Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.
The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.
More than 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack distributing a new Shai-Hulud variant dubbed 'Miasma.' Aikido and OX Security found dozens of package versions laced with malware that steals developer credentials, cloud secrets, SSH keys, and CI/CD tokens. Aikido says the compromised packages pull roughly 117,000 weekly downloads. Red Hat told BleepingComputer it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling, with no impact on production products or services. The Miasma variant continues the self-propagating worm behavior that made the original Shai-Hulud campaign so disruptive.
Between 01:56 and 02:56 UTC on May 19, a Shai-Hulud-flavored attack published 639 malicious versions across 323 npm packages, mostly in the @antv chart and graph namespace, after compromising the maintainer account 'atool.' Affected libraries include @antv/g2, @antv/g6, echarts-for-react, timeago.js, and jest-canvas-mock (still 10M monthly downloads despite three years dormant). A linked attack hijacked 15 tags of the 'actions-cool' GitHub Action and replaced them with a credential stealer that reads runner memory and exfils to t.m-kosche[.]com - the same domain as the @antv campaign. Socket and Aikido say there are now 2,900+ GitHub repos generated by this wave.
After TeamPCP dumped the Shai-Hulud worm's source code on GitHub last week with the note 'Here We Go Again - Let the Carnage Continue,' a new actor under the npm name deadcode09284814 has published four malicious packages typosquatting Axios and friends. One package, chalk-tempalte, contains an almost-unmodified copy of the leaked worm, exfiltrating GitHub tokens, cloud configs, and crypto wallet data to a remote C2 and creating a public GitHub repo titled 'A Mini Sha1-Hulud has Appeared.' Another package, axois-utils, adds a Go-based DDoS bot called Phantom Bot that floods HTTP, TCP, and UDP. OXsecurity, which discovered the campaign, counted about 2,678 combined downloads.
Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.
TeamPCP launched its largest supply-chain attack to date on May 11, compromising 170+ npm and PyPI packages with 518 million combined weekly downloads. The attackers chained three GitHub Actions vulnerabilities to publish 401 malicious versions carrying valid SLSA Build Level 3 attestations - cryptographically indistinguishable from legitimate releases. Affected packages include TanStack, Mistral AI (npm and PyPI), UiPath, OpenSearch, and Guardrails AI. The worm installs a persistent gh-token-monitor daemon that triggers 'rm -rf ~/' if tokens get revoked, and includes a probabilistic full-disk-wipe routine for Israeli and Iranian locales.
TeamPCP's self-propagating supply-chain worm is back in its third iteration, branded 'Shai-Hulud: The Third Coming' in hard-coded strings across the malware. On April 22, Socket reported Checkmarx's official KICS Docker images and a KICS VS Code / Open VSX extension had been trojanized. Bitwarden's own clients repo runs a Checkmarx scan on every pull request via a pull_request_target workflow that holds id-token: write and fetches credentials from Azure Key Vault, so when the poisoned scanner executed it harvested GitHub OIDC and Azure tokens. At 17:57 ET the same day, attackers used those tokens to push a modified publish-cli.yml to the Bitwarden repo and publish a malicious @bitwarden/cli version 2026.4.0 to npm. The package remained live for 93 minutes until Bitwarden pulled it at 19:30 ET. The payload: a 10MB obfuscated credential harvester that grabs SSH keys, cloud provider credentials, npm publish tokens, GitHub tokens, and - new in this variant - MCP (Model Context Protocol) configuration files used by Claude Code, Cursor, and similar AI coding tools. It then self-propagates by republishing into every npm package the victim can modify and uploads encrypted stolen secrets to public GitHub repositories under Dune-themed names. The worm has a Russian-locale kill switch (exits if LC_ALL/LANG starts with 'ru').