Sha1-Hulud supply-chain campaign expands secret theft across npm and GitHub

Campaign
H score 49
5 unique sources, 7 articles

Summary

Shai-Hulud is a self-replicating npm supply-chain worm that first appeared in September 2025 and spread by stealing developer secrets and GitHub tokens from compromised accounts. The campaign used trojanized packages to publish new malicious versions, then expanded in a second wave that affected more than 700 npm packages with over 100 million downloads. Trust Wallet later said a December 24 compromise of its Chrome extension was likely tied to the campaign and led to roughly $8.5 million stolen from more than 2,500 crypto wallets. Researchers also warned the operation could turn CI/CD and package publishing into a distribution mechanism for broader compromise across the software supply chain.

Related Happenings

TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline

Threat Actor Meta
First: 18.05.2026 22:53 Last: 18.05.2026 22:53 Sources 1

About this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

How related: At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn.

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Grafana Labs Says GitHub hit by cyberattack

Incident
First: 17.05.2026 10:13 Last: 17.05.2026 10:13 Sources 1

About this happening: A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

Timeline

  1. 26.01.2026 16:02 1 article · 4mo ago

    Koi reports PackageGate Git dependency bypass in NPM defenses

    Technical Analysis Update

    Koi Security found PackageGate flaws in pnpm, vlt, Bun, and NPM that let a malicious `.npmrc` override the git binary path during Git repository installs, bypass `--ignore-scripts=true`, and trigger full code execution. Bun patched the flaws in version 1.3.5, vlt fixed them after Koi's report, pnpm released fixes for CVE-2025-69263 and CVE-2025-69264, and NPM closed the report as "works as expected."

  2. 02.01.2026 16:19 3 articles · 4mo ago

    Sha1-Hulud supply-chain campaign expands secret theft across npm and GitHub

    Initial Disclosure

    In **early September**, the campaign's first wave used a **self-propagating payload** to compromise **over 180 npm packages** and begin stealing **developer secrets** and **API keys**. That opening phase established the compromise-and-publish pattern later repeated at larger scale.

  3. 02.01.2026 16:19 1 article · 4mo ago

    Trust Wallet compromise linked to Sha1-Hulud campaign

    Victim Impact Update

    Trust Wallet said a December 24 compromise of its Chrome extension was likely tied to Sha1-Hulud and led to roughly $8.5 million stolen from more than 2,500 crypto wallets after attackers added malicious JavaScript to version 2.68.0, exposed GitHub secrets, and used a leaked Chrome Web Store API key to publish trojanized builds.

  4. 25.11.2025 12:00 2 articles · 6mo ago

    Shai-Hulud second wave expands across npm

    Campaign Scope Update

    The Shai-Hulud "Second Coming" is targeting popular projects such as Zapier and PostHog, and Wiz Security said that as of yesterday it had already infected more than 700 npm packages with over 100 million downloads. GitHub is removing attacker-created repositories while malicious packages are being removed from npm as the campaign scales rapidly.

  5. 23.09.2025 12:20 1 article · 8mo ago

    GitHub tightens npm publishing and 2FA controls

    Mitigation Patch Update

    GitHub announced upcoming npm authentication and publishing changes in response to recent supply chain attacks including Shai-Hulud, adding required two-factor authentication (2FA) for local publishing, shortening granular publishing tokens to seven days, expanding trusted publishing, defaulting publishing access away from tokens, and removing the option to bypass 2FA.
