Just weeks after the devastating "Second Coming" campaign crippled thousands of development environments, the threat actor behind the Shai-Hulud worm has returned. Security researchers at Aikido have detected a new, evolved strain of the malware dubbed "The Golden Path," signaling that the most aggressive supply chain predator in the npm ecosystem is far from finished.

This latest iteration was first spotted on over the weekend, embedded within the package @vietmoney/react-big-calendar. While the initial discovery suggests the attackers may still be in a "testing" phase with limited spread, the technical refinements found in the code point to a more resilient and cross-platform threat.

Evolution of a Predator

Shai-Hulud has long utilized a Dune-inspired theatrical flair, but its latest evolution suggests a shift in branding. In this new wave, stolen data is exfiltrated to GitHub repositories featuring a cryptic new description: "Goldox-T3chs: Only Happy Girl.

Technically, "The Golden Path" is a significant upgrade. Earlier versions of the worm struggled with Windows environments when attempting to self-propagate using the bun runtime. The new strain specifically addresses this, implementing cross-platform publishing capabilities that ensure the worm can spread regardless of the victim's operating system.

Researchers also noted a shift in file nomenclature—the malware now operates via bun_installer.js and environment_source.js—and features improved error handling for TruffleHog, the secret-scanning tool the worm uses to harvest AWS, GCP, and Azure credentials. By refining its timeout logic, the malware is now less likely to crash during high-latency scans, making its "smash-and-grab" operations more reliable.

A Legacy of Disruption

This isn't Shai-Hulud’s first rodeo. The group first made headlines in September 2025 when a massive campaign hit over 500 npm packages, including those belonging to cybersecurity giant CrowdStrike.

Read: CrowdStrike Among Those Hit in NPM Attack Campaign

That initial strike was historically significant, resulting in the theft of an estimated $50 million in cryptocurrency and proving that even the most security-conscious organizations are vulnerable to upstream dependency hijacking.

In November, the "Second Coming" wave escalated the stakes by introducing a "dead man’s switch"—a destructive payload designed to wipe a user's home directory if the malware detected it had been cut off from its command-and-control (C2) servers.

Read: New Shai-Hulud Attack Hits Nearly 500 npm Packages with 100+ Million Downloads

The Supply Chain Standoff

The return of Shai-Hulud underscores a grim reality for modern DevOps: trust is a liability. By targeting the preinstall phase of npm packages, the malware executes before a developer even realizes a package is malicious.

"The differences in the code suggests that this was obfuscated again from original source, not modified in place," Aikido researchers noted. "This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm."

Relying on npm’s default security is no longer sufficient. Organizations are urged to adopt "Trusted Publishing," enforce strict lockfile integrity, and utilize package-aging tools that block the installation of brand-new, unvetted releases. In the world of Shai-Hulud, the only way to survive the desert is to stop trusting the ground beneath your feet.

By Gauravdeep Singh, Head – State e-Mission Team (SeMT), Ministry of Electronics and Information Technology The Digital Personal Data Protection (DPDP) Act has fundamentally altered the risk landscape for Indian organisations. Data breaches now trigger mandatory compliance obligations regardless of their origin, transforming incidents that were once purely operational concerns into regulatory events with significant financial and legal implications.

Case Study 1: Cloud Misconfiguration in a Consumer Platform

A prominent consumer-facing platform experienced a data exposure incident when a misconfigured storage bucket on its public cloud infrastructure inadvertently made customer data publicly accessible. While no malicious actor was involved, the incident still constituted a reportable data breach under the DPDP Act framework. The organisation faced several immediate obligations:

• Notification to affected individuals within prescribed timelines
• Formal reporting to the Data Protection Board
• Comprehensive internal investigation and remediation measures
• Potential penalties for failure to implement reasonable security safeguards as mandated under the Act

Such incidents highlight a critical gap in traditional risk management approaches. The financial exposure—encompassing regulatory penalties, legal costs, remediation expenses, and reputational damage—frequently exceeds conventional cyber insurance coverage limits, particularly when compliance failures are implicated.

