Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: shai-hulud (8 articles)Clear

Self-spreading Shai-Hulud worm hits more npm packages and reaches into Go

Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.

Check
Check whether your projects or pipelines pulled affected LeoPlatform, RStreams, or related npm packages or the compromised Verana Go module, and review developer and CI/CD systems for credential theft.
Affected
Developers and CI/CD pipelines that installed the compromised npm packages or Go module; the worm steals cloud, registry, and GitHub credentials, then uses them to spread to more packages and repositories.
Fix
Remove affected versions, rotate developer, cloud, and CI/CD credentials, pin and verify dependencies, restrict install-time and build-time execution, and monitor for unexpected GitHub Actions activity and new exfiltration repositories.

New Shai-Hulud wave poisons 19 scientific Python packages on PyPI

The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.

Check
Search Python environments, lock files, and CI build logs for the 19 affected packages (including Dynamo, Spateo, CoolBox, U-FISH, Napari-UFISH) installed during the malicious window.
Affected
Developers and research teams that installed the trojanized versions of the 19 PyPI scientific packages, especially bioinformatics workflows pulling Dynamo, Spateo, CoolBox, U-FISH, or Napari-UFISH.
Fix
Remove the malicious versions and pin to known-good releases, then rotate every developer, cloud, and CI credential exposed on machines that installed them. Rebuild from trusted sources.

Red Hat @redhat-cloud-services npm namespace compromised with 'Miasma' Shai-Hulud variant - 30+ packages, 117K weekly downloads, steals dev and cloud secrets

More than 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack distributing a new Shai-Hulud variant dubbed 'Miasma.' Aikido and OX Security found dozens of package versions laced with malware that steals developer credentials, cloud secrets, SSH keys, and CI/CD tokens. Aikido says the compromised packages pull roughly 117,000 weekly downloads. Red Hat told BleepingComputer it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling, with no impact on production products or services. The Miasma variant continues the self-propagating worm behavior that made the original Shai-Hulud campaign so disruptive.

Check
Inventory projects pulling @redhat-cloud-services npm packages. Check package-lock.json for backdoored versions since the compromise. Rotate developer, cloud, SSH, and CI/CD credentials reachable from build hosts.
Affected
30+ @redhat-cloud-services npm packages (~117K weekly downloads) backdoored with the Miasma Shai-Hulud variant. Red Hat says impact is limited to internal development tooling, not production products.
Fix
Remove affected package versions and pin to known-clean releases via lockfile. Rotate all secrets reachable from affected developer and CI hosts. Apply Aikido and OX Security IoCs.

Shai-Hulud wave: 600+ npm @antv packages compromised in one hour, GitHub Action 'actions-cool' tag hijack linked

Between 01:56 and 02:56 UTC on May 19, a Shai-Hulud-flavored attack published 639 malicious versions across 323 npm packages, mostly in the @antv chart and graph namespace, after compromising the maintainer account 'atool.' Affected libraries include @antv/g2, @antv/g6, echarts-for-react, timeago.js, and jest-canvas-mock (still 10M monthly downloads despite three years dormant). A linked attack hijacked 15 tags of the 'actions-cool' GitHub Action and replaced them with a credential stealer that reads runner memory and exfils to t.m-kosche[.]com - the same domain as the @antv campaign. Socket and Aikido say there are now 2,900+ GitHub repos generated by this wave.

Check
Audit package lockfiles and CI logs for installs of any @antv/* package or timeago.js, size-sensor, jest-canvas-mock, echarts-for-react published on May 19. Search workflows for 'actions-cool/maintain-one-comment@<tag>' references.
Affected
Developers and CI/CD pipelines that installed @antv packages or used the actions-cool GitHub Actions between May 19 01:56 UTC and the npm registry takedown.
Fix
Pin GitHub Actions to full commit SHAs, not tags. Block egress to t.m-kosche.com. Rotate every developer token, npm token, cloud credential, and SSH key on machines that ran affected builds.

Leaked Shai-Hulud worm source code reused in four malicious npm packages, one adds Phantom Bot DDoS

After TeamPCP dumped the Shai-Hulud worm's source code on GitHub last week with the note 'Here We Go Again - Let the Carnage Continue,' a new actor under the npm name deadcode09284814 has published four malicious packages typosquatting Axios and friends. One package, chalk-tempalte, contains an almost-unmodified copy of the leaked worm, exfiltrating GitHub tokens, cloud configs, and crypto wallet data to a remote C2 and creating a public GitHub repo titled 'A Mini Sha1-Hulud has Appeared.' Another package, axois-utils, adds a Go-based DDoS bot called Phantom Bot that floods HTTP, TCP, and UDP. OXsecurity, which discovered the campaign, counted about 2,678 combined downloads.

Check
Search package lock files and CI/CD logs for installs of chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils. Check your GitHub accounts for any repo named 'A Mini Sha1-Hulud has Appeared.'
Affected
Any organization whose developers install Node.js packages by name from npm without lockfile pinning or pre-publish vetting, especially those typosquatting the popular axios library.
Fix
Uninstall the four packages and rotate all developer GitHub tokens, npm tokens, and cloud credentials on affected machines. Block the C2 hosts 87e0bbc636999b.lhr.life and 80.200.28.28:2222 at egress.

