The Holiday Whisper: Shai-Hulud 3.0

Blog post from Snyk

Post Details
Author: Lion Kontorer
Word Count: 809
Language: English
Summary

During the holiday season, attackers often exploit reduced staffing and slower response times. A new malware variant, "The Golden Path" (v3.0), an evolution of the Shai-Hulud lineage, emerged in exactly that window. It was discovered on December 29, 2025, within the @vietmoney/react-big-calendar npm package. The variant emphasizes stealth and cross-platform compatibility over rapid spread, a technical refinement of previous versions. The timing coincides with shifts in the npm ecosystem towards stricter security measures, suggesting attackers aim to exploit a transitional period. The threat is currently limited and likely in a testing phase, so vigilance is recommended over panic. The focus is on proactive defense strategies: disabling lifecycle scripts, enforcing lockfile-only installs, implementing cooldown periods for new package versions, and auditing outbound egress to mitigate potential data exfiltration.
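
Two of the defenses listed above, lifecycle scripts and cooldown periods, can be checked against a lockfile before install. The following is an added example, not code from the Snyk post: the function names, the 7-day cooldown, the package names and the publish-time map are all assumptions constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3) for packages
// that run install scripts or were published inside a cooldown window.

const COOLDOWN_DAYS = 7; // assumption: a policy value chosen for this example

// Constructed lockfile excerpt. npm sets "hasInstallScript" on entries whose
// package declares preinstall/install/postinstall scripts.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-calendar": { version: "2.4.1", hasInstallScript: true },
    "node_modules/example-utils": { version: "1.0.3" },
    "node_modules/@scope/example-fresh": { version: "0.9.0" },
  },
};

// Constructed publish times keyed by name@version (hypothetical shape; in
// practice these would be collected from registry metadata ahead of time).
const samplePublishTimes = {
  "example-calendar@2.4.1": "2025-06-01T00:00:00Z",
  "example-utils@1.0.3": "2024-11-15T00:00:00Z",
  "@scope/example-fresh@0.9.0": "2025-12-28T12:00:00Z",
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"; other paths are returned as-is.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditLock(lock, publishTimes, nowMs, cooldownDays = COOLDOWN_DAYS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const id = `${packageName(path)}@${meta.version}`;
    if (meta.hasInstallScript) findings.push({ id, issue: "install-script" });
    const published = publishTimes[id];
    if (!published) {
      findings.push({ id, issue: "unknown-publish-time" }); // fail closed
      continue;
    }
    const ageDays = (nowMs - Date.parse(published)) / 86400000;
    if (ageDays < cooldownDays) findings.push({ id, issue: "inside-cooldown" });
  }
  return findings;
}

console.log(auditLock(sampleLock, samplePublishTimes, Date.parse("2025-12-30T00:00:00Z")));
```

A non-empty result is a reason to hold the install for review. The check complements setting `ignore-scripts=true` in `.npmrc` and installing with `npm ci`, which cover the lifecycle-script and lockfile-only items.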