Shanhai666 malicious NuGet package sabotage activity
Malware Activity
Summary
Nine malicious NuGet packages published under shanhai666 were found to contain dormant sabotage code that can disrupt .NET database operations and Siemens S7 PLC communications. The packages mix mostly legitimate functionality with hidden triggers that may activate years after publication. If triggered, the payload can kill the host process or corrupt PLC writes, creating operational risk for software and industrial environments.
Related Happenings
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score: 34
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub over concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The removal disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action; Microsoft said it had temporarily removed some repositories while its investigation was under way.
BufferZoneCorp sleeper-package supply chain campaign
Campaign
H score: 42
First: 01.05.2026 12:43
Last: 01.05.2026 12:43
Sources 1
About this happening:
The **BufferZoneCorp** software supply chain campaign is pushing **malicious Ruby gems and Go modules** that can steal credentials, tamper with **GitHub Actions**, and persist on...
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
H score: 50
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Telnyx Python package hit by data theft breach
Incident
H score: 33
First: 27.03.2026 18:53
Last: 27.03.2026 18:53
Sources 1
About this happening:
The **telnyx** Python package was **compromised on PyPI** with **4.87.1** and **4.87.2**, exposing downstream importers to **credential theft** and **data exfiltration**. The mali...
Npm package ecosystem CanisterWorm exploitation wave
Exploitation Wave
H score: 28
First: 23.03.2026 10:31
Last: 23.03.2026 10:31
Sources 1
About this happening:
Attackers expanded the **Trivy** compromise into a **self-propagating CanisterWorm** wave that hit **dozens of npm packages**, creating broad downstream supply-chain risk. The abu...
Timeline
07.11.2025 22:53 · 2 articles
Socket finds shanhai666 malicious NuGet packages with dormant sabotage code
Initial Disclosure: Nine malicious NuGet packages published under shanhai666 mix mostly legitimate .NET functionality with a hidden C# payload that targets database operations in SQL Server, PostgreSQL, and SQLite, and industrial communications through Sharp7 for Siemens S7 PLCs. The code uses date checks and probabilistic triggers tied to hardcoded trigger dates from August 8, 2027 through November 29, 2028, and Sharp7Extend can also terminate PLC communications or corrupt PLC writes.
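A defender-side triage heuristic, added here as an example and not code from Socket, BleepingComputer or the packages themselves: it scans decompiled or source C# for the three traits the disclosure describes together (a clock read, comparison against hardcoded future dates, and a call that kills the host process), with a random gate raising confidence. The C# fragment is constructed for illustration and the regexes are a starting point, not a signature for the real payload.

```python
import re
from datetime import date

# Constructed C# fragment modelled on the behaviour described in the disclosure
# (clock check against hardcoded future dates, random gate, kill the host process).
# Illustrative text only; this is not the shanhai666 payload.
SAMPLE_CS = """
public static int Execute(SqlCommand cmd)
{
    var now = DateTime.Now;
    if (now >= new DateTime(2027, 8, 8) && now <= new DateTime(2028, 11, 29))
    {
        if (new Random().Next(100) < 20)
            Process.GetCurrentProcess().Kill();
    }
    return cmd.ExecuteNonQuery();
}
"""

DISCLOSURE_DATE = date(2025, 11, 7)  # day the packages were reported; "future" is relative to this

DATE_CTOR = re.compile(r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
CLOCK_READ = re.compile(r"\bDateTime\.(Now|UtcNow|Today)\b")
RANDOM_GATE = re.compile(r"\bRandom\b[^\n]*\.Next(Double|Int64)?\s*\(")
KILL_CALL = re.compile(r"Process\.GetCurrentProcess\(\)\.Kill|Environment\.(Exit|FailFast)\s*\(")

def future_dates(src, today):
    """Hardcoded DateTime(y, m, d) literals that lie after `today`, sorted and de-duplicated."""
    found = set()
    for y, m, d in DATE_CTOR.findall(src):
        try:
            when = date(int(y), int(m), int(d))
        except ValueError:  # e.g. month 13: not a calendar date, so not a trigger window
            continue
        if when > today:
            found.add(when)
    return sorted(found)

def assess(src, today):
    """Flag source that reads the clock, compares it with future dates and can kill the process."""
    dates = future_dates(src, today)
    report = {
        "future_dates": dates,
        "reads_clock": bool(CLOCK_READ.search(src)),
        "random_gate": bool(RANDOM_GATE.search(src)),
        "kill_call": bool(KILL_CALL.search(src)),
    }
    # The random gate is reported but not required: a deterministic date trigger is just as disruptive.
    report["suspicious"] = bool(dates) and report["reads_clock"] and report["kill_call"]
    return report

if __name__ == "__main__":
    print(assess(SAMPLE_CS, DISCLOSURE_DATE))
```

Run it over a decompiler's output (for example the C# emitted by ILSpy or dnSpy) for each package in a restore cache and review anything marked suspicious by hand; legitimate code that reads the clock and exits on a licence expiry will also match, so the verdict is a triage lead, not a conviction.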
- Malicious NuGet packages drop disruptive 'time bombs' — www.bleepingcomputer.com — 07.11.2025 22:53