Eslint-plugin-unicorn-ts-2 version 1.2.1 supply-chain malware activity
Malware Activity
Summary
Hide ▲
Show ▼
The eslint-plugin-unicorn-ts-2 npm package was identified as a malicious release that exposed developers to supply-chain compromise. Its 1.2.1 version used a post-install hook to run automatically after installation. The package harvested environment variables and sent them to a Pipedream webhook. Earlier malicious versions dating back to 1.1.3 and the package’s continued availability made the abuse more persistent.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
H score45
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
CampaignAbout this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Npm supply-chain worm that steals publishing tokens and self-propagates
Malware Activity
H score34
First: 22.04.2026 15:57
Last: 22.04.2026 15:57
Sources 1
About this happening:
A **new npm supply-chain worm** is stealing **developer publishing tokens** and using them to **self-propagate** through republished packages, creating the risk of broader comprom...
Npm supply-chain worm that steals publishing tokens and self-propagates
Malware ActivityAbout this happening: A **new npm supply-chain worm** is stealing **developer publishing tokens** and using them to **self-propagate** through republished packages, creating the risk of broader comprom...
Timeline
-
01.12.2025 17:00 2 articles · 7mo ago
Eslint-plugin-unicorn-ts-2 version 1.2.1 supply-chain malware activity
Initial DisclosureThe initial stage was a **typosquatted npm package** that imitated **eslint-plugin-unicorn** while hiding malicious code. Installation triggered automatic execution, enabling immediate **environment-variable theft** and outbound exfiltration.
Show sources
- Malware Manipulates AI Detection in Latest npm Package Breach — www.infosecurity-magazine.com — 01.12.2025 17:00
- Malicious npm Package Uses Hidden Prompt and Script to Evade AI Security Tools — thehackernews.com — 02.12.2025 16:17