Shai-Hulud worm returns stronger and more automated than ever before | CyberScoop<\/title> <meta name=\"description\" content=\"Self-replicating malware has infected almost 500 open-source packages, exposing more than 26,000 GitHub repositories in less than 24 hours.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/supply-chain-attack-shai-hulud-npm\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Shai-Hulud worm returns stronger and more automated than ever before\"> <meta property=\"og:description\" content=\"Self-replicating malware has infected almost 500 open-source packages, exposing more than 26,000 GitHub repositories in less than 24 hours.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/supply-chain-attack-shai-hulud-npm\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-11-24T22:45:47+00:00\"> <meta property=\"article:modified_time\" content=\"2025-11-24T22:45:50+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1763493151g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1763502595g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1763439630g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86952\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86952\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsupply-chain-attack-shai-hulud-npm%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsupply-chain-attack-shai-hulud-npm%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86952 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/supply-chain-attack-shai-hulud-npm\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.472527472527\">\n<div class=\"single-article__header-content\" readability=\"36.393034825871\">\n<p> Self-replicating malware has infected almost 500 open-source packages, exposing more than 26,000 GitHub repositories in less than 24 hours. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86952\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"274\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before.jpg?resize=640%2C274&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Binary code depicted in waves.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg 2644w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=300,129 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=768,329 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=1024,439 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=1536,658 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=2048,878 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=600,257 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=1200,514 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-2.jpg?resize=1500,643 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Binary code depicted in waves. (iStock\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"58.251451800232\"><body readability=\"119.07316548311\"><\/p>\n<p>Security researchers and authorities are warning about a fresh wave of supply-chain attacks linked to a self-replicating worm that attackers have injected into almost 500 npm (node.js package manager) software packages, exposing more than 26,000 open-source repositories on GitHub.<\/p>\n<p>The trojanized npm packages, which were <a href=\"https:\/\/www.aikido.dev\/blog\/shai-hulud-strikes-again-hitting-zapier-ensdomains\">first discovered late Sunday<\/a> by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September.<\/p>\n<p>The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven\u2019t observed downstream attacks originating from credentials stolen by the malware.<\/p>\n<p>\u201cHowever, because these credentials were publicly exposed on GitHub, it is highly likely that multiple threat actors already have access to them or will soon. This significantly increases the probability of downstream exploitation even if it has not yet appeared at scale,\u201d Eriksen told CyberScoop.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The malware is propagating rapidly, using stolen npm tokens to infect additional packages at a level of automation and scale that is substantially higher than its previous version, approaching near self-sufficiency, Eriksen added. <\/p>\n<p>Major packages including Zapier, ENS Domains, PostHog and Postman were trojanized, allowing the attackers to populate GitHub repositories with stolen victim data, according to Wiz. Some of the packages are present in about 27% of cloud and code environments, the security firm said in a <a href=\"https:\/\/www.wiz.io\/blog\/shai-hulud-2-0-ongoing-supply-chain-attack\">blog post<\/a> Monday.<\/p>\n<p>\u201cWe\u2019ve observed multiple environments where these trojanized packages were downloaded before their removal from npm, suggesting active real-world exposure,\u201d Merav Bar, threat researcher at Wiz, told CyberScoop. \u201cAs we saw in past attacks, we expect to see a long tail of exploitation of the exposure across both the initial and opportunistic attackers.\u201d<\/p>\n<p>The previous and current wave of Shai-Hulud attacks appear to be focused on stealing developer secrets that can be used for deeper supply-chain compromise, Bar added.