
The Mini Shai-Hulud malware campaign has hit over 600 npm packages, including TanStack and Red Hat tools, to steal developer credentials and cloud secrets.
The Mini Shai-Hulud malware campaign has compromised more than 600 npm packages in a widespread supply chain attack, targeting developer credentials and CI/CD secrets across major software ecosystems [1, 2]. The threat actor, identified by researchers as TeamPCP, has systematically hijacked legitimate release pipelines to inject malicious code into widely used tools, including packages tied to TanStack, Red Hat Cloud Services, SAP, and Mistral AI [1, 2, 3].
The campaign reached a peak in mid-May 2026, when attackers published 84 malicious versions across 42 TanStack packages within a six-minute window [1]. These packages, some of which receive over 12 million weekly downloads, were modified to include a 2.3 MB obfuscated payload designed to steal environment variables, GitHub tokens, and cloud credentials [1]. By abusing the pull_request_target pattern and GitHub Actions cache poisoning, the attackers successfully generated malicious packages that carried valid SLSA Build Level 3 provenance attestations, making the compromised releases appear legitimate to automated security checks [1, 2].
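The six-minute publishing burst described above is itself a detectable signal. As an added example (not code from the cited reports or from any of the named projects), the script below groups a package's release timestamps into tight clusters and flags any installed version that falls inside one; the registry `time` object and the package-lock.json fragment are constructed sample data, and the package names and timestamps are invented.

```python
"""Flag installed npm versions that belong to a publish burst (added example)."""
from datetime import datetime

# Constructed sample shaped like the `time` object returned by
# https://registry.npmjs.org/<package>: normal cadence, then four versions
# pushed in under six minutes. Package names are hypothetical.
SAMPLE_TIMES = {
    "@example/query-core": {
        "created": "2024-01-02T10:00:00.000Z",
        "5.60.0": "2026-03-01T09:15:00.000Z",
        "5.60.1": "2026-04-10T11:30:00.000Z",
        "5.60.2": "2026-05-11T14:00:05.000Z",
        "5.60.3": "2026-05-11T14:01:40.000Z",
        "5.60.4": "2026-05-11T14:03:12.000Z",
        "5.60.5": "2026-05-11T14:05:50.000Z",
    },
    "@example/left-pad": {"created": "2020-01-01T00:00:00.000Z",
                          "1.0.0": "2020-01-01T00:00:00.000Z"},
}
# Constructed package-lock.json (lockfileVersion 3) fragment.
SAMPLE_LOCK = {"packages": {
    "node_modules/@example/query-core": {"version": "5.60.4"},
    "node_modules/@example/left-pad": {"version": "1.0.0"},
}}

def publish_bursts(time_map, window_seconds=360, min_versions=3):
    """Return groups of >= min_versions versions whose first and last publish
    times are at most window_seconds apart. Bookkeeping keys such as
    'created' and 'modified' are skipped."""
    events = sorted((datetime.fromisoformat(ts.replace("Z", "+00:00")), v)
                    for v, ts in time_map.items() if v[:1].isdigit())
    groups, current = [], []
    for when, version in events:
        if current and (when - current[0][0]).total_seconds() > window_seconds:
            groups.append(current)   # gap too large: close the current cluster
            current = []
        current.append((when, version))
    groups.append(current)
    return [[v for _, v in g] for g in groups if len(g) >= min_versions]

def flag_installed(lock, registry_times):
    """Return (name, version) pairs from the lockfile whose installed version
    was published inside a burst for that package."""
    flagged = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        times = registry_times.get(name)
        if times and any(meta["version"] in b for b in publish_bursts(times)):
            flagged.append((name, meta["version"]))
    return flagged
```

In a real pipeline the `time` object would be fetched per package from the registry before running the check; a flagged version is a prompt to inspect the tarball and the package's recent publish history, not proof of compromise.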
TeamPCP’s tactics focus on persistence and lateral movement. Once a developer installs an infected package, the malware executes automatically, polling GitHub every 60 seconds to monitor for token revocations and attempting to exfiltrate sensitive data via typosquatted domains or GitHub API dead drops [1, 3]. The malware has evolved through several iterations, moving from SAP-related packages in April to broader targets like Red Hat’s @redhat-cloud-services namespace, which averages 80,000 weekly downloads [1, 2, 3]. While the malware’s branding has shifted from Dune-themed references to Greek mythology, the underlying tradecraft remains consistent [2].
The GitHub Advisory Database has rated the TanStack compromise as critical, warning that any CI/CD environment that installed affected versions on May 11, 2026, should be treated as fully compromised [1]. Security researchers advise organizations to immediately rotate all credentials reachable from the installation process, revoke npm publishing tokens, and conduct a thorough audit of cloud logs for unauthorized activity [1, 2].
The incident highlights a persistent vulnerability in modern development: even packages with verified build metadata can be weaponized if the underlying release pipeline is subverted. With the attackers actively targeting the secrets needed to push further malicious updates, the primary question for developers is whether their existing automated security controls are sufficient to detect a breach that masquerades as a trusted, signed release.
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jun 14, 2026