
Fresh Wave of Mini Shai-Hulud Malware Targets Developer Supply Chain

Malicious npm packages spread Mini Shai-Hulud malware, compromising developer credentials and hijacking GitHub Actions. Stay protected now!
Content Team

A new campaign of Mini Shai-Hulud malware is spreading through npm packages, targeting the TanStack developer ecosystem with hundreds of compromised packages. Security researchers from Socket and Aikido discovered 373 malicious package entries across 169 npm packages, with evidence suggesting the actual number could be double that.

The worm-like malware steals developer credentials from machines and CI/CD systems, then uses those credentials to infect more packages automatically. What makes this wave particularly dangerous is its abuse of trusted publishing workflows: it hijacks legitimate GitHub Actions to push Trojanized updates that appear authentic.

Attributed to the TeamPCP threat group, this evolved variant uses obfuscated JavaScript and targets build systems more aggressively than previous versions. Developers should immediately scan publishing logs, rotate credentials, and enable provenance verification to protect their projects.
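
One way to approach the publishing-log scan is to compare a package's registry publish history against the releases the maintainers actually cut. The sketch below is an added example, not code from the article or the researchers it cites; the package name, timestamps, URLs and the `unexpectedPublishes` helper are constructed for illustration.

```javascript
// Added example. PACKUMENT is constructed sample data shaped like npm registry
// metadata (GET https://registry.npmjs.org/<name>); the package name is hypothetical.
const PACKUMENT = {
  name: "@example/router",
  time: { // version -> publish timestamp, plus two bookkeeping keys
    created: "2024-01-10T09:00:00.000Z",
    modified: "2025-03-02T04:15:00.000Z",
    "1.4.1": "2025-01-15T10:00:00.000Z",
    "1.4.2": "2025-02-20T11:30:00.000Z",
    "1.4.3": "2025-03-02T04:12:00.000Z",
    "1.4.4": "2025-03-02T04:15:00.000Z",
  },
  versions: {
    "1.4.1": { dist: {} },
    "1.4.2": { dist: { attestations: { url: "https://registry.example/att/1.4.2" } } },
    "1.4.3": { dist: { attestations: { url: "https://registry.example/att/1.4.3" } } },
    // "1.4.4" deliberately absent: it has a publish time but is no longer listed
  },
};

// Return every version published at or after sinceIso that is not in the
// maintainers' own release list (expectedVersions, e.g. taken from git tags).
function unexpectedPublishes(packument, expectedVersions, sinceIso) {
  const since = Date.parse(sinceIso);
  if (Number.isNaN(since)) throw new Error("invalid sinceIso: " + sinceIso);
  const expected = new Set(expectedVersions);
  const findings = [];
  for (const [version, publishedAt] of Object.entries(packument.time || {})) {
    if (version === "created" || version === "modified") continue; // not versions
    const ts = Date.parse(publishedAt);
    if (Number.isNaN(ts) || ts < since || expected.has(version)) continue;
    const meta = (packument.versions || {})[version];
    findings.push({
      version,
      publishedAt,
      // Provenance alone does not clear a release: a hijacked workflow can produce it.
      hasProvenance: Boolean(meta && meta.dist && meta.dist.attestations),
      stillListed: Boolean(meta),
    });
  }
  return findings.sort((a, b) => Date.parse(a.publishedAt) - Date.parse(b.publishedAt));
}

console.log(unexpectedPublishes(PACKUMENT, ["1.4.1", "1.4.2"], "2025-02-01T00:00:00.000Z"));
```

Any version this reports is a lead for credential rotation and workflow-run review, whether or not it carries a provenance attestation.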

Source: Dark Reading