<\/p>\n<p>\u201cBoth waves of Shai-Hulud show how easy it is for attackers to weaponize trusted distribution paths, push malicious versions at scale, and reach thousands of downstream developers before anyone realizes something is wrong,\u201d she said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The timing of the latest Shai-Hulud campaign was opportunistic as well, hitting repositories just weeks before npm, a company GitHub acquired in 2020, plans to revoke classic tokens as part of a push to institute more strict security practices broadly. \u201cThis campaign would be significantly limited if these security implementations were in place,\u201d Eriksen said.<\/p>\n<p>The latest variant of Shai-Hulud creates malicious files during the preinstall phase, including a randomly named public repository containing stolen data. While the attacker references Shai-Hulud and activities resemble the previous worm, researchers at Wiz said there are some differences and attribution has not been fully confirmed.<\/p>\n<p>Ron Peled, chief operating officer and co-founder of Sola Security, described npm as a low-friction package ecosystem, which makes it an appealing target for attackers. Moreover, he said, developers\u2019 endpoints and CI\/CD environments are often a blind spot for endpoint detection and response and anti-malware tools.<\/p>\n<p>\u201cDevelopers often store GitHub tokens, npm tokens or cloud secrets in environment variables,\u201d Peled said. \u201cBuild systems almost always have access to powerful tokens and the malware only needs one of them to propagate.\u201d<\/p>\n<p>Attackers target open-source software for supply-chain attacks frequently, and the latest campaign marks yet another attack specifically targeting npm. Attacks are gaining maturity and complexity, building upon previous success, said Melissa Bischoping, senior director of security and product design research at Tanium. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cLast year, everyone zeroed in on the <a href=\"https:\/\/cyberscoop.com\/xz-utils-open-source\/\">XZ Utils compromise<\/a> and how supply-chain compromise of a single open-source project could potentially hijack the entire world. In early September we had simple cryptojacking which was <a href=\"https:\/\/cyberscoop.com\/open-source-npm-package-attack\/\">mostly a non-issue<\/a>, but then that was quickly followed by the Shai-Hulud worm which stole credentials and further compromised security,\u201d she added. <\/p>\n<p>\u201cThe pattern emerging is that attackers have identified open-source developers as high-value targets and have had massive success in just the last year,\u201d Bischoping said. \u201cDevelopers, even hobbyist ones, need to be prepared for continued attacks and escalation.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.4749034749035\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/supply-chain-attack-shai-hulud-npm\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shai-Hulud worm returns stronger and more automated than ever before<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3548,78,725,3875,1073,3288,256,5361,1866,649,4978,288,3610],"tags":[3561,86,728,3877,1076,3290,262,5362,1868,652,4982,294,3613],"class_list":["post-8129","post","type-post","status-publish","format-standard","hentry","category-aikido-security","category-cybersecurity","category-github","category-npm","category-open-source","category-open-source-software","category-research","category-sola-security","category-supply-chain-attacks","category-supply-chain-security","category-tanium","category-threats","category-wiz","tag-aikido-security","tag-cybersecurity","tag-github","tag-npm","tag-open-source","tag-open-source-software","tag-research","tag-sola-security","tag-supply-chain-attacks","tag-supply-chain-security","tag-tanium","tag-threats","tag-wiz"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aikido-security\/\" rel=\"category tag\">Aikido Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/github\/\" rel=\"category tag\">GitHub<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/npm\/\" rel=\"category tag\">npm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source-software\/\" rel=\"category tag\">open source software<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sola-security\/\" rel=\"category tag\">Sola Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain-attacks\/\" rel=\"category tag\">supply chain attacks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain-security\/\" rel=\"category tag\">supply chain security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/tanium\/\" rel=\"category tag\">Tanium<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/wiz\/\" rel=\"category tag\">Wiz<\/a>","tag_info":"Wiz","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8129"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8129\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8129,"date":"2025-11-24T16:45:47","date_gmt":"2025-11-24T22:45:47","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86952"},"modified":"2025-11-24T16:45:47","modified_gmt":"2025-11-24T22:45:47","slug":"shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/11\/24\/shai-hulud-worm-returns-stronger-and-more-automated-than-ever-before\/","title":{"rendered":"Shai-Hulud worm returns stronger and more automated than ever before"},"content":{"rendered":"