Mini Shai-Hulud Supply-Chain Attack Compromised npm, PyPI, and Composer Packages
Researchers reported that the Mini Shai-Hulud campaign compromised widely used developer packages across npm, PyPI, and Packagist/Composer, including SAP CAP components, intercom-client, intercom/intercom-php, and PyTorch Lightning’s lightning package. The malicious releases delivered an obfuscated credential stealer executed with the Bun runtime, harvesting secrets from developer workstations and CI/CD environments, including GitHub, npm, cloud, Kubernetes, and AI tooling credentials. Stolen data was encrypted and exfiltrated through attacker-created public GitHub repositories, and the campaign was linked by multiple researchers to TeamPCP. Reports estimated exposure ranging from more than 1,000 to roughly 1,800 repositories, with no CVE, GHSA, or OSV identifiers assigned at disclosure.
Investigators said the attackers abused software publishing workflows rather than relying solely on direct maintainer compromise, including a stolen npm token tied to SAP’s cloudmtabot account, an exposed token in CircleCI pull-request builds, and overly broad GitHub and npm OIDC trusted publishing policies. The malware propagated by using stolen npm tokens to publish infected patch versions of additional packages and established persistence through developer tooling by planting .vscode/tasks.json entries with "runOn": "folderOpen" and .claude/settings.json SessionStart hooks, a technique compared to the earlier PolinRider/TasksJacker tradecraft. Maintainers released cleaned package versions, while defenders were urged to rotate credentials, review GitHub, npm, and cloud activity, harden OIDC publishing rules, pin dependencies, and hunt repositories for unauthorized folderOpen tasks and Claude hooks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers attribute Mini Shai-Hulud to TeamPCP
Researchers linked the Mini Shai-Hulud campaign to TeamPCP. Reporting described the operation as abusing CI/CD publishing misconfigurations and stolen tokens to spread malicious package updates across developer ecosystems.
Campaign expands across npm, PyPI, and Packagist ecosystems
Over April 29–30, 2026, Mini Shai-Hulud unfolded as a multi-ecosystem software supply-chain attack affecting npm, PyPI, and Packagist/Composer packages. Researchers said the campaign exposed roughly 1,800 repositories through stolen credentials and self-propagation.
Technical analysis ties execution method to PolinRider/TasksJacker
A later analysis reported that Mini Shai-Hulud reused the VS Code tasks.json "runOn": "folderOpen" execution technique previously associated with the PolinRider/TasksJacker campaign. The report also highlighted added persistence through Claude Code SessionStart hooks and published IOCs and hunting guidance.
Maintainers release updated versions of compromised SAP packages
After the SAP CAP package compromise was disclosed, maintainers of the known-compromised packages released updated versions. Defenders were advised to investigate installations of affected versions and rotate potentially exposed secrets.
Mini Shai-Hulud campaign compromises SAP CAP npm packages
On 2026-04-29, researchers disclosed a supply-chain attack dubbed Mini Shai-Hulud involving compromised npm packages in SAP's Cloud Application Programming Model ecosystem. The malicious packages included credential- and sensitive-data-stealing functionality and exfiltrated stolen data via public GitHub repositories.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack - Lab Space
labs.cloudsecurityalliance.org
Open sourceMini Shai-Hulud Borrowed Its Best Trick From PolinRider | OpenSource Malware Blog
opensourcemalware.com
Open sourceShai-Hulud SAP Attack: Stolen Credentials in 1,200 Repos
ox.security
Open source'Mini Shai-Hulud’ supply chain attack targets SAP npm packages | SOPHOS
sophos.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mini Shai-Hulud Compromised Signed npm and PyPI Packages via GitHub Actions OIDC Abuse
A large software supply-chain campaign dubbed **Mini Shai-Hulud** compromised more than 170 npm packages and at least two PyPI packages tied to projects including **TanStack, Mistral AI, OpenSearch, UiPath, Guardrails AI,** and others. Researchers and vendors attributed the activity to **TeamPCP**, saying the attackers abused GitHub Actions release workflows—especially `pull_request_target`, cache poisoning, and theft of short-lived **OIDC** material from runners—to publish trojanized packages with apparently legitimate **SLSA** provenance, Sigstore attestations, and trusted-publishing signatures. Reports variously counted between roughly 160 and 400+ malicious package versions, with some affected packages totaling hundreds of millions of downloads, and OpenSearch and Mistral both confirmed compromised releases while TanStack described a chained workflow attack on its publishing pipeline. The malware targeted developer workstations and CI/CD systems, stealing **npm**, **GitHub**, cloud, Kubernetes, Vault, SSH, Docker, and AI-tool credentials, then attempting worm-like propagation by republishing infected packages with stolen tokens or workflow-issued publish credentials. Investigators said the payload also established persistence through **VS Code** tasks, **Claude Code** hooks, and in some cases system services, while exfiltrating data through **Session**, GitHub dead drops, and other attacker infrastructure; some variants included extortion notes, dead-man-switch logic, and geofenced destructive behavior. Defenders were urged to treat hosts that installed affected versions as potentially fully compromised, remove persistence before revoking tokens where applicable, rotate all exposed secrets from clean systems, invalidate CI caches, audit lockfiles and publishing activity, and rebuild impacted environments from trusted sources.
