The Mini Shai-Hulud worm pushed 639 malicious versions across 323 npm packages in a one-hour burst. Learn how the TeamPCP group exploits developer trust.
The Mini Shai-Hulud worm compromised 323 npm packages in a coordinated hour-long attack on May 19, pushing 639 malicious versions into the AntV data visualization ecosystem [1]. The campaign, attributed to the financially motivated threat actor TeamPCP, used a compromised maintainer account to inject preinstall hooks into high-download dependencies such as echarts-for-react and @antv/scale [1].
The attack sequence began at 01:56 UTC, deploying an obfuscated 498 KB Bun bundle designed to harvest cloud credentials, CI/CD tokens, SSH keys, and local password manager vaults [1]. Once stolen, this data was exfiltrated to GitHub repositories created with Dune-themed names and descriptions containing a reversed "Shai-Hulud" marker [1]. To evade detection, the attackers injected optional dependencies pointing to orphan commits in the legitimate antvis/G2 repository, exploiting how npm’s github: resolver fetches code by commit hash regardless of the fork origin [1].
TeamPCP has emerged as a persistent threat to the open source ecosystem, previously targeting Docker APIs and Next.js before shifting focus to software supply chain compromises [2]. Researchers note that the group’s effectiveness stems from exploiting trusted developer workflows rather than relying on complex zero-day vulnerabilities [2]. By weaponizing tools like SLSA provenance attestation and compromising trusted identities, the group has successfully moved through development environments that traditional security defenses were not designed to monitor [2].
The scale of the operation is significant; across all waves, security researchers have tracked 1,055 compromised versions spanning npm, PyPI, and Composer [1]. TeamPCP’s recent activity also includes a confirmed breach of GitHub, where an employee’s download of a poisoned VS Code extension led to the theft of approximately 4,000 internal repositories [2].
Security firms advise organizations to treat any secrets accessible during the installation of these packages as compromised, including GitHub Actions secrets and OIDC tokens [1]. As TeamPCP continues to evolve its tactics—ranging from releasing its own source code to launching affiliate programs—the incident highlights a structural vulnerability in how developers trust long-standing, high-download dependencies [1]. The core question remains whether the open source community can secure its automated build pipelines before the next wave of automated, self-replicating worms strikes again [2].
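Two points in the summary above are directly checkable before a single package script runs: lifecycle hooks such as preinstall in a manifest, and dependencies declared as github: (or bare owner/repo) specifiers pinned to a raw commit hash, which npm resolves by hash without regard to which fork the commit came from. The following audit script is an added example written for this page, not code from the reports cited or from the AntV project; the package.json it inspects is a constructed sample, and the package names and commit hash in it are placeholders.

```python
import json
import re

# Constructed sample manifest for this example; the names, versions and the
# 40-hex commit hash are placeholders, not real packages or real AntV data.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "version": "1.0.0",
  "scripts": {
    "build": "tsc",
    "preinstall": "bun ./dist/setup.js"
  },
  "dependencies": {
    "react": "^18.3.1",
    "chart-lib": "^3.0.0",
    "aliased": "npm:foo@1.0.0"
  },
  "optionalDependencies": {
    "@example/helper": "github:example-org/helper#0123456789abcdef0123456789abcdef01234567",
    "left-pad-ish": "someone/left-pad-ish#v1.2.0"
  }
}
"""

# Scripts npm runs automatically during install, without the user invoking them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

# Prefixes npm treats as git specifiers; a bare "owner/repo#ref" is GitHub shorthand.
GIT_PREFIXES = ("github:", "gitlab:", "bitbucket:", "gist:", "git+", "git://",
                "https://github.com/", "http://github.com/")
BARE_GITHUB_SHORTHAND = re.compile(r"[\w.-]+/[\w.-]+")
COMMIT_HASH = re.compile(r"[0-9a-f]{7,40}")


def classify_git_spec(spec):
    """Return (repo, ref, kind) for a git-style dependency spec, else None.

    kind is "commit" when the ref is a bare hex hash (the pattern described in
    the article), and "ref" for branch or tag names. Semver ranges, tarball
    URLs and npm: aliases contain no '#' fragment and are ignored.
    """
    if "#" not in spec:
        return None
    head, ref = spec.rsplit("#", 1)
    is_git = head.startswith(GIT_PREFIXES) or BARE_GITHUB_SHORTHAND.fullmatch(head) is not None
    if not is_git:
        return None
    kind = "commit" if COMMIT_HASH.fullmatch(ref) else "ref"
    return head, ref, kind


def find_install_hooks(manifest):
    """Return the lifecycle scripts that would execute during npm install."""
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


def find_git_deps(manifest):
    """Return every dependency, in any section, that resolves from a git ref."""
    findings = []
    for section in DEP_SECTIONS:
        for name, spec in (manifest.get(section) or {}).items():
            parsed = classify_git_spec(str(spec))
            if parsed is None:
                continue
            repo, ref, kind = parsed
            findings.append({"section": section, "name": name,
                             "repo": repo, "ref": ref, "kind": kind})
    return findings


def audit_manifest(text):
    """Parse a package.json string and report install hooks and git-sourced deps."""
    manifest = json.loads(text)
    return {"install_hooks": find_install_hooks(manifest),
            "git_deps": find_git_deps(manifest)}


if __name__ == "__main__":
    # Usage: run against the constructed sample; swap in open("package.json").read()
    # to audit a real project before running npm install.
    print(json.dumps(audit_manifest(SAMPLE_PACKAGE_JSON), indent=2))
```

The script is a triage aid, not a verdict: a preinstall script or a commit-pinned optional dependency is not malicious by itself, but each is a place where code from outside the registry tarball runs or is fetched, so both deserve a manual look when they appear in a package that never needed them before. Running npm install (or npm ci) with --ignore-scripts blocks the lifecycle-hook path entirely while the findings are reviewed.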
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 2 outlets · Jun 14, 2026