NonFungibleDegen
· 8h ago
ngl this shai-hulud thing sounds actually terrifying... trust wallet getting rekt already had me down bad, now 3.0 incoming? probably nothing but also... everything lol
DeFiDoctor
· 9h ago
Upgrading from 2.0 to 3.0 is just as terrifying as some projects' so-called "innovation." If Trust Wallet really did that, it shows that our code audit process is broken.
We need to regularly review our dependencies quickly; waiting until something goes wrong is too late.
CryptoCrazyGF
· 9h ago
Damn, there's a new trick again. This time it has been upgraded directly to version 3.0, and the attack methods are getting more and more vicious.
---
Was it this thing that caused the Trust Wallet incident? No wonder it caused such a big fuss at the time.
---
The supply chain is truly devilish; if one link falls, the whole system is compromised.
---
They talk about inspection and troubleshooting every day, but how many teams have really carefully reviewed the code...
---
Haven't we learned from the many losses on Solana over the past few years? It's hard to guard against everything.
---
The three points of advice seem simple, but implementing them is an extremely difficult task.
---
It's maddening; key leaks are even more disgusting than losing tokens.
---
Fortunately, I didn't write my own toolchain, or it would have exploded.
---
When will version 4.0 come out after 2 to 3? Hackers are also getting competitive.
ConfusedWhale
· 9h ago
Another round of supply chain nightmare, this time directly targeting the toolchain... better quickly scan through the dependency packages
---
Was the last Trust Wallet incident caused by it? Then why haven't we seen any major movements since?
---
From 2.0 to 3.0 so quickly, it feels like hackers update more frequently than project teams
---
Need to change keys and conduct audits again; the development team probably has to work overtime until dawn these days
---
It's hard to hold on. Is the NPM ecosystem so easily penetrated?
---
If this thing really explodes on a large scale, the exchange's risk control system will probably need to be rewritten
---
Project teams are still sleepy, SlowMist's warning this time deserves a thumbs up
---
The supply chain line really can't be blocked; it's impossible to guard against everything
---
Quickly review the project's dependency packages, and pass the buck to maintainers if possible
BearWhisperGod
· 9h ago
Supply chain issues have occurred again, this time directly escalating to 3.0? The Trust Wallet incident hasn't even settled yet; hackers are really on a roll.
---
We must pay attention to npm, even a single dependency package can cause a crash. Who would still dare to use it confidently?
---
Jumping directly from 2.0 to 3.0, attack iterations are faster than product updates. Unbelievable.
---
Every time we talk about prevention, but when it comes to critical moments, major platforms still react slowly. Someone is probably going to get caught in a trap again this time.
---
The leak of the keys was caused by this? No wonder it caused such a big fuss back then. What kind of fierce attack was that?
---
I just want to know how many small projects got caught this time. Next week, there will probably be another wave of explosive failures.
---
Checking dependencies, updating keys—easier said than done. It's so troublesome to actually do.
---
Shai-Hulud sounds creepy just from the name. Is it really that fierce?
---
Web3 security issues are really one after another. When will they be completely resolved?
---
Supply chain is always the most overlooked part. Everyone focuses on contract vulnerabilities, but it was exposed by such a basic trick.
Alert | New NPM supply chain threat Shai-Hulud 3.0 is here; project teams need to take precautions
【币界】The SlowMist security team has issued an important warning: a new variant of the NPM supply chain attack, "Shai-Hulud 3.0", has appeared.
This attack targets the development toolchain; project teams and major trading platforms need to strengthen their defenses immediately. Reportedly, the earlier Trust Wallet API key leak was very likely caused by a Shai-Hulud 2.0 attack.
Supply chain attacks are becoming more dangerous with each round. From 2.0 to 3.0, the attack techniques keep evolving. Platforms and development teams are advised to review their dependency packages, rotate their keys, and strengthen code audits. Do not let your guard down.
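One concrete way to carry out the "review dependency packages" step from the alert, as an added example that is not part of the Gate post or SlowMist's material: a Python script that walks a `node_modules` tree and lists every package declaring an npm lifecycle install hook (`preinstall`, `install`, `postinstall`, `prepare`). Those hooks run automatically at install time, so they are the part of a third-party package most worth reading before the next install. The package names, versions and script commands below are constructed for the demo, and the `node_modules` layout it builds in a temp directory is an assumption standing in for a real project checkout.

```python
"""Added example: list npm packages under a node_modules tree that declare
lifecycle install hooks. Not from the original post; sample packages are
constructed for the demo."""
import json
import os
import tempfile
from pathlib import Path

# npm runs these scripts automatically during `npm install`; "test", "build"
# and similar scripts only run when invoked explicitly, so they are not listed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(root):
    """Return a sorted list of (package_name, hook_name, command) for every
    package.json below `root` that declares a lifecycle install script.
    Nested node_modules directories are covered because os.walk recurses."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        pkg_path = Path(dirpath) / "package.json"
        try:
            data = json.loads(pkg_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        # Fall back to the directory name when a manifest has no "name" field.
        name = data.get("name") or pkg_path.parent.name
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((name, hook, cmd))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed node_modules layout in a temp directory:
    one package with no hooks, one with a postinstall hook, and one nested
    dependency with a preinstall hook. Returns the temp root path."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-demo-"))
    nm = root / "node_modules"
    manifests = {
        nm / "left-padding-demo": {"name": "left-padding-demo", "version": "1.0.0"},
        nm / "suspicious-demo": {
            "name": "suspicious-demo",
            "version": "3.0.0",
            "scripts": {"postinstall": "node setup.js"},
        },
        nm / "suspicious-demo" / "node_modules" / "nested-demo": {
            "name": "nested-demo",
            "version": "0.1.0",
            # "test" is deliberately present to show it is not reported.
            "scripts": {"preinstall": "sh ./install.sh", "test": "jest"},
        },
    }
    for pkg_dir, manifest in manifests.items():
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for pkg, hook, cmd in find_install_hooks(demo_root):
        print(f"{pkg}: {hook} -> {cmd}")
```

Pointing `find_install_hooks` at a real project's `node_modules` (or running it in CI after `npm ci`) gives a short list of packages whose install-time code a reviewer should actually open and read; a new hook appearing in a package that had none before is the kind of change worth comparing against the lockfile diff before rotating keys.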