Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
Summary
Hide ▲
Show ▼
The Mini Shai-Hulud supply-chain campaign linked to TeamPCP expanded into downstream victim reporting, including Grafana Labs. Grafana said its GitHub environment was accessed, its codebase was downloaded, and additional internal operational information was taken after malicious TanStack npm packages were consumed by its CI/CD environment. The company said it first saw the activity on May 11 and later discovered the unauthorized download on May 17; it also said there is no indication customer production systems or operations were compromised.
Related Happenings
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Microsoft hit by cyberattack
Incident
H score68
First: 09.06.2026 18:42
Last: 09.06.2026 18:42
Sources 1
About this happening:
A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Microsoft hit by cyberattack
IncidentAbout this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Timeline
-
21.05.2026 11:00 1 articles · 1mo ago
Grafana Labs reports GitHub codebase breach tied to Mini Shai-Hulud
Victim Impact UpdateGrafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Show sources
- Grafana Labs Says Code Breach Stemmed from TanStack Attack — www.infosecurity-magazine.com — 21.05.2026 11:00
-
12.05.2026 17:45 1 articles · 1mo ago
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Initial DisclosureThe operation began in **April 2026** with targeting of **SAP-related packages** before escalating into a broader multi-ecosystem supply-chain effort. The early phase established the release-pipeline abuse pattern later used in the **May 11, 2026** TanStack wave.
Show sources
- Mini Shai-Hulud Hits TanStack npm Packages — www.infosecurity-magazine.com — 12.05.2026 17:45
-
12.05.2026 17:45 1 articles · 1mo ago
Mini Shai-Hulud compromises 42 TanStack npm packages
Exploitation ObservedOn May 11, 2026, TeamPCP-linked Mini Shai-Hulud published 84 malicious versions across 42 @tanstack/* npm packages by abusing legitimate release pipelines; the affected TanStack packages included @tanstack/react-router, and the payload added router_init.js and an optionalDependencies path to @tanstack/setup to steal CI credentials, including GitHub Actions secrets.
Show sources
- Mini Shai-Hulud Hits TanStack npm Packages — www.infosecurity-magazine.com — 12.05.2026 17:45