Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
Summary
The Sha1-Hulud npm supply-chain campaign is a fresh second wave of Shai-Hulud-style activity that has compromised hundreds of npm packages. The malware runs during the preinstall phase, uses TruffleHog to steal NPM tokens, AWS/GCP/Azure credentials, and environment variables, and publishes stolen secrets to GitHub. In some cases, it also registers infected systems as self-hosted runners and can trigger catastrophic data destruction if it cannot obtain tokens or maintain persistence.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
GlassWorm supply-chain malware activity
Malware Activity
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Timeline
- 12.05.2026 14:07 · 6 articles · 15d ago
Researchers identify fresh Mini Shai-Hulud npm package wave across TanStack
Campaign Scope Update: Researchers at Socket Threat Research and Aikido identified a fresh wave of Mini Shai-Hulud compromised npm packages affecting the TanStack open source developer ecosystem, with Aikido counting 373 malicious package-version entries across 169 npm package names and Socket finding 84 compromised TanStack package artifacts. The malware steals credentials from developer machines and CI/CD runners, self-replicates through compromised publishing paths, and abuses trusted publishing with heavily obfuscated JavaScript payloads and Bun-based execution.
Sources:
- Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain — www.darkreading.com — 12.05.2026 14:07
- TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates — thehackernews.com — 15.05.2026 13:54
- Self-Replicating 'Shai-hulud' Worm Targets NPM Packages — www.darkreading.com — 16.09.2025 23:02
- How Cloud Service Disruptions Are Making Resilience Critical for Developers — www.darkreading.com — 25.09.2025 16:39
- Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft — thehackernews.com — 24.11.2025 15:03
- Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem — www.infosecurity-magazine.com — 20.05.2026 18:00
- 16.09.2025 08:00 · 1 article · 8mo ago
Researchers disclose Shai-Hulud npm supply-chain campaign
Initial Disclosure: Researchers reported the Shai-Hulud npm supply-chain campaign affecting more than 40 packages across multiple maintainers, with trojanized versions injecting bundle.js to run TruffleHog, validate npm tokens, use GitHub APIs, create GitHub Actions workflows, and exfiltrate secrets to webhook[.]site while self-propagating to downstream packages.
Sources:
- 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials — thehackernews.com — 16.09.2025 08:00