Mini Shai-Hulud supply-chain attack hits npm and PyPI packages
A stealthy open-source campaign has spread through npm and PyPI, stealing credentials and hiding inside trusted releases that many companies never knew they installed.

Mini Shai-Hulud turned routine software updates into a national infrastructure risk. Since at least April 29, 2026, the campaign has compromised packages across npm and PyPI, including SAP Cloud Application Programming and Cloud MTA Build Tool packages, intercom-client, and PyPI’s lightning package, then widened into TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, and dozens more libraries that feed into business software, government contractor systems, and everyday apps.
The danger is not just that code was poisoned, but that the poison traveled through dependency chains most users never see. Security researchers at Socket said the malicious payload steals SSH keys, cloud credentials, Vault and GitHub tokens, npm tokens, and AI-tool configuration files, then encrypts the stolen data and uses compromised npm credentials to spread further. In some cases, it can persist through .claude/settings.json SessionStart hooks and .vscode/tasks.json, allowing the intrusion to survive ordinary cleanup.

A particularly concerning wave hit on May 11, 2026, when researchers said attackers abused GitHub Actions cache poisoning and npm’s OpenID Connect publishing path to push malicious versions with valid provenance. That made the compromise harder to spot because the packages arrived with the kind of release trail developers are trained to trust. Researchers said provenance alone was not enough to prove safety in this campaign.
The scale has varied by wave and by counting method, but the numbers have kept climbing. Researchers described one cluster with 42 TanStack packages and 84 malicious versions, while later tracking showed 160-plus, 169, 170-plus, and even 317 package artifacts across affected ecosystems. The spread has not been limited to one platform or one type of software team, which is part of what makes the incident so difficult to contain.
OpenAI said on May 13, 2026, that it found no evidence user data was accessed, production systems or intellectual property were compromised, or software was altered. The company said two employee devices were impacted and that it was rotating code-signing certificates, with macOS users asked to install an update by June 12, 2026. NHS England also issued a cyber alert on May 12, warning that hundreds of malicious package versions were affecting well-known projects and urging developers to pin known-good versions and follow remediation steps.
Wiz said the original Shai-Hulud wave appeared on September 15, 2025, and later returned with worm-like behavior and data-wiping functionality. Mini Shai-Hulud is the latest escalation in a campaign that shows how quietly a supply-chain attack can move upstream, then reach far downstream before most victims realize the code they trusted has already been touched.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
Did this article answer your question?


