- First seen
- Apr 30
- Last seen
- Apr 30
- Days running
- 0
Self-replicating Shai-hulud worm spreads token-stealing malware on npm
ReversingLabs@reversinglabs
RL researchers have detected the first self-replicating worm compromising popular npm packages with cloud token-stealing malware.
Seen in
Landing page intelligence
reversinglabs.com
Host
reversinglabs.com
Path
/blog/shai-hulud-worm-npm
Full URL
Redirect chain
1 hop- finalreversinglabs.com
Landing page snapshot
Captured 2026-05-11
Tracking parameters
- utm_source
- Outbrain
- utm_medium
- Discovery
- utm_campaign
- 202206-outbrain-promotion
- utm_content
- richiob
- utm_funnel
- awareness
- utm_term
- 002116bef8e288df2cae54b73a4e635250
- OutbrainClickId
- {{ob_click_id}}
- obOrigUrl
- true
+ 1 known tracker hidden (cloaker IDs scrubbed at ingest).
Tracking setup · Outbrain
Outbrain emits ob_click_id (your unique click), ob_source (publisher), ob_section (placement), and ob_position. Forward ob_click_id to your tracker as the postback key. ob_source and ob_section are the two highest-signal sub-IDs for blacklisting.
?ob_click_id={ob_click_id}&ob_source={ob_source}&ob_section={ob_section}&ob_position={ob_position}Default Outbrain setup template: ?ob_click_id={ob_click_id}&ob_source={ob_source}&ob_section={ob_section}&ob_position={ob_position}