Inactive maintainer account 'atiertant' hit by network compromise
Incident
Summary
Hide ▲
Show ▼
The inactive maintainer account 'atiertant' for node-ipc was compromised, enabling malicious package releases that could steal credentials from downstream installations. Researchers confirmed [email protected], [email protected], and [email protected] as malicious. The compromise turned a trusted npm publishing path into a supply-chain risk for developers using the package.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
How related:
Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm.
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Node-ipc malicious versions with stealer/backdoor payload
Malware ActivityHow related: Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm.
About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
CampaignAbout this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
TanStack hit by network compromise
Incident
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
TanStack hit by network compromise
IncidentAbout this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Timeline
-
15.05.2026 20:10 2 articles · 12d ago
Compromised node-ipc publishing account enables malicious npm releases
Initial DisclosureThe inactive maintainer account 'atiertant' for node-ipc was compromised, allowing newly published npm versions [email protected], [email protected], and [email protected] to carry credential-stealing malware that runs from node-ipc.cjs and was detected by application security researchers.
Show sources
- Popular node-ipc npm package compromised to steal credentials — www.bleepingcomputer.com — 15.05.2026 20:10
- Popular node-ipc npm package compromised to steal credentials — www.bleepingcomputer.com — 15.05.2026 20:10