Protect Your Enterprise Now From the Shai-Hulud Worm and npm Vulnerability in 6 Actionable Steps
Researchers say 400-plus package artifacts were compromised across npm, PyPI and Composer as attackers used valid provenance to hide credential-stealing malware.
- Yesterday, attackers published 84 malicious versions across 42 TanStack packages on npm (the Node Package Manager), each carrying valid provenance and signatures.
- This incident is part of the ongoing Shai-Hulud campaign, which has compromised hundreds of packages across Node Package Manager, PyPI, and Composer since last September.
- By hijacking valid OpenID Connect (OIDC) tokens from GitHub Actions, the threat actors published malicious packages that carry verifiable SLSA Build Level 3 attestations; as Snyk researchers put it, the "attack produces valid SLSA Build Level 3 attestations for malicious packages."
- The payload reads GitHub Actions process memory to collect credentials from more than 100 file paths, including AWS Secrets Manager, Kubernetes service account tokens, and SSH keys.
- Researchers recommend that security teams rotate all credentials, including GitHub tokens and npm tokens, and audit IDE directories for malicious files that survive package reinstallation.
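The point of the OIDC bullet above is that a valid signature and a valid SLSA attestation only prove that a trusted builder signed the statement; they say nothing about whether the workflow run that minted it was under the maintainers' control. What a reviewer can still extract from the attestation is which repository, workflow, ref, trigger event and commit the builder claims produced the package, and those claims can be checked against the project's known release process. The following Python is an added example, not code from the page or from any of the projects or researchers it cites. It decodes the DSSE payload of a Sigstore bundle in the shape npm serves from its attestations endpoint, summarizes the SLSA v1 provenance, and applies a small expectation policy. The bundles, the `example-org/widget` repository, the workflow path and the builder id constant are constructed assumptions; the signatures are placeholders and are not verified here (signature verification is what `npm audit signatures` already does).

```python
"""Read the SLSA provenance behind a "valid" npm attestation and check its claims.

Added example (not the page's or any project's own code). Sample bundles below are
constructed, not real registry responses; the signatures are placeholders.
"""
import base64
import json

# Builder id that GitHub-hosted runners stamp into npm-published SLSA v1 provenance.
# Assumption for this example; compare against a real attestation before relying on it.
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"
SLSA_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO = "application/vnd.in-toto+json"

# Hypothetical release process we expect the provenance to match.
EXPECTED = {
    "repository": "https://github.com/example-org/widget",
    "workflow_path": ".github/workflows/release.yml",
    "events": {"push", "release"},
}


def decode_dsse_statement(bundle):
    """Return the in-toto statement carried in the bundle's DSSE envelope."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != IN_TOTO:
        raise ValueError("not an in-toto DSSE envelope: %r" % env.get("payloadType"))
    statement = json.loads(base64.b64decode(env["payload"]))
    if statement.get("predicateType") != SLSA_V1:
        raise ValueError("not SLSA v1 provenance: %r" % statement.get("predicateType"))
    return statement


def summarize_provenance(statement):
    """Pull out the fields a reviewer must reconcile with the project's repo."""
    pred = statement["predicate"]
    build = pred["buildDefinition"]
    wf = build["externalParameters"]["workflow"]
    gh = build["internalParameters"]["github"]
    src = build["resolvedDependencies"][0]
    return {
        "subject": statement["subject"][0]["name"],
        "builder": pred["runDetails"]["builder"]["id"],
        "repository": wf["repository"],
        "workflow_path": wf["path"],
        "ref": wf["ref"],
        "event": gh["event_name"],
        "commit": src["digest"]["gitCommit"],
    }


def check_expectations(summary, expected):
    """Return a list of findings; an empty list means the claims match the policy."""
    findings = []
    if summary["builder"] != GITHUB_HOSTED_BUILDER:
        findings.append("builder is not the GitHub-hosted runner: " + summary["builder"])
    if summary["repository"] != expected["repository"]:
        findings.append("built from unexpected repository: " + summary["repository"])
    if summary["workflow_path"] != expected["workflow_path"]:
        findings.append("built by unexpected workflow: " + summary["workflow_path"])
    if summary["event"] not in expected["events"]:
        findings.append("unexpected trigger event: " + summary["event"])
    if not summary["ref"].startswith("refs/tags/"):
        findings.append("not built from a release tag: " + summary["ref"])
    return findings


def audit(bundle, expected=EXPECTED):
    return check_expectations(summarize_provenance(decode_dsse_statement(bundle)), expected)


def make_sample_bundle(ref, event, workflow_path=".github/workflows/release.yml"):
    """Constructed sample bundle in the shape of an npm attestation (not real data)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example-org/widget@1.2.3",
                     "digest": {"sha512": "00" * 64}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": ref, "repository": EXPECTED["repository"], "path": workflow_path}},
                "internalParameters": {"github": {
                    "event_name": event, "repository_id": "1", "repository_owner_id": "2"}},
                "resolvedDependencies": [{
                    "uri": "git+%s@%s" % (EXPECTED["repository"], ref),
                    "digest": {"gitCommit": "a" * 40}}],
            },
            "runDetails": {"builder": {"id": GITHUB_HOSTED_BUILDER}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"dsseEnvelope": {"payloadType": IN_TOTO, "payload": payload,
                             "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]}}


if __name__ == "__main__":
    for label, bundle in [("tag push", make_sample_bundle("refs/tags/v1.2.3", "push")),
                          ("manual dispatch", make_sample_bundle("refs/heads/main", "workflow_dispatch"))]:
        print(label, "->", audit(bundle) or ["OK"])
```

The caveat that matters for this campaign: an attestation minted with an OIDC token stolen from a legitimate release run will carry the real repository, workflow and commit and pass every check above. What the provenance still gives you in that case is a concrete commit and run id to reconcile with the repository's tags and Actions history, which is why the first response is rotating the tokens rather than trusting the attestation.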
11 Articles
Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps
TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it exploited and the Monday-morning fix for each one.
Compromised Mistral AI and TanStack packages may have exposed GitHub, cloud and CI/CD credentials in 'mini Shai Hulud' malware infection — supply-chain campaign spreads across npm and AI developer ecosystems like wildfire
Microsoft says attackers compromised the mistralai PyPI package with malware that executed on import, while researchers link related npm compromises affecting TanStack and Mistral SDKs to the broader “Mini Shai-Hulud” supply-chain campaign.
An attacker released 84 malicious versions across 42 packages of the TanStack suite, stealing credentials from cloud environments. (Source article: "JavaScript Attack Can Empty Cryptocurrency Wallets", first published on CryptoNews - Bitcoin, Ethereum, and Cryptocurrency News.)
Hackers Hijacked 169 Popular npm Developer Packages
The TeamPCP threat group launched a coordinated supply-chain attack that compromised 169 npm packages on May 11, 2026. The Mini Shai-Hulud worm targeted TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI, hijacking GitHub Actions with stolen OIDC tokens. The attack represents the first npm worm to ship with valid SLSA Build Level 3 provenance. (The post "Mini Shai-Hulud Worm Compromises Over 169 npm Packages" appeared first on TechJuice.)
Coverage Details
Bias Distribution
- 100% of the sources are Center