Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
MSC-2025-11629
Good to know:
Date: December 27, 2025
A newly detected malware strain of Shai Hulud was discovered in an npm package called "@vietmoney/react-big-calendar." This appears to be in early testing stages with limited spread, suggesting the attackers may have been testing their payload. The new variant includes several updates from previous versions, such as changed file names, a new GitHub repository description ("Goldox-T3chs: Only Happy Girl"), improved error handling for TruffleHog timeouts, and better Windows compatibility for package publishing.
Severity Score
Severity Score
Weakness Type (CWE)
Embedded Malicious Code
CWE-506CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |