Government Issues Alert on ‘Shai-Hulud’ Malware Threat Targeting India’s Startup and IT Ecosystem

New Delhi, September 28 (TNA) The government of India has issued a fresh cybersecurity warning regarding the “Shai-Hulud” malware, which poses a serious threat to India’s startup and IT sectors. CERT-In, the nodal cybersecurity agency under the Ministry of Home Affairs, has alerted startups and IT firms across the country about this malware’s capability to infiltrate the JavaScript Node Package Manager (npm) ecosystem, potentially leading to large-scale cyberattacks.

The malware, named after a science fiction sandworm from Frank Herbert’s novel series, can compromise thousands of npm packages widely used in software development, thereby risking the leakage of private data from apps, websites, and digital services.

Shai-Hulud operates by injecting itself into npm packages via phishing campaigns targeting developers’ credentials. Once inside, it autonomously replicates, spreading malicious code that can steal sensitive information, including emails, passwords, and API tokens. CERT-In warns that over 500 npm packages have already been compromised, with the worm capable of propagating rapidly through the network of interdependent packages used in development projects.

In response, CERT-In has urged all startups and IT firms to immediately review their software systems, rotate credentials, and implement phishing-resistant multifactor authentication. The agency has also directed firms to delete GitHub apps linked to the vulnerability and monitor firewall activities to block suspicious connections. Immediate rectification is advised if any irregularities are detected.