Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain
Dark Reading, archived May 12, 2026
Hundreds of npm packages infected by the self-propagating, credential-stealing worm from TeamPCP are related to the open source TanStack ecosystem.
Elizabeth Montalbano, Contributing Writer
May 12, 2026
5 Min Read
The Mini Shai-Hulud malware campaign continues to slither its way through the software supply chain, rearing its malicious head in a fresh wave of compromised npm packages and artifacts, mainly those used throughout the open source TanStack developer ecosystem.
Researchers from Socket Threat Research and Aikido have identified hundreds of new compromised packages with the same basic goal as the previous proliferation of the worm-like malware: steal credentials from developer machines, and from continuous integration/continuous delivery (CI/CD) runners used by developers, then use those credentials to infect more packages for self-replication.
Aikido researchers identified 373 malicious package-version entries across 169 npm package names, mainly related to the TanStack open source Web application stack. Meanwhile, researchers at Socket identified 84 compromised TanStack npm package artifacts modified with Mini Shai-Hulud, they said in a blog post published Tuesday. However, there is evidence of at least double that number, spanning multiple organizations and developer tooling ecosystems, including SAP-related packages, AI tooling, and enterprise libraries, according to Socket.
Indeed, the campaign appears to be ongoing and moving quickly, according to researchers from both firms. However, Raphael Silva, a security researcher at Aikido, wrote in a blog post published today that what matters even more is that this time, attackers are using proliferation tactics that are potentially more dangerous than in previous attacks.
"The important part is not only the number of packages, but where they run," he wrote. "These packages are likely to be installed in local developer environments, CI jobs, release workflows, and internal build systems."
Abuse of Trust: Compromised Maintainer Accounts
Socket attributes the latest wave of infected packages to a recurring threat cluster informally tracked as TeamPCP, which operates Mini Shai-Hulud — a variant of Shai-Hulud that presumably takes its name from the Dune sandworm and was first seen infecting code packages in September 2025.
Attackers designed the malware to steal credentials and infect components across other software, propagating on its own without developer or attacker input. After its initial appearance, Shai-Hulud continued to surface periodically, appearing with new wiper capability in November and December campaigns of the same year.
Then Mini Shai-Hulud surfaced late last month, with more advanced and aggressive techniques that not only steal credentials and allow it to replicate, but also can hijack trusted publishing paths and execute malicious payloads during installation. It does this by compromising maintainers’ publishing credentials and automatically pushing Trojanized package updates to repositories under those accounts.
"Compared with the original Shai-Hulud worm, Mini Shai-Hulud has evolved to feel more tuned for how packages are published today," Silva explains to Dark Reading. "This newer activity leans even harder into CI/CD and trusted publishing. It can abuse a legitimate workflow and still produce a package that looks like it came from the expected release process, using provenance to its advantage."
Indeed, in his post, Silva called the malware's abuse of trusted publishing "one of the more uncomfortable parts of this wave" of attacks.
"Trusted publishing is meant to remove long-lived npm tokens from release workflows," he wrote. "A GitHub Actions workflow can use OIDC to request a short-lived npm publish token, publish the package, and attach provenance to the release."
This is a good thing when the workflow is clean; however, "it is much worse when attacker-controlled code runs inside the workflow," Silva noted.
Inside Job: Self-Propagation Continues to Worry
What could spell even more trouble for developers is that the new wave of Mini Shai-Hulud packages seems far more deliberate and organized than the previous appearance of the variant, Silva noted in his post.
"This wave does not just look like someone manually publishing bad versions," he wrote. "The malware is built to run inside build systems, steal npm and GitHub access, and abuse trusted publishing paths to push new compromised packages."
Further, Mini Shai-Hulud uses heavily obfuscated JavaScript payloads and Bun-based execution techniques to evade traditional Node.js-focused security tooling. Some variants also establish persistence through IDE integrations and developer tooling hooks, the researchers said.
"What makes this whole Shai-Hulud campaign so dangerous is the combination of credential theft and propagation," Silva tells Dark Reading. "It tries to turn one compromised runner or developer machine into the next poisoned package. That means the blast radius is not limited to whoever installed the malware first."
Stop the Spread: Developer Defense Against Shai-Hulud
Malicious code-package campaigns have by now become a familiar way for attackers to compromise the software supply chain and extend their malware's reach quickly, especially with self-propagating worms like Shai-Hulud. Though many attacks are detected and halted before they do much damage, developers cannot let their guard down, and they need to redouble efforts to make sure the open source code they pull into development projects is free of malicious code.
To help developers identify the malicious packages related to the campaign and stop them from spreading, both Socket and Aikido published lists of the malicious artifacts and packages they identified and flagged. However, given the ongoing nature of the campaign, developers should immediately take other steps and follow some best practices to protect their projects from compromise.
These include: scanning npm publishing logs for any unexpected publishes from your organization's packages, particularly versions published from GitHub Actions runners that were not initiated by a team member; rotating npm, GitHub, cloud, and CI/CD credentials potentially exposed to build pipelines; and enabling provenance verification, package allow-listing, and dependency monitoring, according to Socket.
Developers also should hunt for unauthorized package publishes tied to maintainer accounts as well as inspect developer endpoints for credential theft or persistence artifacts to ensure their projects have not been infected by malicious packages, the researchers advised.
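One practical way to act on the published indicator lists and the allow-listing advice above is to cross-check a project's lockfile against a blocklist of known-bad package versions. The script below is an added example, not code from Socket, Aikido or the article; the blocklist entries and the package-lock.json excerpt are constructed placeholders, not real indicators.

```python
"""Cross-check an npm lockfile (v2/v3 'packages' map) against a published list
of compromised package versions.  Added example, not code from Socket, Aikido
or the article; the blocklist and lockfile below are constructed."""
import json

# Constructed blocklist in the "name@version" form vendor advisories use.
# These are placeholders, not real entries from the Socket or Aikido lists.
BLOCKLIST = {
    "@example-org/constructed-pkg@1.2.3",
    "constructed-cli-tool@4.0.1",
}

def package_name_from_path(path):
    """Map a lockfile v2/v3 'packages' key to a package name.
    Nested installs look like node_modules/a/node_modules/@scope/b,
    so the name is everything after the last 'node_modules/'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx == -1:
        return None  # root project entry ("") or a workspace directory
    return path[idx + len(marker):]

def find_compromised(lockfile_text, blocklist=BLOCKLIST):
    """Return sorted (lockfile path, name@version) pairs found on the blocklist."""
    lock = json.loads(lockfile_text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("expected a lockfile v2/v3 with a 'packages' map")
    hits = []
    for path, meta in lock["packages"].items():
        name = package_name_from_path(path)
        version = meta.get("version")
        if name and version and f"{name}@{version}" in blocklist:
            hits.append((path, f"{name}@{version}"))
    return sorted(hits)

# Constructed package-lock.json excerpt: one clean dependency, one hit at the
# top level and one hit nested under another package (the case a naive
# prefix match on the path would miss).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/@example-org/safe-pkg": {"version": "2.0.0"},
        "node_modules/@example-org/constructed-pkg": {"version": "1.2.3"},
        "node_modules/constructed-parent/node_modules/constructed-cli-tool": {"version": "4.0.1"},
    },
})

if __name__ == "__main__":
    for path, ident in find_compromised(SAMPLE_LOCK):
        print(f"BLOCKED {ident} at {path}")
```

Feed it the real Socket or Aikido lists as the blocklist and a project's own package-lock.json in place of the constructed sample; a non-empty result means the lockfile pins a flagged version, including transitive ones.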
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.