Shai-Hulud Campaign Marks New Era In Supply Chain Attacks

The npm ecosystem is facing one of its most aggressive and technically sophisticated supply chain attacks to date. Over the past several months, security researchers have uncovered a sprawling malware campaign known as Shai-Hulud and its newer variant, Mini Shai-Hulud, which compromised hundreds of legitimate packages across npm and PyPI. The attacks targeted trusted developer tooling, AI SDKs, enterprise automation frameworks, and frontend libraries, transforming routine package installations into malware delivery mechanisms.

What began in 2025 as a worm-style attack affecting approximately 187 npm packages evolved rapidly into a broader campaign that struck organizations including TanStack, Mistral AI, UiPath, OpenSearch, and SAP-related packages. Researchers observed the malware stealing developer credentials, hijacking CI/CD pipelines, and self-propagating through trusted software publishing workflows.

The campaign demonstrates a fundamental shift in software supply chain attacks. Threat actors no longer rely solely on typosquatting or fake packages. Instead, they increasingly compromise legitimate publishing pipelines and signed releases, allowing malicious updates to appear authentic to developers and automated security systems alike.

The original Shai-Hulud campaign emerged in September 2025 when researchers identified a coordinated compromise involving at least 187 npm packages. The malware infected packages with a worm-like payload capable of harvesting npm tokens and propagating itself into additional packages automatically. The attack initially targeted popular libraries such as @ctrl/tinycolor, a package with millions of weekly downloads.

Unlike conventional malware campaigns that rely on phishing or malicious downloads, Shai-Hulud weaponized trust within developer ecosystems. Once attackers obtained valid credentials or publishing access, they inserted malicious scripts directly into legitimate package releases. Developers unknowingly installed malware from official repositories using standard dependency management workflows.

The malware's self-propagating design amplified the threat significantly. Infected environments searched for exposed credentials, CI/CD secrets, GitHub tokens, and npm publishing tokens. The malware then used those credentials to compromise additional packages and repositories, enabling rapid lateral movement throughout the software supply chain.

Security researchers later linked many of these incidents to a threat actor group known as TeamPCP. Investigators observed the group repeatedly targeting development infrastructure rather than end-user systems, recognizing that compromising maintainers and build pipelines offered access to far larger downstream victim pools.

Mini Shai-Hulud Expands the Attack Surface

In May 2026, the campaign escalated dramatically with the emergence of Mini Shai-Hulud, a refined and more aggressive variant targeting high-profile npm and PyPI ecosystems simultaneously, as detailed in research published by Step Security. Researchers from multiple security firms reported that the malware compromised over 160 packages and hundreds of package versions within days.

One of the most alarming aspects of the campaign involved the compromise of TanStack packages. TanStack libraries power routing and state management functionality for countless modern JavaScript applications, making them deeply embedded in enterprise development environments. Researchers discovered that attackers did not merely steal maintainer passwords. Instead, they hijacked trusted CI/CD workflows that used legitimate OpenID Connect identities to publish malicious releases.

This distinction matters because many software security controls assume signed or authenticated releases are trustworthy. In the TanStack incident, the malicious packages appeared to originate from legitimate infrastructure, effectively bypassing many conventional integrity checks.

Affected TanStack packages reportedly included widely used router and history libraries downloaded millions of times weekly. Security researchers warned that any organization using the compromised versions should immediately rotate credentials and inspect build environments for signs of unauthorized activity.
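One way to check a project for compromised versions and for packages that run scripts at install time, as an added example that is not from the original article or any vendor tooling. The advisory list and the sample lockfile are constructed placeholders; `hasInstallScript` is the flag npm records in lockfileVersion 2 and 3.

```javascript
// Added example. ADVISORY and SAMPLE_LOCK are constructed placeholders,
// not real indicators from the Shai-Hulud campaign.
const ADVISORY = new Map([
  ["@example/router", ["1.2.3", "1.2.4"]],
  ["example-sdk", ["2.0.1"]],
]);

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@example/router": { version: "1.2.3", hasInstallScript: true },
    "node_modules/example-sdk": { version: "2.0.0" },
    "node_modules/left/node_modules/example-sdk": { version: "2.0.1" },
    "node_modules/native-addon": { version: "4.1.0", hasInstallScript: true },
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns every installed copy that matches the advisory (including nested,
// transitive copies) plus every package that runs lifecycle scripts on install.
function auditLockfile(lock, advisory = ADVISORY) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const compromised = [];
  const installScripts = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // skip root project and workspace links
    const name = entry.name || packageNameFromPath(path);
    if (!name) continue;
    const id = `${name}@${entry.version}`;
    if ((advisory.get(name) || []).includes(entry.version)) compromised.push({ id, path });
    if (entry.hasInstallScript) installScripts.push(id);
  }
  return { compromised, installScripts };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To use it on a real project, pass the parsed contents of `package-lock.json` and a version list taken from the relevant vendor advisory.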

The campaign also spread into AI development ecosystems. Researchers identified compromised versions of Mistral AI SDK packages on both npm and PyPI. In one incident, malicious code inserted into the mistralai package automatically downloaded a secondary payload disguised as a Hugging Face Transformers component.

Investigators reported that the malware specifically targeted Linux systems and attempted to steal credentials from developer environments and cloud infrastructure. The payload reportedly included destructive functionality capable of wiping systems under certain conditions, further increasing the campaign's severity.

The Shai-Hulud campaigns do not limit themselves to open source community projects. Researchers also uncovered compromised npm packages connected to enterprise vendors including SAP and Bitwarden. These incidents demonstrated how attackers increasingly target software ecosystems that developers inherently trust.

In the SAP-related compromise, attackers modified official npm packages to steal credentials and exfiltrate sensitive information from developer environments. Similarly, a compromised Bitwarden CLI npm package attempted to harvest developer credentials from systems installing the package through standard workflows. These attacks reinforced the reality that even highly respected software vendors remain vulnerable when attackers compromise publishing pipelines or maintainer accounts.

The compromise of credential management and enterprise tooling packages creates especially dangerous conditions for defenders. Developers often grant these tools elevated permissions, API access, and integration into deployment pipelines. Once attackers infiltrate such environments, they can gain indirect access to cloud systems, repositories, secrets managers, and production infrastructure.

Researchers increasingly warn that software supply chain attacks now prioritize "developer infrastructure compromise" over direct malware delivery to end users.

Modern development environments contain a concentration of sensitive assets including:

  • GitHub personal access tokens
  • Cloud API credentials
  • CI/CD pipeline secrets
  • SSH keys and deployment tokens

Attackers recognize that compromising a single developer workstation or build pipeline can provide access to thousands of downstream applications and environments. These findings help explain why campaigns like Shai-Hulud continue spreading rapidly before detection occurs.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
