Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First reported
Last updated
Happening score
H score 68
4 unique sources, 13 articles

Summary

Hide ▲

The Mini Shai-Hulud npm malware activity now includes the Miasma variant affecting Microsoft GitHub repositories in a self-replicating supply-chain campaign. On June 5, Microsoft removed 73 repositories across Azure, microsoft, Azure-Samples, and MicrosoftDocs after concerns about potential malicious content tied to the campaign, and GitHub later restored the repositories. The disruption broke workflows that depended on Azure/functions-action, and Microsoft said it notified a small number of customers who may have pulled affected content.

Related Happenings

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Miasma supply-chain malware activity

Malware Activity
H score34 First: 10.06.2026 23:27 Last: 10.06.2026 23:27 Sources 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

Miasma software supply chain campaign expands to new PyPI wave

Campaign
H score29 First: 09.06.2026 19:34 Last: 09.06.2026 19:34 Sources 1

How related: The findings are the latest in a sustained software supply chain campaign that has breached widely used open-source packages to plant malware capable of propagating to downstream users and beyond.

About this happening: The **Miasma** supply-chain campaign has expanded into a new **PyPI** wave, increasing the risk that developers and downstream users will ingest **information-stealing malware** t...

Timeline

  1. 09.06.2026 18:42 2 articles · 1mo ago

    Microsoft removes 73 GitHub repositories after Miasma compromise

    Victim Impact Update

    On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

    Show sources
  2. 12.05.2026 14:07 10 articles · 1mo ago

    Researchers identify fresh Mini Shai-Hulud npm package wave across TanStack

    Campaign Scope Update

    Researchers at Socket Threat Research and Aikido identified a fresh wave of Mini Shai-Hulud compromised npm packages affecting the TanStack open source developer ecosystem, with Aikido counting 373 malicious package-version entries across 169 npm package names and Socket finding 84 compromised TanStack package artifacts. The malware steals credentials from developer machines and CI/CD runners, self-replicates through compromised publishing paths, and abuses trusted publishing with heavily obfuscated JavaScript payloads and Bun-based execution.

    Show sources
  3. 16.09.2025 08:00 1 articles · 9mo ago

    Researchers disclose Shai-Hulud npm supply-chain campaign

    Initial Disclosure

    Researchers reported the Shai-Hulud npm supply-chain campaign affecting more than 40 packages across multiple maintainers, with trojanized versions injecting bundle.js to run TruffleHog, validate npm tokens, use GitHub APIs, create GitHub Actions workflows, and exfiltrate secrets to webhook[.]site while self-propagating to downstream packages.

    Show sources