Mini Shai-Hulud Compromised Hundreds of npm Packages via Stolen Maintainer Tokens
Attackers linked by multiple researchers to TeamPCP hijacked the npm maintainer account atool and used it to publish roughly 639 malicious versions across 323 packages, heavily impacting Alibaba’s @antv/* ecosystem as well as packages such as echarts-for-react, timeago.js, and size-sensor. Reports said the malware executed through malicious preinstall hooks and an obfuscated Bun-based payload, stealing secrets from developer workstations and CI/CD systems including GitHub, npm, AWS, Kubernetes, Vault, SSH, Docker, and database credentials. The campaign also abused GitHub tokens to create attacker-controlled repositories for exfiltration, scraped GitHub Actions runner memory for plaintext secrets, and in some cases targeted trusted tooling including a briefly compromised Nx Console VS Code extension.
Researchers said the operation was worm-like and self-propagating, using stolen npm tokens to tamper with and republish additional packages under legitimate maintainer identities, with the broader Mini Shai-Hulud activity now tracked across npm, PyPI, and Composer. The malware reportedly established persistence in developer environments through modified VS Code and Claude Code settings and OS-level services, while some reports warned it also attempted to forge valid Sigstore/SLSA provenance using stolen CI identities. In response, npm invalidated all write-enabled granular access tokens that bypassed two-factor authentication and introduced Staged Publishing in preview, but researchers warned that any machine or pipeline that installed affected versions should be treated as fully compromised and all reachable credentials rotated immediately.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Compromised Nx Console VS Code extension is live for 11 minutes
Researchers reported that a malicious Nx Console VS Code extension was available briefly and sought GitHub, AWS, Kubernetes, Vault, and Claude Code credentials while attempting persistence and provenance forgery. SC Media states the extension was live for 11 minutes during the campaign.
TeamPCP's Mini Shai-Hulud campaign begins in March
Researchers described the AntV/npm activity as the third wave of an ongoing credential-chain operation that began in March and linked it to TeamPCP. This establishes that the broader Mini Shai-Hulud campaign predates the May npm wave.
npm launches Staged Publishing public preview
npm introduced Staged Publishing in public preview, adding an MFA-approved staging step before CI-published packages become publicly installable. Reporting explicitly dates this mitigation rollout to May 20.
npm invalidates write-enabled granular tokens that bypass 2FA
In response to the supply-chain attacks, npm invalidated all granular access tokens with write access that bypassed two-factor authentication. The action was explicitly reported as taking place on May 19.
Worm-like propagation compromises secondary packages such as @starmind/collector-cli
After the initial atool takeover, the malware used stolen npm tokens to enumerate publishable packages, inject itself, and republish them under additional maintainer accounts. OpenSourceMalware reported @starmind/collector-cli was compromised this way, not directly through atool.
Malicious npm packages are mass-published in the AntV ecosystem
Using the compromised maintainer account, attackers published roughly 637-639 malicious versions across 317-323 npm packages, heavily affecting Alibaba's @antv ecosystem along with packages such as echarts-for-react and timeago.js. Reports describe the burst as occurring within minutes and as part of a single overnight wave.
Attacker compromises npm maintainer account 'atool'
The Mini Shai-Hulud npm wave was triggered by the compromise of the legitimate npm maintainer account 'atool'. Multiple reports identify this account takeover as the immediate precursor to the malicious package publishing spree.
Mini Shai-Hulud hits 42 TanStack packages
Researchers said the broader campaign had already compromised 42 TanStack packages before the AntV wave. This earlier incident was explicitly anchored to May 11 in reporting on the later npm response.
Sources
Mini Shai-Hulud Attack Forces npm to Reset Bypass-2FA Publishing Tokens (cybersecuritynews.com)
npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sw... (socket.dev)
New Mini Shai-Hulud attack targets npm ecosystem | news | SC Media (scworld.com)
600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack (cybersecuritynews.com)
AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks | InfoWorld (infoworld.com)
OpenSourceMalware.com - Community Threat Intelligence (opensourcemalware.com)
TeamPCP / Mini Shai-Hulud npm Campaign: 600 Packages, Confirmed Active Payload, Memory Scraping, and 2,500+ Compromised GitHub Repositories - Phoenix Security (phoenix.security)
VU#534320 - NPM supply chain compromise exposes challenges to securing the ecosystem from credential theft and self-propagation (kb.cert.org)