Find notable cyber news and cases, enriched with sources, timelines, and signals.

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
First reported
Last updated
Happening score
H score 75
3 unique sources, 6 articles

Summary

Hide ▲

The TeamPCP-linked Mini Shai-Hulud campaign is an active npm supply-chain operation that steals developer credentials and abuses trusted publishing paths to spread trojanized packages. A new Miasma wave compromised more than 30 npm packages in Red Hat's @redhat-cloud-services namespace and used preinstall hooks to steal GitHub Actions secrets, cloud credentials, SSH keys, npm tokens, and other sensitive files. Red Hat said it removed the affected packages and has not identified impact to customer, partner, or production environments, while the wider campaign has already compromised 309 GitHub repositories.

Related Happenings

GitHub npm version 12 hardens installs and token management

Security Tool/Service
H score11 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Timeline

  1. 12.05.2026 14:07 2 articles · 1mo ago

    Mini Shai-Hulud fresh wave compromises TanStack npm packages

    Initial Disclosure

    Researchers disclosed a fresh wave of TeamPCP-linked Mini Shai-Hulud infections across compromised npm packages in the TanStack developer ecosystem, including 373 malicious package-version entries across 169 npm package names and 84 compromised TanStack npm package artifacts. The malware steals credentials from developer machines and CI/CD runners, then abuses trusted publishing paths, GitHub Actions/OIDC, and maintainers’ publishing credentials to push trojanized package updates.

    Show sources
  2. 26.11.2025 20:08 4 articles · 7mo ago

    Shai-Hulud v2 expands from npm into Maven packages

    Campaign Scope Update

    Shai-Hulud v2 expanded from npm into Maven through org.mvnpm:posthog-node:4.18.1, which contained setup_bun.js and bun_environment.js. The campaign also abused GitHub Actions CI misconfigurations in projects associated with PostHog, AsyncAPI, and Postman, and the broader operation was linked to more than 28,000 affected repositories and widespread secret theft.

    Show sources