Jun 9, 2026
Mini Shai-Hulud Compromised Hundreds of npm Packages via Stolen Maintainer Tokens
Attackers linked by multiple researchers to **TeamPCP** hijacked the npm maintainer account `atool` and used it to publish roughly **639 malicious versions across 323 packages**, heavily impacting Alibaba’s **`@antv/*`** ecosystem as well as packages such as `echarts-for-react`, `timeago.js`, and `size-sensor`. Reports said the malware executed through malicious `preinstall` hooks and an obfuscated Bun-based payload, stealing secrets from developer workstations and CI/CD systems including GitHub, npm, AWS, Kubernetes, Vault, SSH, Docker, and database credentials. The campaign also abused GitHub tokens to create attacker-controlled repositories for exfiltration, scraped GitHub Actions runner memory for plaintext secrets, and in some cases targeted trusted tooling including a briefly compromised **Nx Console** VS Code extension. Researchers said the operation was worm-like and self-propagating, using stolen npm tokens to tamper with and republish additional packages under legitimate maintainer identities, with the broader **Mini Shai-Hulud** activity now tracked across npm, PyPI, and Composer. The malware reportedly established persistence in developer environments through modified VS Code and Claude Code settings and OS-level services, while some reports warned it also attempted to forge valid **Sigstore/SLSA provenance** using stolen CI identities. In response, **npm invalidated all write-enabled granular access tokens that bypassed two-factor authentication** and introduced **Staged Publishing** in preview, but researchers warned that any machine or pipeline that installed affected versions should be treated as fully compromised and all reachable credentials rotated immediately.
Jun 10, 2026
Shai-Hulud npm Worm Expanded Into Cross-Ecosystem Supply Chain Attacks
A supply-chain malware campaign known as **Shai-Hulud** compromised hundreds of packages in the npm ecosystem and later spread into both npm and PyPI, using stolen maintainer credentials and trusted publishing workflows to push trojanized releases. Early reporting said the worm affected more than 500 npm packages, searched infected developer and CI/CD environments for GitHub Personal Access Tokens, cloud API keys, and other secrets, and exfiltrated them to attacker-controlled infrastructure and public GitHub repositories. GitHub removed hundreds of malicious packages, while CISA urged organizations to review dependencies, check for cached malicious packages, rotate credentials, and enforce phishing-resistant MFA for developer accounts. Later waves became more aggressive and broader in scope. Researchers said a second campaign hit hundreds more npm packages and had a blast radius exceeding **27,000 repositories**, abusing `preinstall` and other lifecycle hooks to steal secrets, hijack GitHub Actions, self-propagate into additional packages, and in some cases deploy a conditional wiper-like payload. A subsequent **Mini Shai-Hulud** wave affected more than 170 packages across npm and PyPI, including packages tied to TanStack, Mistral AI, OpenSearch, Guardrails AI, UiPath, and others; it used files such as `router_init.js`, invoked Bun through malicious package scripts, targeted npm, GitHub, cloud, Kubernetes, Vault, and CI/CD credentials, and demonstrated that provenance and OIDC-based trusted publishing can still be abused when attacker-controlled code runs inside legitimate release workflows.
May 25, 2026