Tags: package-repository-poisoning, build-pipeline-compromise, credential-stealer-activity, vendor-distribution-compromise

Shai-Hulud Supply-Chain Attack Published Signed Malicious npm and PyPI Packages

Updated 13h ago | First seen May 12, 2026 | 51 sources

A cross-ecosystem software supply-chain campaign dubbed Shai-Hulud compromised more than 170 packages—and possibly hundreds of package versions—across npm, PyPI, and Composer, including projects tied to TanStack, Mistral AI, OpenSearch, Guardrails AI, UiPath, Bitwarden CLI, and official SAP packages. Researchers attributed the activity to TeamPCP, which abused GitHub Actions workflows by chaining pull_request_target misuse, cache poisoning, and theft of GitHub Actions OIDC tokens and other credentials from runner environments. That access let the attackers publish malicious updates carrying apparently legitimate SLSA Build Level 3 provenance, Sigstore attestations, and valid GitHub Actions signatures, undermining trust in signed package releases.

The malicious packages included obfuscated payloads such as router_init.js and setup.mjs that profiled developer and CI/CD environments, stole secrets, and attempted self-propagation by harvesting npm tokens and abusing 2FA bypass paths. Reported targets included AWS IAM credentials, GitHub PATs, HashiCorp Vault tokens, and Kubernetes secrets, with exfiltration routed through the Session P2P network. The malware also established persistence by modifying Claude Code hooks and VS Code auto-run tasks so it could relaunch on startup. Defenders were urged to assume credential exposure if affected versions were installed, rotate secrets, inspect systems for persistence artifacts and unauthorized services, block known command-and-control infrastructure, and pin dependencies to verified hashes.


EVENT TIMELINE

How this story unfolded

28 events from the most recent confirmed update back to the earliest known activity.

May 22, 2026 (4d ago)

Attackers reportedly exfiltrate 3,800 GitHub repos via poisoned Nx Console extension

By 2026-05-22, reporting on the Mini Shai-Hulud campaign said attackers used credentials stolen through a poisoned Nx Console VS Code extension to exfiltrate about 3,800 internal GitHub repositories. The disclosure marked a further escalation of the campaign beyond malicious package publishing into large-scale source repository theft.

Mini Shai-Hulud Attack Forces npm to Reset Bypass-2FA Publishing Tokens

May 19, 2026 (7d ago)

npm invalidates risky write tokens and previews staged publishing

On 2026-05-19, npm invalidated all granular access tokens with write access that bypassed two-factor authentication in response to the Mini Shai-Hulud-linked maintainer compromise. npm also introduced staged publishing in public preview, adding an MFA-verified approval step before CI-published packages become publicly installable.

npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sw...

Copycat Shai-Hulud npm packages appear after source code leak

By 2026-05-19, researchers reported that at least one separate threat actor had published modified Shai-Hulud-based npm packages, including the near-direct clone 'chalk-tempalte,' to steal credentials and propagate through the software supply chain. Researchers also observed Axios-themed typosquatting and at least one package with DDoS botnet functionality, showing the leaked code was already being repurposed beyond the original TeamPCP campaign.

Shai-Hulud worm copycats emerge after source code leak

Researchers reveal Mini Shai-Hulud token-monitoring and cross-platform persistence

On 2026-05-19, reporting on the renewed Mini Shai-Hulud campaign disclosed additional persistence and access-retention features, including Linux systemd user services, macOS LaunchAgents, and components named kitty-monitor and gh-token-monitor. Researchers said these mechanisms help the malware survive package removal and monitor compromised token revocation in near real time, reinforcing guidance to treat affected developer machines and CI/CD pipelines as fully compromised.

Mini Shai-Hulud returns, compromising hundreds of npm packages | CyberScoop

@starmind/collector-cli npm package disclosed as Mini Shai-Hulud victim

By 2026-05-19, community threat intelligence reported that npm package @starmind/collector-cli had been republished with the Mini Shai-Hulud payload during the expanded campaign linked to the atool/AntV compromise. The package was reportedly compromised through a secondary maintainer account, and users were advised to treat all versions published on 2026-05-19 as malicious.

OpenSourceMalware.com - Community Threat Intelligence

Phoenix reports 2,500+ GitHub repos created in expanded npm maintainer compromise

By 2026-05-19, Phoenix Security reported that TeamPCP hijacked the npm maintainer accounts 'atool' and 'prop' to publish 323 malicious packages affecting Alibaba’s AntV ecosystem and other JavaScript libraries. The report described active infostealer payloads that scraped GitHub Actions runner memory, harvested secrets from more than 130 file paths, used GitHub and t.m-kosche.com for exfiltration, and linked the campaign to more than 2,500 public GitHub repositories allegedly created with stolen tokens.

TeamPCP / Mini Shai-Hulud npm Campaign: 600 Packages, Confirmed Active Payload, Memory Scraping, and 2,500+ Compromised GitHub Repositories - Phoenix Security

Malicious @antv and echarts-for-react npm packages tied to Mini Shai-Hulud

By 2026-05-19, researchers reported a new supply-chain attack affecting numerous npm packages in the @antv ecosystem, including echarts-for-react, and linked it to the ongoing Mini Shai-Hulud activity. Unlike earlier disclosures centered on CI/CD publishing abuse, this wave reportedly used compromised maintainer accounts to push trojanized versions that stole credentials and could self-propagate by abusing stolen npm and GitHub tokens.

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Malicious durabletask PyPI releases linked to Mini Shai-Hulud

By 2026-05-19, researchers reported that three PyPI releases of durabletask (1.4.1, 1.4.2, and 1.4.3) had been backdoored with import-time malware tied to Mini Shai-Hulud. The packages fetched a Linux-focused second-stage payload from attacker infrastructure, prompting guidance to treat any host that installed and imported them as fully compromised and rotate exposed credentials.

Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!

May 17, 2026 (9d ago)

NHS England issues government alert naming affected Shai-Hulud packages

By 2026-05-17, NHS England had issued what reporting described as the first government alert on the TeamPCP/Shai-Hulud supply-chain campaign, explicitly naming affected npm and PyPI packages. The alert marked a new stage of official public-sector response to the package compromise wave.

TeamPCP Supply Chain Campaign: Activity Through 2026-05-17

May 14, 2026 (12d ago)

OpenAI discloses TanStack-linked compromise and macOS update requirement

On 2026-05-14, OpenAI said a supply-chain attack tied to the TanStack npm compromise affected two employee devices and enabled limited unauthorized access to a small subset of internal source code repositories related to its iOS, macOS, and Windows products. The company said it found no evidence of customer data theft or modified published software, and told macOS users to update their OpenAI applications by 2026-06-12 to continue receiving updates and support.

OpenAI asks macOS users to update after TanStack npm supply chain attack | The Record from Recorded Future News

Researchers detail TeamPCP Python toolkit fallback C2 and expanded infrastructure

On 2026-05-14, Hunt.io published analysis of the second-stage Python toolkit used in the Mini Shai-Hulud campaign, describing a hardcoded primary C2, a FIRESCALE GitHub commit-message dead-drop fallback verified with an embedded RSA key, and a final exfiltration path using public repositories created under victims’ own GitHub accounts. The report also identified Linux-focused systemd persistence, 13 modular credential-theft components, GovCloud-aware AWS targeting, Kubernetes-focused stealth features, a geofenced wiper routine, and additional Google Cloud infrastructure linked to TeamPCP.

How TeamPCP's Python Toolkit Survives a C2 Takedown: FIRESCALE, GitHub, and the Victim's Own Account

May 13, 2026 (13d ago)

Datadog publishes static analysis of leaked Shai-Hulud framework

On 2026-05-13, Datadog Security Labs published a static analysis of the briefly exposed Shai-Hulud source code, describing it as a modular TypeScript/Bun offensive framework tied to TeamPCP. The report revealed additional capabilities beyond prior reporting, including encrypted exfiltration, Sigstore provenance forgery, signed GitHub commit-based C2 fallback, AI coding assistant persistence, and a coercive deadman switch.

Shai-Hulud Goes Open Source | Datadog Security Labs

TeamPCP reportedly open-sources Shai-Hulud worm on GitHub

On 2026-05-13, researchers reported that TeamPCP appeared to publish Shai-Hulud worm source code in public GitHub repositories under the MIT License, explicitly inviting others to modify keys and command-and-control settings. Researchers said independent threat actors had already started forking and adapting the malware, marking a new proliferation risk beyond the original campaign.

Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub

May 12, 2026 (14d ago)

Researchers estimate Shai Hulud packages had 518 million cumulative downloads

By 2026-05-12, researchers said the Mini Shai-Hulud campaign had compromised more than 170 packages whose combined downloads exceeded 518 million. This marked a significant escalation in the reported reach of the supply-chain attack beyond earlier package-count estimates alone.

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

Security vendors publish impact estimates and remediation guidance

By 2026-05-12, researchers and vendors reported that between roughly 160 and 416 package artifacts had been compromised and advised organizations to assume credential exposure if affected versions were installed. Recommended actions included rotating secrets, auditing for malicious files and persistence hooks, blocking known infrastructure, and pinning dependencies to verified hashes.

TanStack compromise assigned CVE-2026-45321

By 2026-05-12, reporting on the Shai Hulud campaign said the TanStack release-process compromise had been assigned CVE-2026-45321 with a CVSS score of 9.6. This formalized the vulnerability tied to the GitHub Actions and trusted publishing abuse used to ship malicious packages.

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

TanStack discloses release-process compromise details

TanStack said the attackers chained a risky pull_request_target workflow, GitHub Actions cache poisoning, and OIDC token theft from runner memory to compromise its release process. This disclosure provided concrete technical detail on how the campaign abused legitimate CI/CD pipelines to ship malicious versions.
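
A defender-side audit for the workflow pattern described above, as an added example that is not code from TanStack or from this page. It is a text heuristic rather than a YAML parse; the marker names, `audit_workflow`, `audit_repo` and the sample workflow are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed workflow for illustration; not taken from any affected project.
SAMPLE = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps
      - run: npm ci && npm test
"""

# (marker, pattern) pairs, evaluated only when the risky trigger is present.
RULES = [
    ("checks-out-pr-head",
     re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")),
    ("uses-actions-cache", re.compile(r"uses:\s*actions/cache(/\w+)?@")),
    ("grants-id-token-write", re.compile(r"id-token:\s*write")),
]

def audit_workflow(text: str) -> list[str]:
    """Return risk markers for one workflow file."""
    # Ignore comment-only lines so disabled steps are not reported.
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []
    return [name for name, pattern in RULES if pattern.search(body)]

def audit_repo(root) -> dict[str, list[str]]:
    """Audit every workflow under <root>/.github/workflows."""
    report = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            report[path.name] = findings
    return report
```

A workflow that returns all three markers runs fork-controlled code with access to a shared cache and an OIDC token, so it is the first candidate for splitting into an unprivileged build job and a separate privileged publish job.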

Mistral discloses compromised npm packages and says embedded dropper was broken

On 2026-05-12, Mistral disclosed that malicious versions of @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp were briefly available on npm between 22:45 UTC on May 11 and 01:53 UTC on May 12 before removal. The company said the incident appears linked to an affected developer device rather than compromised infrastructure and assessed that the dropper likely failed because it referenced a nonexistent payload filename, though users were still advised to remove affected versions and clean exposed systems.

Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp · Advisory · mistralai/client-ts · GitHub

May 11, 2026 (15d ago)

Backdoored Cemu Linux release linked to Shai-Hulud campaign

On 2026-05-11, attackers uploaded malicious Linux assets to the official cemu-project/Cemu v2.6 GitHub release using a compromised long-term co-author account or token. Datadog later linked the embedded startup.pyz payload to the same supply-chain campaign that hit TanStack and Mistral, with credential theft, persistence, and destructive geofenced behavior on Linux systems.

Backdoored Cemu release linked to TanStack and Mistral supply chain campaign | Datadog Security Labs

OpenSearch discloses malicious prerelease npm packages and containment steps

On 2026-05-11, the OpenSearch Project disclosed that compromised credentials tied to its JavaScript client repository were used to publish malicious prerelease npm packages, including versions 3.5.3, 3.6.2, 3.7.0, and 3.8.0. OpenSearch removed the packages, warned that systems that installed them may be fully compromised, and blocked repository write permissions while rotating credentials.

oss-sec: Fwd: [siren] [Security Advisory] Severity: CRITICAL - Malicious Compromise of OpenSearch Pre-Release npm Packages

Malware steals secrets and establishes developer-environment persistence

The malicious packages deployed credential-stealing payloads that harvested secrets from developer and CI/CD environments, including AWS, GitHub, Vault, and Kubernetes credentials, and attempted self-propagation using stolen npm tokens and 2FA bypasses. The malware also established persistence by modifying Claude Code hooks and VS Code auto-run or configuration files, and exfiltrated data over attacker-controlled infrastructure including the Session P2P network.

Attackers abuse GitHub Actions to publish signed malicious packages

The attackers exploited GitHub Actions workflows, including pull_request_target behavior, cache poisoning, and theft of OIDC tokens and other credentials from CI/CD environments, to publish malicious package updates. The resulting releases appeared legitimate, carrying valid GitHub Actions signatures, Sigstore attestations, and SLSA Build Level 3 provenance.

Shai Hulud supply-chain attack compromises npm and PyPI packages

On 2026-05-11, a coordinated software supply-chain attack attributed to TeamPCP reportedly compromised more than 170 packages across npm and PyPI, with broader reporting later placing the total in the hundreds across npm, PyPI, and Composer. Affected ecosystems included TanStack, Mistral AI, OpenSearch, Guardrails AI, UiPath, Bitwarden CLI, and SAP packages.

Apr 30, 2026 (26d ago)

Researchers link Mini Shai-Hulud execution trick to PolinRider tasks.json abuse

On 2026-04-30, analysis of the Mini Shai-Hulud campaign said its key execution method reused the VS Code tasks.json "runOn: folderOpen" technique previously seen in the PolinRider/TasksJacker activity, while extending it with a Claude Code SessionStart hook and Bun-based payload execution. The report also published concrete IOCs and package-specific compromise details for SAP CAP ecosystem packages, including a stolen npm token for mbt and overly broad GitHub OIDC trusted publishing settings for three @cap-js packages.

Mini Shai-Hulud Borrowed Its Best Trick From PolinRider | OpenSource Malware Blog
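
A check for the two auto-run persistence points named above (VS Code `runOn: folderOpen` tasks and Claude Code `SessionStart` hooks), as an added example that is not from the cited report. It assumes tasks live in `.vscode/tasks.json` and hooks in `.claude/settings*.json` with commands stored under a `command` key; the function names are hypothetical.

```python
import json
import re
from pathlib import Path

# Matches string literals first so "//" inside a string is never treated as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def load_jsonc(text: str):
    """Parse JSON with comments and trailing commas, as VS Code allows in tasks.json."""
    bare = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", bare))

def folder_open_tasks(doc) -> list[str]:
    """Commands of tasks that run automatically when the folder is opened."""
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append(str(task.get("command", task.get("label", "?"))))
    return hits

def session_start_commands(doc) -> list[str]:
    """Every "command" string nested anywhere under hooks.SessionStart."""
    found = []
    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("command"), str):
                found.append(node["command"])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
    walk(doc.get("hooks", {}).get("SessionStart", []))
    return found

def audit_workspace(root) -> dict[str, list[str]]:
    """Map each auto-run config file under root to the commands it launches."""
    report = {}
    targets = [(".vscode/tasks.json", folder_open_tasks),
               (".claude/settings*.json", session_start_commands)]
    for pattern, extract in targets:
        for path in Path(root).rglob(pattern):
            try:
                hits = extract(load_jsonc(path.read_text(encoding="utf-8")))
            except (ValueError, AttributeError, OSError):
                hits = ["<unparseable: review by hand>"]
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report
```

Any entry in the report is a command that runs without user action, so each one should be traced to a known commit by a known author before the folder is opened in an editor again.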

intercom/intercom-php 5.0.2 on Packagist backdoored as Composer plugin

By 2026-04-30, researchers reported that attackers had overwritten intercom/intercom-php version 5.0.2 on Packagist with malicious code tied to Mini Shai-Hulud. The altered package executed as a Composer plugin during installation, downloaded the Bun runtime, and ran an obfuscated credential-stealing payload targeting GitHub tokens, SSH keys, cloud credentials, and environment variables.

Malicious Intercom PHP Package Spreads Mini Shai-Hulud Attack to Packagist via Composer Plugin | Semgrep

Apr 29, 2026 (27d ago)

Mini Shai-Hulud campaign unfolds across npm, PyPI, and Composer

Over April 29–30, 2026, the Mini Shai-Hulud supply-chain attack compromised packages across npm, PyPI, and Packagist/Composer, with researchers later attributing the campaign to TeamPCP. The operation abused CI/CD publishing misconfigurations rather than direct maintainer account takeovers and reportedly exposed roughly 1,800 repositories through stolen credentials.

Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack - Lab Space

Nov 24, 2025 (6mo ago)

Shai-Hulud 2.0 campaign begins via poisoned npm packages

Beginning on 2025-11-24, a 'Shai-Hulud 2.0' supply-chain campaign reportedly spread through poisoned packages including @postman/tunnel-agent 0.6.7 and @asyncapi/specs 6.8.3, targeting Linux-based CI/CD environments and GitHub Actions. Reporting said the worm compromised more than 30,000 GitHub repositories, stole about 500 GitHub usernames and tokens, and exposed up to 400,000 secrets while also attempting to harvest cloud credentials.

Shai-Hulud 2.0 Malware Attack Compromised 30,000 Repositories and Stolen 500 GitHub Usernames and Tokens

Sep 15, 2025 (8mo ago)

Akamai says TeamPCP ran an eight-month supply-chain credential theft campaign

Akamai reported that TeamPCP had been conducting an eight-month campaign focused on harvesting secrets, abusing developer workflows, and expanding access across repositories, packages, and developer tooling before the Mini Shai-Hulud outbreak became widely visible. The report framed the latest worm variant as an escalation of this longer-running operation rather than an isolated incident.

Mini Shai-Hulud: The Worm Returns and Goes Public | Akamai