Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
Summary
Hide ▲
Show ▼
The Mini Shai-Hulud npm malware activity now includes the Miasma variant affecting Microsoft GitHub repositories in a self-replicating supply-chain campaign. On June 5, Microsoft removed 73 repositories across Azure, microsoft, Azure-Samples, and MicrosoftDocs after concerns about potential malicious content tied to the campaign, and GitHub later restored the repositories. The disruption broke workflows that depended on Azure/functions-action, and Microsoft said it notified a small number of customers who may have pulled affected content.
Related Happenings
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Miasma supply-chain malware activity
Malware Activity
H score34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma supply-chain malware activity
Malware ActivityAbout this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma software supply chain campaign expands to new PyPI wave
Campaign
H score29
First: 09.06.2026 19:34
Last: 09.06.2026 19:34
Sources 1
How related:
The findings are the latest in a sustained software supply chain campaign that has breached widely used open-source packages to plant malware capable of propagating to downstream users and beyond.
About this happening:
The **Miasma** supply-chain campaign has expanded into a new **PyPI** wave, increasing the risk that developers and downstream users will ingest **information-stealing malware** t...
Miasma software supply chain campaign expands to new PyPI wave
CampaignHow related: The findings are the latest in a sustained software supply chain campaign that has breached widely used open-source packages to plant malware capable of propagating to downstream users and beyond.
About this happening: The **Miasma** supply-chain campaign has expanded into a new **PyPI** wave, increasing the risk that developers and downstream users will ingest **information-stealing malware** t...
Timeline
-
09.06.2026 18:42 2 articles · 1mo ago
Microsoft removes 73 GitHub repositories after Miasma compromise
Victim Impact UpdateOn June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Show sources
- GitHub disables Microsoft repos pushing password-stealing malware — www.bleepingcomputer.com — 09.06.2026 18:42
- Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues — thehackernews.com — 09.06.2026 19:34
-
12.05.2026 14:07 10 articles · 1mo ago
Researchers identify fresh Mini Shai-Hulud npm package wave across TanStack
Campaign Scope UpdateResearchers at Socket Threat Research and Aikido identified a fresh wave of Mini Shai-Hulud compromised npm packages affecting the TanStack open source developer ecosystem, with Aikido counting 373 malicious package-version entries across 169 npm package names and Socket finding 84 compromised TanStack package artifacts. The malware steals credentials from developer machines and CI/CD runners, self-replicates through compromised publishing paths, and abuses trusted publishing with heavily obfuscated JavaScript payloads and Bun-based execution.
Show sources
- Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain — www.darkreading.com — 12.05.2026 14:07
- TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates — thehackernews.com — 15.05.2026 13:54
- Self-Replicating 'Shai-hulud' Worm Targets NPM Packages — www.darkreading.com — 16.09.2025 23:02
- How Cloud Service Disruptions Are Making Resilience Critical for Developers — www.darkreading.com — 25.09.2025 16:39
- Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft — thehackernews.com — 24.11.2025 15:03
- Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem — www.infosecurity-magazine.com — 20.05.2026 18:00
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — thehackernews.com — 01.06.2026 20:40
- Red Hat npm packages compromised to steal developer credentials — www.bleepingcomputer.com — 02.06.2026 00:38
- Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets — www.infosecurity-magazine.com — 02.06.2026 13:00
- Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack — thehackernews.com — 06.06.2026 09:58
-
16.09.2025 08:00 1 articles · 9mo ago
Researchers disclose Shai-Hulud npm supply-chain campaign
Initial DisclosureResearchers reported the Shai-Hulud npm supply-chain campaign affecting more than 40 packages across multiple maintainers, with trojanized versions injecting bundle.js to run TruffleHog, validate npm tokens, use GitHub APIs, create GitHub Actions workflows, and exfiltrate secrets to webhook[.]site while self-propagating to downstream packages.
Show sources
- 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials — thehackernews.com — 16.09.2025 08:00