What Happened
On December 29, 2025, malware was discovered in the @vietmoney/react-big-calendar npm package (version 0.26.2). The malware, known as Shai-Hulud 3.0, targeted the software supply chain at a time when security teams are typically understaffed. It executed through npm postinstall and preinstall hooks, a long-known attack vector that persists because structural controls around lifecycle scripts remain inadequate.
Timeline
December 25-29, 2025: The holiday period begins, with many security teams operating at minimal capacity.
December 29, 2025: Malicious code is identified in @vietmoney/react-big-calendar version 0.26.2 in the npm registry.
Post-discovery: Organizations using automated dependency updates during the holidays may have installed the compromised package without review.
Attackers timed this incident to exploit reduced oversight during holiday deployments, extending incident response times.
Which Controls Failed or Were Missing
No Lifecycle Script Restrictions
The malware exploited the postinstall and preinstall hooks. These npm lifecycle scripts run automatically during package installation, often without prior code review or monitoring. Allowing unrestricted lifecycle scripts grants package authors—and potential attackers—arbitrary code execution on developer machines and CI/CD pipelines.
Missing Package Verification
The compromised package was available in npm without additional verification beyond basic registry checks. Organizations likely lacked controls to:
- Verify package signatures
- Compare checksums against known-good versions
- Flag packages with recent maintainer changes
- Alert on new packages from unknown publishers
Absent Dependency Pinning
Using version ranges (^0.26.0 or ~0.26.0) instead of an exact, previously reviewed version (written in the form 0.26.2) allowed the malicious version to be installed automatically. Without explicit pinning and a review process, your build can inadvertently pull in and redistribute malware.
No Runtime Isolation
Developer workstations and CI/CD runners likely ran with full system access, allowing the malware to execute with significant privileges.
What the Standards Require
PCI DSS v4.0.1 Requirement 6.3.2
You must manage the security of software components throughout the software development life cycle, including third-party components. Installing unverified packages from public registries during automated processes violates this requirement's intent.
NIST 800-53 Rev 5: SA-10
Configuration management must include integrity verification for third-party dependencies. You cannot rely solely on the npm registry's trust model.
ISO/IEC 27001:2022 Annex A.8.31
This control implies that development dependencies should not automatically propagate to production without verification. Installing packages without review during holidays breaks this separation.
OWASP ASVS v4.0.3: V14.2.1
You must verify that all components are up to date, preferably using a dependency checker during build or compile time. Automatic updates without verification, especially during periods of reduced oversight, create vulnerabilities.
Lessons and Action Items for Your Team
Disable Automatic Lifecycle Scripts
Add this to your .npmrc file:
ignore-scripts=true
This prevents automatic execution of lifecycle hooks. Document exceptions, review them quarterly, and enable scripts only for verified packages. For CI/CD, use npm ci --ignore-scripts instead of npm install. Note that this setting also suppresses your own project's lifecycle scripts (such as prepare) and the pre/post hooks of npm run, so any dependency that genuinely needs an install-time build step must be handled explicitly after review.
Implement Exact Version Pinning
Replace version ranges in package.json with exact versions. Use package-lock.json or yarn.lock and commit it to version control. Every dependency update should require a pull request with reviewer approval.
Deploy a Package Verification Layer
Before installing any package:
- Check it against trusted sources like Snyk Vulnerability DB
- Verify package signatures where available
- Compare checksums against your internal registry mirror
- Flag packages published within the last 72 hours for manual review
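The checks in this list, as an added example that is neither the article's nor any project's code: a Node.js pre-install audit that flags unpinned ranges, packages published within 72 hours, declared lifecycle scripts, and checksum mismatches. The registry metadata, integrity strings and the internal-mirror checksum table are constructed for illustration (shaped like npm view --json), not the real record for the package named.

```javascript
// Added example, not from the article. Registry metadata below is CONSTRUCTED
// to mimic the shape of `npm view <pkg> --json`; it is not a real registry record.
const RECENT_WINDOW_MS = 72 * 3600 * 1000;          // "published within the last 72 hours"
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Exact version only: rejects ^, ~, x-ranges, dist-tags and comparators.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Audit one resolved dependency against policy. `knownGood` maps version ->
// SRI integrity string from an internal registry mirror (assumed to exist).
function auditDependency({ name, spec, version, meta, knownGood, now }) {
  const findings = [];
  if (!isExactVersion(spec)) findings.push('unpinned range ' + spec);
  const rec = meta.versions[version];
  if (!rec) return [name + '@' + version + ': missing from registry metadata'];
  if (now - Date.parse(meta.time[version]) < RECENT_WINDOW_MS) findings.push('published within 72h');
  const hooks = LIFECYCLE_HOOKS.filter((h) => rec.scripts && rec.scripts[h]);
  if (hooks.length) findings.push('declares lifecycle scripts: ' + hooks.join(', '));
  const expected = knownGood[version];
  if (!expected) findings.push('no known-good checksum on mirror');
  else if (expected !== rec.dist.integrity) findings.push('integrity mismatch vs mirror');
  return findings.map((f) => name + '@' + version + ': ' + f);
}

// Constructed sample: a ^ range in package.json, resolved by the lockfile to a
// version published hours earlier that declares a postinstall hook.
const NOW = Date.parse('2025-12-29T12:00:00Z');
const SAMPLE_META = {
  name: '@vietmoney/react-big-calendar',
  time: { '0.26.1': '2025-11-02T09:00:00Z', '0.26.2': '2025-12-29T03:15:00Z' },
  versions: {
    '0.26.1': { dist: { integrity: 'sha512-CONSTRUCTED-KNOWN-GOOD' } },
    '0.26.2': { scripts: { postinstall: 'node setup.js' }, dist: { integrity: 'sha512-CONSTRUCTED-NEW' } },
  },
};
const KNOWN_GOOD = { '0.26.1': 'sha512-CONSTRUCTED-KNOWN-GOOD' };   // mirror has only the reviewed release

// Runs the audit on the constructed sample; returns the list of policy findings.
function auditSample() {
  return auditDependency({
    name: SAMPLE_META.name, spec: '^0.26.0', version: '0.26.2',
    meta: SAMPLE_META, knownGood: KNOWN_GOOD, now: NOW,
  });
}

auditSample().forEach((f) => console.log('BLOCK ' + f));
```

In a real pipeline the same function would run over every entry of package-lock.json before npm ci, with a non-empty findings list failing the build.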
Isolate Build Environments
Run npm install in containers with minimal privileges. Developer workstations should not run package installations with administrative access. CI/CD runners should operate in ephemeral environments that cannot access production credentials or sensitive systems.
Create Holiday Security Protocols
Establish rules for dependency updates during holidays:
- Freeze all automatic dependency updates from December 20 to January 5
- Require two-person approval for any manual updates during this period
- Extend incident response SLAs and communicate them to stakeholders
The Shai-Hulud 3.0 incident exploited predictable patterns. Your security posture should not rely solely on human vigilance. Implement structural controls that function even when your team is not actively monitoring.