The Mini Shai-Hulud malware campaign continues to slither its way through the software supply chain, rearing its malicious head in a fresh wave of compromised npm packages and artifacts, mainly those used throughout the open source TanStack developer ecosystem.
Researchers from Socket Threat Research and Aikido have identified hundreds of new compromised packages with the same basic goal as the previous proliferation of the worm-like malware: steal credentials from developer machines, and from continuous integration/continuous delivery (CI/CD) runners used by developers, then use those credentials to infect more packages for self-replication.
Aikido researchers identified 373 malicious package-version entries across 169 npm package names, mainly related to the TanStack open source Web application stack. Meanwhile, researchers at Socket identified 84 compromised TanStack npm package artifacts modified with Mini Shai-Hulud, they said in a blog post published Tuesday. However, there is evidence that there are at least double that amount that span multiple organizations and developer tooling ecosystems, including SAP-related packages, AI tooling, and enterprise libraries, according to Socket.
Indeed, the campaign appears to be ongoing and moving quickly, according to researchers from both firms. However, Raphael Silva, a security researcher at Aikido, wrote in a blog post published today that what’s even more important is that this time, attackers are going for potentially even more dangerous proliferation tactics than in previous attacks.
“The important part is not only the number of packages, but where they run,” he wrote. “These packages are likely to be installed in local developer environments, CI jobs, release workflows, and internal build systems.”
Abuse of Trust: Compromised Maintainer Accounts
Socket attributes the latest wave of infected packages to a recurring threat cluster informally tracked as TeamPCP, which operates Mini Shai-Hulud — a variant of Shai-Hulud that presumably takes its name from the “Dune” sandworm and was first seen infecting code packages in September 2025.
Attackers designed the malware to steal credentials and infect components across other software, propagating on its own without developer or attacker input. After its initial appearance, Shai-Hulud continued to surface periodically, appearing with new wiper capability in November and December campaigns of the same year.
Then Mini Shai-Hulud surfaced late last month, with more advanced and aggressive techniques that not only steal credentials and allow it to replicate, but also can hijack trusted publishing paths and execute malicious payloads during installation. It does this by compromising maintainers’ publishing credentials and automatically pushing trojanized package updates to repositories under those accounts.
“Compared with the original Shai-Hulud worm, Mini Shai-Hulud has evolved to feel more tuned for how packages are published today,” Silva explains to Dark Reading. “This newer activity leans even harder into CI/CD and trusted publishing. It can abuse a legitimate workflow and still produce a package that looks like it came from the expected release process, using provenance to its advantage.”
Indeed, in his post, Silva called the malware’s abuse of trusted publishing “one of the more uncomfortable parts of this wave” of attacks.
“Trusted publishing is meant to remove long-lived npm tokens from release workflows,” he wrote. “A GitHub Actions workflow can use OIDC to request a short-lived npm publish token, publish the package, and attach provenance to the release.”
This is a good thing when the workflow is clean; however, “it is much worse when attacker-controlled code runs inside the workflow,” Silva noted.
Inside Job: Self-Propagation Continues to Worry
What could spell even more trouble for developers is that the new wave of Mini Shai-Hulud packages seems far more deliberate and organized than the previous appearance of the variant, Silva noted in his post.
“This wave does not just look like someone manually publishing bad versions,” he wrote. “The malware is built to run inside build systems, steal npm and GitHub access, and abuse trusted publishing paths to push new compromised packages.”
Further, Mini Shai-Hulud uses heavily obfuscated JavaScript payloads and Bun-based execution techniques to evade traditional Node.js-focused security tooling. Some variants also establish persistence through IDE integrations and developer tooling hooks, the researchers said.
“What makes this whole Shai-Hulud campaign so dangerous is the combination of credential theft and propagation,” Silva tells Dark Reading. “It tries to turn one compromised runner or developer machine into the next poisoned package. That means the blast radius is not limited to whoever installed the malware first.”
Stop the Spread: Developer Defense Against Shai-Hulud
Malicious code-package campaigns have by now become a familiar way for attackers to compromise the software supply chain, and extend their malware reach quickly, especially with worms that can self-propagate like Shai-Hulud. Though many attacks are detected and halted quickly before they do much damage, that doesn’t mean that developers can let their guard down, and need to redouble efforts to make sure the open source code they use in development projects is without malicious infection.
To help developers identify the malicious packages related to the campaign and stop them from spreading, both Socket and Aikido published lists of the malicious artifacts and packages they identified and flagged. However, given the ongoing nature of the campaign, developers should immediately take other steps and follow some best practices to protect their projects from compromise.
These include: scanning npm publishing logs for any unexpected publishes from your organization’s packages, particularly versions published from GitHub Actions runners that were not initiated by a team member; rotating npm, GitHub, cloud, and CI/CD credentials potentially exposed to build pipelines; and enabling provenance verification, package allow-listing, and dependency monitoring, according to Socket.
Developers also should hunt for unauthorized package publishes tied to maintainer accounts as well as inspect developer endpoints for credential theft or persistence artifacts to ensure their projects have not been infected by malicious packages, the researchers advised.
Don’t miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now!
No responses yet