
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Type: Campaign
Happening score: 40
4 unique sources, 5 articles

Summary


The Shai-Hulud supply-chain campaign remains active across npm, PyPI, and Composer. The latest reporting ties TeamPCP both to GitHub's investigation of alleged unauthorized access to its internal repositories and to a fresh compromise of the durabletask PyPI package. GitHub said it is investigating the unauthorized access after TeamPCP allegedly offered source code and internal organizations for sale; the package attack delivered a Linux-only infostealer with worm-like propagation through AWS SSM and Kubernetes. The malicious durabletask versions identified were 1.4.1, 1.4.2, and 1.4.3, and the payload fetches a second stage from check.git-service[.]com, falling back to t.m-kosche[.]com.

Related Happenings

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 · Last: 23.05.2026 23:48 · Sources: 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 · Last: 23.05.2026 23:48 · Sources: 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Packagist package.json hook supply chain attack campaign

Campaign
First: 23.05.2026 19:07 · Last: 23.05.2026 19:07 · Sources: 1

About this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 · Last: 22.05.2026 14:55 · Sources: 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

GitHub data exposed after GitHub breach

Data Leak
First: 20.05.2026 11:14 · Last: 20.05.2026 11:14 · Sources: 1

About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...

Timeline

  1. 12.05.2026 14:29 · 1 article · 15d ago

    Malicious TanStack package wave spreads via stolen CI/CD credentials

    Exploitation Observed

    On 2026-05-11, threat actors published multiple malicious packages in TanStack npm namespaces and, using stolen CI/CD credentials, spread the same credential-stealing payload to other projects, making the releases appear legitimate with valid OIDC tokens and SLSA Build Level 3 provenance attestations.

  2. 12.05.2026 14:29 · 2 articles · 15d ago

    Shai-Hulud analysis details payload stealth, persistence, and IOCs

    Technical Analysis Update

    On 2026-05-12, analyses identified a broad Shai-Hulud wave across npm, PyPI, and Composer that delivered the same credential-stealing payload. The packages looked legitimate because they carried valid SLSA provenance, valid Sigstore attestations, and legitimate GitHub Actions signatures, and some infections persisted through Claude Code hooks and VS Code auto-run tasks. Developers who installed affected packages were advised to treat GitHub, npm, AWS, Vault, and Kubernetes credentials as exposed, audit for router_runtime.js and setup.mjs, and block api.masscan.cloud, git-tanstack.com, and *.getsession.org.

  3. 25.11.2025 12:00 · 2 articles · 6mo ago

    Shai-Hulud second wave targets Zapier and PostHog packages

    Campaign Scope Update

    Security researchers said the Shai-Hulud "Second Coming" is targeting npm projects including Zapier and PostHog, has infected more than 700 packages with over 100 million downloads, and is scaling by creating new malicious package versions and attacker-controlled GitHub repositories. The new version can infect up to 100 npm packages, compared with 20 in the first wave.

  4. 24.09.2025 00:00 · 1 article · 8mo ago

    GitHub hardens npm publishing after Shai-Hulud

    Mitigation Patch Update

    GitHub said it removed more than 500 compromised npm packages, blocked new packages carrying Shai-Hulud indicators of compromise, and will harden npm publishing by requiring local package publishing with 2FA, limiting granular tokens to seven days, favoring Trusted Publishers, deprecating classic tokens and TOTP, and removing the option to bypass 2FA for local publishing.