Case Study 2: Ransomware Attack on Healthcare and EdTech Infrastructure

A mid-sized healthcare and education technology provider fell victim to a ransomware attack that encrypted sensitive personal records. Despite successful restoration from backup systems, the organisation confronted extensive regulatory and operational obligations:

• Forensic assessment to determine whether data confidentiality was compromised
• Mandatory notification to regulatory authorities and affected data principals
• Ongoing legal and compliance proceedings

The total cost extended far beyond any ransom demand. Forensic investigations, legal advisory services, public communications, regulatory compliance activities, and operational disruption collectively created substantial financial strain, costs that would have been mitigated with appropriate insurance coverage.

Case Study 3: AI-Enabled Fraud and Social Engineering

The emergence of AI-driven attack vectors has introduced new dimensions of cyber risk. Deepfake technology and sophisticated phishing campaigns now enable threat actors to impersonate senior leadership with unprecedented authenticity, compelling finance teams to authorise fraudulent fund transfers or inappropriate data disclosures. These attacks often circumvent traditional technical security controls because they exploit human trust rather than system vulnerabilities. As a result, organisations are increasingly seeking insurance coverage for social engineering and cyber fraud events, particularly those involving personal data or financial information, that fall outside conventional cybersecurity threat models.

The Evolution of Cyber Insurance in India

The Indian cyber insurance market is undergoing significant transformation in response to the DPDP Act and evolving threat landscape. Modern policies now extend beyond traditional hacking incidents to address:

• Data breaches resulting from human error or operational failures
• Third-party vendor and SaaS provider security failures
• Cloud service disruptions and availability incidents
• Regulatory investigation costs and legal defense expenses
• Incident response, crisis management, and public relations support

Organisations are reassessing their coverage adequacy as they recognise that historical policy limits of Rs. 10–20 crore may prove insufficient when regulatory penalties, legal costs, business interruption losses, and remediation expenses are aggregated under the DPDP compliance framework.

The SME and MSME Vulnerability

Small and medium enterprises represent the most vulnerable segment of the market. While many SMEs and MSMEs regularly process personal data, they frequently lack:

• Mature information security controls and governance frameworks
• Dedicated compliance and data protection teams
• Financial reserves to absorb penalties, legal costs, or operational disruption

For organisations in this segment, even a relatively minor cyber incident can trigger prolonged operational shutdowns or, in severe cases, permanent closure. Despite this heightened vulnerability, cyber insurance adoption among SMEs remains disproportionately low, driven primarily by awareness gaps and perceived cost barriers.

Implications for the Cyber Insurance Ecosystem

The Indian cyber insurance market is entering a period of accelerated growth and structural evolution. Several key trends are emerging:

• Higher policy limits becoming standard practice across industries
• Enhanced underwriting processes emphasising compliance readiness and data governance maturity
• Comprehensive coverage integrating legal advisory, forensic investigation, and regulatory support
• Risk-based pricing models that reward robust data protection practices

Looking ahead, cyber insurance will increasingly be evaluated not merely as a risk-transfer mechanism, but as an indicator of an organisation's overall data protection posture and regulatory preparedness.

DPDP Act and the End of Optional Cyber Insurance

The DPDP Act has fundamentally redefined cyber risk in the Indian context. Data breaches are no longer isolated IT failures; they are regulatory events carrying substantial financial, legal, and reputational consequences. In this environment, cyber insurance is transitioning from a discretionary safeguard to a strategic imperative. Organisations that integrate cyber insurance into a comprehensive data governance and enterprise risk management strategy will be better positioned to navigate the evolving regulatory landscape. Conversely, those that remain uninsured or underinsured may discover that the cost of inadequate preparation far exceeds the investment required for robust protection. (This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)