CERT-In Flags Shai-Hulud Malware Hitting Open Source Npm Registry

CERT-In Warns Startups And IT Firms Of Shai-Hulud Malware Exploiting Open Source Npm Registry

India’s CERT-In warns startups and IT firms about Shai-Hulud, a malware exploiting the open source npm registry, urging stronger credential security and dependency audits.

The Indian Computer Emergency Response Team (CERT-In), the nodal cybersecurity agency under the Ministry of Electronics and Information Technology, has issued an urgent warning to startups and IT/ITeS firms about a fast-spreading malware campaign named “Shai-Hulud.”

Unlike the sandworms from Frank Herbert’s Dune series, Shai-Hulud in the digital world refers to a worm exploiting the open source JavaScript Node Package Manager (npm) ecosystem. Npm is the world’s largest repository of open-source software building blocks, widely used by developers to create applications, websites, and digital services.

According to CERT-In, the malware poses a severe risk to startups, IT companies, and other technology-driven businesses. It spreads rapidly through open source dependencies, enabling attackers to steal developer credentials and compromise the integrity of software supply chains.

The advisory highlights the double-edged nature of open source ecosystems. On one hand, npm provides developers with vast libraries and shared innovation; on the other, its decentralised and open structure creates opportunities for malicious actors to inject vulnerabilities and malware.

CERT-In has recommended that organisations relying on npm and other open source components secure developer credentials and conduct thorough audits of dependencies within their supply chains to mitigate risk.

The warning underscores the growing need for responsible dependency management, open source security audits, and proactive monitoring as firms deepen their reliance on open source ecosystems to power digital services.
