstalling the module may not eradicate the threat.


What changes are needed

  1. Immediate containment
    • Uninstall the four malicious packages and any versions that depend on them.
    • Scan the file system for the string "A Mini Sha1‑Hulud has Appeared" and remove any lingering configuration files.
    • Rotate every credential that may have been exfiltrated – SSH keys, cloud service tokens, API secrets and crypto wallet seeds.
  2. Supply‑chain hardening
    • Adopt a software‑bill‑of‑materials (SBOM) for every production build and verify package signatures where possible.
    • Enforce a policy that only allows packages with verified maintainers or those hosted on a trusted private registry.
    • Integrate automated scanning tools (e.g., GitHub Dependabot, Snyk) into CI pipelines to flag newly published versions that contain suspicious network calls.
  3. Legal and compliance steps
    • Conduct a data‑breach impact assessment within 24 hours and document the findings for GDPR/CCPA reporting.
    • Notify affected users and the relevant supervisory authority (e.g., the Irish Data Protection Commission for many EU‑based npm users) within the statutory windows.
    • Review contracts with third‑party vendors to ensure they include supply‑chain security clauses and right‑to‑audit provisions.
  4. Community response
    • npm should accelerate its two‑factor authentication requirement for maintainers and consider a publisher reputation score visible on package pages.
    • Open‑source projects that depend on Chalk or similar libraries should publish a security advisory and update their dependency lock files.
    • Security researchers are encouraged to share indicators of compromise (IoCs) – such as the C2 domains lhr.life and IP 80.200.28.28 – on platforms like MISP or VirusTotal.
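The first containment step above (find the four packages in a project's lockfile, then look for the marker string on disk) as an added triage helper; this is example code, not the article's or OX Security's, and it only covers the package names and marker string the article reports. Lockfile layout follows npm's documented lockfileVersion 1, 2 and 3 formats; the sample lockfile and file tree are constructed.

```python
import os, tempfile
# Package names and marker string are the ones the article reports.
MALICIOUS_PACKAGES = {"chalk-tempalte", "@deadcode09284814/axios-util",
                      "axois-utils", "color-style-utils"}
MARKER = "A Mini Sha1-Hulud has Appeared"  # ASCII hyphen; article prints U+2011

def lockfile_hits(lock: dict) -> set:
    """Return malicious package names present in a parsed package-lock.json."""
    hits = set()
    # lockfileVersion 2/3: flat "packages" map keyed by node_modules path
    for path in lock.get("packages", {}):
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped
        if name in MALICIOUS_PACKAGES:
            hits.add(name)
    # lockfileVersion 1 (also kept in v2): nested "dependencies" tree
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if name in MALICIOUS_PACKAGES:
                hits.add(name)
            stack.append(meta.get("dependencies", {}))
    return hits

def marker_hits(root: str) -> list:
    """Return '/'-separated paths under root of files containing MARKER."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            with open(p, encoding="utf-8", errors="ignore") as fh:
                if MARKER in fh.read():
                    found.append(os.path.relpath(p, root).replace(os.sep, "/"))
    return sorted(found)

# Constructed lockfileVersion 3 sample with one typosquatted dependency.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"chalk": "^5.3.0", "axois-utils": "^1.0.0"}},
    "node_modules/chalk": {"version": "5.3.0"},
    "node_modules/axois-utils": {"version": "1.0.0"}}}

def demo_marker_scan() -> list:
    """Build a constructed tree with one tainted and one clean file, scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".config"))
        with open(os.path.join(root, ".config", "notes.txt"), "w") as fh:
            fh.write("header\n" + MARKER + "\n")
        with open(os.path.join(root, "clean.txt"), "w") as fh:
            fh.write("nothing here\n")
        return marker_hits(root)
```

A hit from either function is a trigger for the credential rotation and breach assessment steps, not proof that the host is clean once the package is removed, given the persistent Go‑based bot the article describes.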

Looking ahead

The pattern uncovered by Moshe Siman Tov Bustan suggests this is only the first phase of a broader campaign targeting the npm ecosystem. As supply‑chain attacks become more lucrative, regulators are likely to tighten oversight of open‑source dependencies. Companies that fail to implement risk‑based vetting of third‑party code may soon find themselves facing not only technical fallout but also substantial regulatory penalties under GDPR, CCPA and emerging data‑protection laws worldwide.

Bottom line: If you have installed any version of chalk-tempalte, @deadcode09284814/axios-util, axois-utils or color-style-utils, remove them now, rotate every secret, and treat the incident as a reportable data breach. The cost of compliance is far lower than the fines and reputational damage that follow a supply‑chain compromise.