Risky Business #807 – Shai-Hulud npm Worm Wreaks Old-School Havoc
Release Date: September 17, 2025
Host: Patrick Gray
Co-Host: Adam Boileau
Episode Overview
This episode dives into the chaos unleashed by the "Shai-Hulud" npm worm—a highly unusual, self-replicating malware that has sparked old-school excitement in the security community. Patrick Gray and Adam Boileau analyze the technical and cultural ramifications of this attack, along with other major security stories of the week: ransomware and data extortion trends, the TikTok sale saga, revelations about China’s Great Firewall, the spyware market's surge, and legal consequences for cybercriminals. The episode maintains Risky Business' trademark blend of deep analysis and wry amusement at the field's enduring unpredictability.
Major Discussion Points & Insights
1. Shai-Hulud npm Worm: Supply Chain Chaos Returns
[00:49–05:26]
Key Points:
- A credential-stealing, self-replicating worm was published to the npm registry, targeting the developers who install the compromised packages.
- On an infected machine it runs TruffleHog to sweep the filesystem for secrets and then, bizarrely, exfiltrates them by committing them to public GitHub repositories.
- If it finds npm publishing credentials, it injects itself into the packages the victim maintains and republishes them, so everyone who installs the new versions is infected in turn: classic worm propagation.
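The propagation step above only works if the republished package gets code execution on the next developer's machine, and the cheapest way to get that during `npm install` is an install-time lifecycle script. The script below is an added example, not code from the episode or from the worm itself: it walks a node_modules tree, lists every package that declares a preinstall/install/postinstall/prepare hook, and checks whether the project's .npmrc has `ignore-scripts=true`. The sample tree (`left-pad-ish`, `@acme/widget`, `node setup.js`) is constructed in a temporary directory for the demo and is not taken from the real incident.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

Added example (not from the podcast and not the worm's code). Lifecycle
hooks run automatically during `npm install` unless ignore-scripts is set,
which is why a self-propagating package wants one. The demo tree below is
constructed, not real packages.
"""
import json
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: Path) -> list:
    """Return one record per package that declares an install-time hook."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": data.get("name", pkg_json.parent.name),
                "version": data.get("version", "?"),
                "path": str(pkg_json.parent.relative_to(node_modules)),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda f: f["name"])


def parse_npmrc_ignore_scripts(text: str) -> bool:
    """True if the .npmrc content sets ignore-scripts=true (hooks won't run)."""
    for line in text.splitlines():
        # .npmrc is ini-style; '#' and ';' start comments
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "ignore-scripts":
                return value.strip().lower() == "true"
    return False


def ignore_scripts_enabled(npmrc: Path) -> bool:
    return npmrc.exists() and parse_npmrc_ignore_scripts(npmrc.read_text(encoding="utf-8"))


def build_demo_tree(root: Path) -> None:
    """Constructed sample: one benign package, one with a postinstall hook."""
    benign = root / "node_modules" / "left-pad-ish"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "version": "1.0.0", "main": "index.js"}))
    suspicious = root / "node_modules" / "@acme" / "widget"
    suspicious.mkdir(parents=True)
    (suspicious / "package.json").write_text(json.dumps(
        {"name": "@acme/widget", "version": "2.3.1",
         "scripts": {"postinstall": "node setup.js"}}))
    (root / ".npmrc").write_text("registry=https://registry.npmjs.org/\n")


def audit(project_root: Path) -> dict:
    """Report whether hooks are disabled and which packages declare them."""
    return {
        "ignore_scripts": ignore_scripts_enabled(project_root / ".npmrc"),
        "packages_with_hooks": find_install_scripts(project_root / "node_modules"),
    }


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return audit(root)


if __name__ == "__main__":
    report = run_demo()
    print("ignore-scripts set:", report["ignore_scripts"])
    for f in report["packages_with_hooks"]:
        print(f"{f['name']}@{f['version']} ({f['path']}): {f['hooks']}")
```

Point `audit()` at a real project root to get the same report; a package that declares a hook is not necessarily malicious, but every entry is something that runs arbitrary code on install and deserves a look, and `ignore-scripts=true` in the project or CI .npmrc removes that execution path entirely.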
Quotes & Memorable Moments:
- “It’s an honest to God Internet worm... I’ll admit to being a little bit stoked when I woke up today on a show day and this had happened. I’m like, hell yeah...” – Patrick Gray [04:06]
- “Kind of chaotic, but smart.” – Adam Boileau on publishing the stolen secrets to public GitHub repos [01:59]
- Discussion of CrowdStrike’s npm packages being affected and the company’s PR response.
Insights:
- The attack evokes nostalgia for earlier, wilder Internet days, and raises serious questions about npm’s central role and ability to contain outbreaks.
- “The optics of it just aren’t great. Right. And it’s just... every time something happens that makes CrowdStrike look bad, their response seems to make it look even worse.” – Patrick Gray [05:26]
2. Jaguar Land Rover Ransomware: Local Attackers, National Fallout
[05:26–09:41]
Key Points:
- The ransomware attack on Jaguar Land Rover could keep production halted until November and may bankrupt suppliers; early talks of government intervention are underway.
- Attackers are suspected to be domestic UK actors—highlighting a shift from the typical foreign (often Russian) ransomware groups.
Quotes:
- “They are going to get caught, like. I mean, I would bet solid money that within the next year they’re getting caught.” – Patrick Gray on the UK-based attackers [06:24]
- On data extortion's rise: “If we convinced ransomware actors to get into data extortion, I would call that actually a massive win. Because…it’s way less disruptive than something like ransomware.” – Patrick Gray [07:34]
Insights:
- The hosts distinguish between disruptive ransomware (impacting availability) and the “gentler” though still damaging data extortion.
- Emphasis on the urgent need for precise language (“ransomware” vs. “data extortion”) to drive policy and effective response strategies.
3. TikTok’s Future: US Consortium vs. CCP
[10:34–13:13]
Key Points:
- Latest news: TikTok’s US business may be controlled by an investor group (Oracle, Silver Lake, Andreessen Horowitz), with ByteDance licensing technology rather than an outright sale.
- Raises the uneasy choice between control by American venture capitalists or the Chinese Communist Party.
Quotes:
- “As an Australian who likes TikTok and enjoys TikTok, it made me really sad… The choice is going to be made for us and we’re either going to wind up with a TikTok that’s controlled by a bunch of lunatic Americans or a TikTok that’s controlled by the Chinese Communist Party. And at the moment, I don’t know which one I would prefer.” – Patrick Gray [11:17]
- “If current TikTok is the Chinese Communist Party version, like, I can’t imagine the American one is going to be better than current TikTok...” – Adam Boileau [12:16]
Insights:
- The uncertainty and geopolitical shenanigans leave users caught between two undesirable alternatives, exposing the messy reality of global technology governance.
4. The Great Firewall Leak: China’s Exportable Censorship Industry
[13:16–18:12]
Key Points:
- A major data leak reveals operational details of China’s Great Firewall and its commercialization (“Great Firewall in a box”) for export to regimes in Kazakhstan, Pakistan, Ethiopia, Myanmar, and possibly Algeria.
- The firewall is developed via public-private partnerships and spun out of academic research—mirroring commercialization trends in the West.
Quotes:
- “China has innovated in this massive censorship at scale stuff… I am old enough to remember when people in the west… would ridicule the Great Firewall of China because they’re like, ‘you can’t stop the Internet.’ Well, go try.” – Patrick Gray [15:29]
- “They have a slightly easier problem… when you’re the Chinese Communist Party, you don’t really have that kind of degree of feedback.” – Adam Boileau [16:22]
Insights:
- China’s technical success with digital control becomes an export market, influencing global digital repression.
- The hosts reflect soberly on the normalization and profitability of Internet censorship.
5. Spyware Market Report: Investors Surge as Security Tightens
[18:12–20:47]
Key Points:
- Atlantic Council’s latest surveillance tech report shows a significant increase in US capital investment, particularly into Israeli spyware vendors.
- Apple’s newly announced Memory Integrity Enforcement (hardware-backed memory-safety protections) may dramatically raise the cost of reliable exploitation, and therefore the price a working bypass commands among spyware vendors.
Quotes:
- “You look at the actual chart of the number of investors... and it looks like someone made a mistake on the graph. It’s going to the moon.” – Patrick Gray [20:03]
Insights:
- The tightening of exploitation methods (e.g., memory protections) may only make successful exploits more lucrative, fueling an arms race.
6. Vastaamo Case: Legal & Human Fallout from Health Data Extortion
[20:47–23:00]
Key Points:
- The hack of Finnish mental health clinic Vastaamo led to patients being extorted with their own therapy records; the attacker “Zeekill” (Aleksanteri Kivimäki) was previously convicted but has now been released pending appeal because of Finnish legal procedure.
- A new arrest: an American living in Estonia linked to the same extortion network.
Quotes:
- “Him walking free, regardless of the legal process, doesn’t feel great.” – Adam Boileau [21:46]
Insights:
- The aftermath of extortion attacks on sensitive data is ongoing, with delayed legal closure compounding victim distress.
7. BreachForums & Law Enforcement: Sentencing, Forum Takedowns
[23:00–24:09]
Key Points:
- Pompompurin (Conor Fitzpatrick), founder and admin of BreachForums, has been re-sentenced to three years in prison after US prosecutors successfully appealed his original sentence of time served.
Quotes:
- “Breach forums was pretty big and like a lot of bad stuff happened there. So I guess I don’t feel too bad about him seeing the inside of the prison.” – Adam Boileau [24:09]
8. Microsoft, Kerberos & Wyden: A Senator’s Crypto Crusade
[24:09–31:00]
Key Points:
- Microsoft and Cloudflare took down RaccoonO365, a phishing-as-a-service platform. Separately, Senator Ron Wyden published a letter criticizing Microsoft for still permitting weak RC4 encryption by default in Active Directory’s Kerberos implementation.
- “Kerberoasting” exploits that default: any authenticated domain user can request a service ticket for any account with a service principal name, and when the ticket is issued with RC4 it is encrypted under the service account’s NT hash (an unsalted MD4 of the password), which cracks offline far faster than an AES-encrypted ticket whose key is derived with PBKDF2.
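Two checks a defender would actually run against the problem described above, as an added example (not from the episode and not Microsoft code): a detector over Windows Event ID 4769 (“A Kerberos service ticket was requested”) records that flags an account pulling RC4 (Ticket Encryption Type 0x17) tickets for many distinct services in a short window, and a decoder for the account attribute msDS-SupportedEncryptionTypes that says whether an account can still be issued RC4 tickets. The event records are constructed sample data in a simplified dict form rather than raw Windows XML, and the five-services-in-five-minutes threshold is an assumed tuning value, not a standard.

```python
"""Kerberoasting detection over 4769 events and RC4 exposure check.

Added example, not code from the podcast or from Microsoft. The 4769
records in sample_events() are constructed; field names mirror the
event's "Account Name", "Service Name", "Ticket Encryption Type" and
"Failure Code" fields in simplified form.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

RC4_HMAC = 0x17   # Ticket Encryption Type for RC4-HMAC-MD5 (etype 23)
AES128 = 0x11     # AES128-CTS-HMAC-SHA1-96 (etype 17)
AES256 = 0x12     # AES256-CTS-HMAC-SHA1-96 (etype 18)

# Bits of the AD attribute msDS-SupportedEncryptionTypes
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}


def rc4_allowed(supported_etypes: Optional[int]) -> bool:
    """True if the account can be issued RC4 service tickets.

    An unset or zero attribute means "use the domain default", and that
    default still includes RC4 on most domains (the default Wyden's letter
    objects to). Setting the attribute to AES-only (0x18) closes it.
    """
    if not supported_etypes:
        return True
    return bool(supported_etypes & 0x04)


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5) -> dict:
    """Map account -> sorted list of services when that account obtained
    RC4 service tickets for >= threshold distinct services inside `window`.
    Each event: {"time", "account", "service", "etype", "status"}."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["status"] != 0x0 or ev["etype"] != RC4_HMAC:
            continue  # only successful RC4 tickets matter for roasting
        if ev["service"].endswith("$") or ev["service"].lower() == "krbtgt":
            continue  # computer accounts and krbtgt are not roasting targets
        per_account[ev["account"]].append((ev["time"], ev["service"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window from each request
            seen = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                alerts[account] = sorted(seen)
                break
    return alerts


def sample_events() -> list:
    """Constructed 4769 records: one user sweeping SPNs with RC4, plus noise."""
    base = datetime(2025, 9, 17, 9, 0, 0)
    spns = ["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_exchange", "svc_ci"]
    evs = [{"time": base + timedelta(seconds=10 * i), "account": "jdoe",
            "service": s, "etype": RC4_HMAC, "status": 0x0}
           for i, s in enumerate(spns)]
    # Normal user: an AES ticket to one service, and an RC4 ticket to a
    # computer account (file server), neither of which should alert.
    evs.append({"time": base, "account": "asmith", "service": "svc_web",
                "etype": AES256, "status": 0x0})
    evs.append({"time": base + timedelta(minutes=1), "account": "asmith",
                "service": "FILESRV01$", "etype": RC4_HMAC, "status": 0x0})
    return evs


if __name__ == "__main__":
    for acct, spns in detect_kerberoasting(sample_events()).items():
        print(f"ALERT {acct}: RC4 tickets for {len(spns)} services: {', '.join(spns)}")
    for name, val in (("svc_sql", 0), ("svc_web", 0x18), ("svc_backup", 0x1C)):
        names = [n for bit, n in ETYPE_BITS.items() if val & bit] or ["domain default"]
        print(f"{name}: msDS-SupportedEncryptionTypes={val:#x} "
              f"({', '.join(names)}) rc4_allowed={rc4_allowed(val)}")
```

The detector keys on the encryption type rather than on volume alone because legitimate tooling also requests many tickets, but modern clients ask for AES; an interactive user whose tickets come back as 0x17 is either running a roasting tool that requests RC4 on purpose or talking to an account that only supports RC4, and both are worth a look. The attribute check is the preventive side: an SPN-bearing service account with the attribute unset is roastable at RC4 cost until someone sets it to 0x18.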
Quotes:
- “...It is ridiculous that they haven’t [fixed it]. But surely if you’re a senator you might be able to find some sort of broader message than hey, update from RC4 to stop Kerberoasting.” – Patrick Gray [27:49]
- “If it makes Microsoft change the default, then good, I guess. But it’s just a little weird.” – Adam Boileau [29:08]
- “At the same time, like, don’t you have anything else to be doing, buddy?” – Patrick Gray [31:00]
Insights:
- The discussion highlights the convoluted interplay of legacy technology, politics, and security advocacy.
- Even arcane technical issues can get thrown into the limelight when lawmakers get involved, sometimes for better, sometimes just… weird.
9. “Red Menace in the Weather Station”: Infrastructure Hysteria or Real Concern?
[31:00–36:31]
Key Points:
- Reports claim Chinese-manufactured solar-powered roadside infrastructure (chargers, weather stations) has hidden radios (“rogue devices”) embedded within, raising US espionage fears.
- The hosts downplay the risk, noting that commodity hardware routinely ships with radio modules the integrator never uses, and that the reporting offers little evidence the radios were actually being used for anything malicious.
Quotes:
- “It’s a strange one to be excited about. I just... feel like the important detail is missing, which is that they were doing something with it or...” – Adam Boileau [33:49]
- “...sometimes [it's] grasping at straws for the China threat, when really there’s a lot of stuff they are doing which is a lot more threatening.” – Patrick Gray [36:31]
10. Israel Seizes Iranian Crypto Wallets: Messaging More Than Money
[36:32–38:52]
Key Points:
- Israel claims to have seized crypto wallets linked to Iran’s IRGC, possibly just “burning” the wallets by blacklisting rather than physically confiscating them.
- $1.5M in seized wallets, with $1.5B having passed through, likely meaning little practical disruption to Iranian activities.
Quotes:
- “Even the IRGC can’t de-dollarize, Adam, which I find quite fascinating.” – Patrick Gray [38:47]
- “The important thing is that Iran knows that people are watching them.” – Adam Boileau [38:25]
Notable Quotes & Memorable Moments
- “You just gotta — I don’t want to have to hand it to them, but I... I’m kind of here for the... just, like, the chaos of it.” – Adam Boileau on the npm worm [03:28]
- “Do we want Muskified TikTok or CCP TikTok? I actually don’t know.” – Patrick Gray [11:17]
- “I am old enough to remember when people in the west... would ridicule the Great Firewall of China... Well, go try.” – Patrick Gray [15:29]
- A neat summary of the policy nuance: “If we convinced ransomware actors to get into data extortion, I would call that actually a massive win...” – Patrick Gray [07:34]
- “Don’t do crime, kids.” – Patrick Gray [24:09]
- On Ron Wyden’s technical quest: “At the same time, like, don’t you have anything else to be doing, buddy?” – Patrick Gray [31:00]
Technical & Policy Deep Dives (with Timestamps)
- Shai-Hulud npm Worm Mechanics and npm's Response [00:49–05:26]
- Distinguishing Ransomware vs. Data Extortion [07:06–10:19]
- TikTok US Ownership Saga & Geopolitical “No-Win” Choices [10:34–13:13]
- China's Censorship Tech Export Supply Chain [13:16–18:12]
- Spyware Industry Mapping by Atlantic Council [18:12–20:47]
- Kerberos, RC4, and Congressional Nerdery [24:09–31:00]
- “Rogue” Radios in Infrastructure: Separating Signal from Noise [31:00–36:31]
- Crypto, Iran, and State Messaging [36:32–38:52]
Sponsor Interview Highlight: Knocknoc on Securing Messy Internal Networks
Interview with Adam Pointon, CEO of Knocknoc, starts at [41:34]
Key Points & Quotes:
- Knocknoc is increasingly used not only to hide external attack surface but also to micro-segment messy internal networks with little effort.
- “A lot of the aha moments our customers have is, ‘Why do we have always-on network access?’ Why are these systems always accessible?...It just seems crazy.” – Adam Pointon [45:13]
- Recent features enable fine-grained, time-limited access and fast segmentation without needing large-scale network re-architecture.
- Plans to publish their threat model for transparency (“I think it’s the healthy right thing to do where we’re comfortable with our threat model... and I’d love to see other vendors doing that as well.” – Adam Pointon [51:21])
Closing Note
The episode has a playful but incisive tone, with Patrick and Adam oscillating between technical depth and bemused commentary on the security industry’s quirks and persistent failures. Whether marveling at new-old threats like Internet worms or dissecting international drama over TikTok, Risky Business #807 delivers both news and analysis for practitioners and interested observers alike—no pointless waffle.