TeamPCP Shai-Hulud aftermath: OpenAI rotates macOS code-signing certificates after employee devices breached, TeamPCP advertises 450 Mistral AI source repositories for $25K

Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.

Check
Audit which developer workstations had any TanStack, Mistral AI, UiPath, OpenSearch, or Guardrails AI npm or PyPI packages installed since May 8, and review GitHub audit logs for token use from those machines.
Affected
Mac users of OpenAI ChatGPT Desktop, OpenAI Codex CLI, and Atlas browser apps - signed with the rotated certificates and must update before June 12, 2026. Customers of Mistral AI relying on private repos for SDK pinning.
Fix
Update affected OpenAI macOS apps before June 12. Rotate GitHub PATs, npm and PyPI tokens, cloud secrets, and SSH keys exposed on impacted developer machines. Pin Mistral and TanStack packages to known-clean releases.

TeamPCP supply-chain worm 'Mini Shai-Hulud' hits TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI - 170 packages, 401 malicious versions, 518 million weekly downloads (CVE-2026-45321)

TeamPCP launched its largest supply-chain attack to date on May 11, compromising 170+ npm and PyPI packages with 518 million combined weekly downloads. The attackers chained three GitHub Actions vulnerabilities to publish 401 malicious versions carrying valid SLSA Build Level 3 attestations - cryptographically indistinguishable from legitimate releases. Affected packages include TanStack, Mistral AI (npm and PyPI), UiPath, OpenSearch, and Guardrails AI. The worm installs a persistent gh-token-monitor daemon that triggers 'rm -rf ~/' if tokens get revoked, and includes a probabilistic full-disk-wipe routine for Israeli and Iranian locales.

Check
Audit lockfiles for @tanstack/* (84 affected versions), @uipath/* (66 versions), @mistralai/*, opensearch-project/opensearch 3.5.3-3.8.0, guardrails-ai 0.10.1, mistralai 2.4.6.
Affected
Any Node.js or Python environment that installed compromised packages between May 11 and registry takedown. CI/CD pipelines, developer workstations, AI/ML environments. Crypto wallets and password managers (1Password, Bitwarden) are primary exfil targets.
Fix
Remove gh-token-monitor daemon BEFORE revoking tokens (~/Library/LaunchAgents macOS, ~/.config/systemd/user/ Linux) - removal first prevents triggering the wipe. Pin lockfiles to clean versions. Rotate all npm tokens, GitHub PATs, cloud credentials, and crypto wallet seeds.

'Shai-Hulud: The Third Coming' worm pivots from Checkmarx KICS compromise into Bitwarden CLI, stealing SSH keys, cloud secrets, and MCP configs for AI coding tools

TeamPCP's self-propagating supply-chain worm is back in its third iteration, branded 'Shai-Hulud: The Third Coming' in hard-coded strings across the malware. On April 22, Socket reported Checkmarx's official KICS Docker images and a KICS VS Code / Open VSX extension had been trojanized. Bitwarden's own clients repo runs a Checkmarx scan on every pull request via a pull_request_target workflow that holds id-token: write and fetches credentials from Azure Key Vault, so when the poisoned scanner executed it harvested GitHub OIDC and Azure tokens. At 17:57 ET the same day, attackers used those tokens to push a modified publish-cli.yml to the Bitwarden repo and publish a malicious @bitwarden/cli version 2026.4.0 to npm. The package remained live for 93 minutes until Bitwarden pulled it at 19:30 ET. The payload: a 10MB obfuscated credential harvester that grabs SSH keys, cloud provider credentials, npm publish tokens, GitHub tokens, and - new in this variant - MCP (Model Context Protocol) configuration files used by Claude Code, Cursor, and similar AI coding tools. It then self-propagates by republishing into every npm package the victim can modify and uploads encrypted stolen secrets to public GitHub repositories under Dune-themed names. The worm has a Russian-locale kill switch (exits if LC_ALL/LANG starts with 'ru').

Check
Immediately check every CI/CD runner, developer laptop, and container that pulled Checkmarx KICS Docker images, the KICS GitHub Action, or @bitwarden/cli between March 23 and April 23, and rotate every credential that was ever present on those machines.
Affected
Confirmed malicious artifacts per Socket: @bitwarden/cli 2026.4.0 on npm (live 21:57 to 23:30 UTC on April 22, a 93 minute window); compromised Checkmarx KICS Docker images and GitHub Actions (first compromised March 23, re-compromised April 22); two Checkmarx-published Visual Studio Code and Open VSX extensions. Any npm package subsequently republished by a victim whose npm token this worm captured is also potentially malicious.
Fix
Remove the listed versions from all developer environments, CI runners, and private mirrors. Rotate every credential the worm would have seen: GitHub PATs and OIDC tokens, npm publish tokens, cloud provider keys (AWS/GCP/Azure), SSH keys, Azure Key Vault secrets, container registry creds, and MCP config files for AI coding tools - assume every credential stored in ~/.config, ~/.ssh, or exported to CI env is burned. Audit bitwarden/clients commit history for changes to publish-cli.yml and similar pipeline files around April 22. Search public GitHub for repositories named after Dune terms (beautifulcastle-* pattern) to find whether your stolen data has been published. Tighten pull_request_target triggers on security scanners - they should not have id-token: write permission.