Why CERT-In is warning startups and IT firms about ‘Shai-Hulud,’ a Dune-inspired malware

India’s cybersecurity agency warns of a fast-spreading npm supply chain worm, urging startups and ITeS firms to secure credentials and audit dependencies.

September 26, 2025 / 10:55 IST
The Indian Computer Emergency Response Team is the nodal body for cybersecurity in India under the Ministry of Electronics and Information Technology

India’s cybersecurity nodal agency, the Indian Computer Emergency Response Team (CERT-In), is warning startups about a threat named after Shai Hulud, a fantastical creature from Dune.

However, unlike the giant sandworms in Frank Herbert's sci-fi novel series, this Shai Hulud is malware that poses a great risk for startups, IT companies and others.

What is the Shai Hulud malware campaign?

This malware campaign targets JavaScript's node package manager (npm) ecosystem — the world’s largest collection of open-source software building blocks used by developers to create apps, websites, and digital services.

Attackers have injected a worm-like malware (hence the name Shai Hulud) into npm packages, allowing it to spread automatically across projects.

How does the attack take place?

According to CERT-In, the campaign began with phishing emails spoofing npm and tricking developers into revealing their login details.

Once inside, the attackers deploy malware that harvests sensitive credentials and pushes malicious versions of packages back into the npm registry.

How widespread is the attack?

According to CERT-In, the malware has already compromised more than 500 npm packages and is spreading across developer networks.

What did CERT-In say about startups and ITeS companies?

"This attack has the potential to impact start-ups, IT/ITES companies, fintech platforms and e-Governance applications that rely on npm-based software resulting in exposure of credentials, unauthorised code execution and further supply chain compromise," CERT-In warned.

What should companies do now?

CERT-In has urged immediate action from developer teams and organisations:

  • Audit dependencies: Review all software relying on npm, checking package-lock.json or yarn.lock files for affected packages.
  • Rotate credentials: Change all developer credentials, including npm, GitHub and cloud service keys.
  • Mandate phishing-resistant MFA: Enforce hardware token–based or other phishing-resistant MFA across GitHub and npm accounts.
  • Harden GitHub security: Remove unnecessary GitHub Apps, OAuth tokens, and webhooks; enable branch protection and secret scanning.
  • Block malicious activity: Monitor firewalls for suspicious domains and block outbound connections to webhook.site.
  • Look for compromise signs: Check organisational GitHub accounts for suspicious commits, references to “Shai-Hulud,” or unauthorized workflows.
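
The dependency audit in the first item can be scripted; the following is an added example, not code from CERT-In or the original article. It handles package-lock.json only, and the advisory entries and sample lockfiles are constructed placeholders to be replaced with the affected package list from the advisory being followed.

```javascript
// Advisory list as "name@version". These entries are constructed placeholders,
// not real indicators; load the affected list from the advisory you follow.
const ADVISORY = new Set([
  "example-affected-pkg@1.2.3",
  "@example-scope/affected-lib@4.5.6",
]);

// Flatten a parsed package-lock.json into {name, version, where} records.
// lockfileVersion 2/3 uses "packages" keyed by install path; version 1 uses
// a nested "dependencies" tree. Transitive entries are included in both.
function listInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta.version) continue; // root project or workspace link
      const i = path.lastIndexOf("node_modules/");
      const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
      found.push({ name, version: meta.version, where: path });
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      found.push({ name, version: meta.version, where });
      walk(meta.dependencies, where);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return only the installed packages whose exact name@version is listed.
function auditLockfile(lock, advisory = ADVISORY) {
  return listInstalled(lock).filter((p) => advisory.has(`${p.name}@${p.version}`));
}

// Constructed sample lockfiles (v3 and v1 shapes) for an offline run.
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-helper": { version: "2.0.0" },
  "node_modules/left-helper/node_modules/example-affected-pkg": { version: "1.2.3" },
  "node_modules/@example-scope/affected-lib": { version: "4.5.5" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "@example-scope/affected-lib": { version: "4.5.6",
    dependencies: { "example-affected-pkg": { version: "1.2.2" } } },
} };

console.log(auditLockfile(sampleV3), auditLockfile(sampleV1));
```

To run it against a real project, pass the parsed contents of that project's package-lock.json to `auditLockfile`; the `where` field shows which install path or dependency chain pulled the package in.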

Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Sep 26, 2025 10:55 am
