TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
Summary
Hide ▲
Show ▼
The TeamPCP-linked Mini Shai-Hulud campaign is an active npm supply-chain operation that steals developer credentials and abuses trusted publishing paths to spread trojanized packages. A new Miasma wave compromised more than 30 npm packages in Red Hat's @redhat-cloud-services namespace and used preinstall hooks to steal GitHub Actions secrets, cloud credentials, SSH keys, npm tokens, and other sensitive files. Red Hat said it removed the affected packages and has not identified impact to customer, partner, or production environments, while the wider campaign has already compromised 309 GitHub repositories.
Related Happenings
GitHub npm version 12 hardens installs and token management
Security Tool/Service
H score11
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
**GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm version 12 hardens installs and token management
Security Tool/ServiceAbout this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Timeline
-
12.05.2026 14:07 2 articles · 1mo ago
Mini Shai-Hulud fresh wave compromises TanStack npm packages
Initial DisclosureResearchers disclosed a fresh wave of TeamPCP-linked Mini Shai-Hulud infections across compromised npm packages in the TanStack developer ecosystem, including 373 malicious package-version entries across 169 npm package names and 84 compromised TanStack npm package artifacts. The malware steals credentials from developer machines and CI/CD runners, then abuses trusted publishing paths, GitHub Actions/OIDC, and maintainers’ publishing credentials to push trojanized package updates.
Show sources
- Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain — www.darkreading.com — 12.05.2026 14:07
- Leaked Shai-Hulud malware fuels new npm infostealer campaign — www.bleepingcomputer.com — 18.05.2026 20:28
-
26.11.2025 20:08 4 articles · 7mo ago
Shai-Hulud v2 expands from npm into Maven packages
Campaign Scope UpdateShai-Hulud v2 expanded from npm into Maven through org.mvnpm:posthog-node:4.18.1, which contained setup_bun.js and bun_environment.js. The campaign also abused GitHub Actions CI misconfigurations in projects associated with PostHog, AsyncAPI, and Postman, and the broader operation was linked to more than 28,000 affected repositories and widespread secret theft.
Show sources
- Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets — thehackernews.com — 26.11.2025 20:08
- GitHub links repo breach to TanStack npm supply-chain attack — www.bleepingcomputer.com — 21.05.2026 09:54
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — thehackernews.com — 01.06.2026 20:40
- Red Hat npm packages compromised to steal developer credentials — www.bleepingcomputer.com — 02.06.2026 00:38