Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
Summary
Hide ▲
Show ▼
The Mini Shai-Hulud supply-chain campaign linked to TeamPCP expanded into downstream victim reporting, including Grafana Labs. Grafana said its GitHub environment was accessed, its codebase was downloaded, and additional internal operational information was taken after malicious TanStack npm packages were consumed by its CI/CD environment. The company said it first saw the activity on May 11 and later discovered the unauthorized download on May 17; it also said there is no indication customer production systems or operations were compromised.
Related Happenings
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
TrapDoor cross-ecosystem supply-chain campaign
CampaignAbout this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Laravel Lang organization hit by network compromise
Incident
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang organization hit by network compromise
IncidentAbout this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
GitHub data exposed after GitHub breach
Data Leak
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub data exposed after GitHub breach
Data LeakAbout this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub internal repositories private-code leak claim
Data Leak
First: 20.05.2026 08:08
Last: 20.05.2026 08:08
Sources 1
About this happening:
GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...
GitHub internal repositories private-code leak claim
Data LeakAbout this happening: GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...
Latest development: 21.05.2026 17:45
A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
GitHub hit by network compromise
IncidentAbout this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Timeline
-
21.05.2026 11:00 1 articles · 6d ago
Grafana Labs reports GitHub codebase breach tied to Mini Shai-Hulud
Victim Impact UpdateGrafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Show sources
- Grafana Labs Says Code Breach Stemmed from TanStack Attack — www.infosecurity-magazine.com — 21.05.2026 11:00
-
12.05.2026 17:45 1 articles · 15d ago
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Initial DisclosureThe operation began in **April 2026** with targeting of **SAP-related packages** before escalating into a broader multi-ecosystem supply-chain effort. The early phase established the release-pipeline abuse pattern later used in the **May 11, 2026** TanStack wave.
Show sources
- Mini Shai-Hulud Hits TanStack npm Packages — www.infosecurity-magazine.com — 12.05.2026 17:45
-
12.05.2026 17:45 1 articles · 15d ago
Mini Shai-Hulud compromises 42 TanStack npm packages
Exploitation ObservedOn May 11, 2026, TeamPCP-linked Mini Shai-Hulud published 84 malicious versions across 42 @tanstack/* npm packages by abusing legitimate release pipelines; the affected TanStack packages included @tanstack/react-router, and the payload added router_init.js and an optionalDependencies path to @tanstack/setup to steal CI credentials, including GitHub Actions secrets.
Show sources
- Mini Shai-Hulud Hits TanStack npm Packages — www.infosecurity-magazine.com — 12.05.2026 17:45