Shai Hulud Supply Chain Worm Explained

Ransomware doesn’t just freeze computers - it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.

But it’s not all doom and gloom - unless you count your kitchen appliances turning into ad billboards.

All this and more is discussed in episode 436 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Zoë Rose.

EPISODE LINKS:

• EU cyber agency says airport software held to ransom by criminals - BBC News.
• Teenagers charged over cyber attack on TfL costing millions of pounds - Sky News.
• Teen arrested on suspicion of Vegas Strip attack that cost $100M - SF Gate.
• Paris: cyber-attack hits Natural History Museum, cancels exhibition - Sortira Paris.
• Cybersécurité : le Grand Palais et plusieurs musées dont le Louvre victimes d’une attaque par rançongiciel - Le Parisien.
• "Des pièces de collection nationale": le directeur du Muséum d'histoire naturelle de Paris indique que les pépites d'or volées ont "une valeur inestimable" - BFMTV.
• Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit - Security Week.
• Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware - Wiz.
• 180+ NPM Packages Hit in Major Supply Chain Attack - Ox.
• Samsung confirms ads will now be shown on its $1,800+ fridges - UniLad.
• Bosch Cordless Multifunction Tool - Bosch.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SPONSORED BY:

• Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
• Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".