Find notable cyber news and cases, enriched with sources, timelines, and signals.

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First reported
Last updated
Happening score
H score 56
4 unique sources, 6 articles

Summary

Hide ▲

The Shai-Hulud supply-chain campaign now includes a fresh PyPI wave that compromised 19 packages across 37 malicious releases, with popular bioinformatics tools such as Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH among the affected packages. Socket said the malware uses a malicious **`*-setup.pth` startup hook and `_index.js` to trigger Python execution, download the Bun JavaScript runtime from GitHub, and steal developer secrets. The activity is being tracked alongside earlier Shai-Hulud operations because the techniques and exfiltration patterns overlap, including GitHub repositories for secret exfiltration and persistence across Linux and macOS**.

Related Happenings

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Shai-Hulud PyPI supply-chain malware activity

Malware Activity
H score22 First: 08.06.2026 23:41 Last: 08.06.2026 23:41 Sources 1

How related: Hackers compromised 19 packages on the PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud supply-chain attack that delivered malware designed to steal developer secrets.

About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...

Asteroiddao hit by network compromise

Incident
H score13 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Miasma GitHub and npm supply-chain campaign

Campaign
H score26 First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Timeline

  1. 12.05.2026 14:29 1 articles · 1mo ago

    Malicious TanStack package wave spreads via stolen CI/CD credentials

    Exploitation Observed

    On 2026-05-11, threat actors published multiple malicious packages in TanStack npm namespaces and spread the same credential-stealing payload to other projects using stolen CI/CD credentials, while making the releases appear legitimate with valid OIDC tokens and SLSA Build Level 3 provenance attestations.

    Show sources
  2. 12.05.2026 14:29 2 articles · 1mo ago

    Shai-Hulud analysis details payload stealth, persistence, and IOCs

    Technical Analysis Update

    On 2026-05-12, analyses identified a broad Shai-Hulud wave across npm, PyPI, and Composer that delivered the same credential-stealing payload through packages that looked legitimate because they carried valid SLSA provenance, valid Sigstore attestations, and legitimate GitHub Actions signatures, while some infections persisted through Claude Code hooks and VS Code auto-run tasks. Developers who installed affected packages were advised to treat GitHub, npm, AWS, Vault, and Kubernetes credentials as exposed, audit for router_runtime.js and setup.mjs, and block api.masscan.cloud, git-tanstack.com, and *.getsession.org.

    Show sources
  3. 25.11.2025 12:00 3 articles · 7mo ago

    Shai-Hulud second wave targets Zapier and PostHog packages

    Campaign Scope Update

    Security researchers said the Shai-Hulud "Second Coming" is targeting npm projects including Zapier and PostHog, has infected more than 700 packages with over 100 million downloads, and is scaling by creating new malicious package versions and attacker-controlled GitHub repositories. The new version can infect up to 100 npm packages, compared with 20 in the first wave.

    Show sources
  4. 24.09.2025 00:00 1 articles · 9mo ago

    GitHub hardens npm publishing after Shai-Hulud

    Mitigation Patch Update

    GitHub said it removed more than 500 compromised npm packages, blocked new packages carrying Shai-Hulud indicators of compromise, and will harden npm publishing by requiring local package publishing with 2FA, limiting granular tokens to seven days, favoring Trusted Publishers, deprecating classic tokens and TOTP, and removing the option to bypass 2FA for local publishing.

    Show sources