Shai-Hulud public GitHub repository credential exposure

Data Leak
Happening score: 26
1 unique sources, 1 articles

Summary

Shai-Hulud stole developer credentials that were later exposed in public GitHub repositories, turning a theft phase into a public leak of access data. The exposed material involved accounts with publishing rights, which raises the risk of package tampering and impersonation. The leak matters because public publication makes the stolen information easier to copy, redistribute, and reuse.

Related Happenings

Congress demands CISA answers on GitHub credential leak

Public Sector Action
First: 22.05.2026 19:34 Last: 22.05.2026 19:34 Sources 1

About this happening: **Lawmakers in both houses of Congress** demanded answers from **CISA** after a contractor exposed **AWS GovCloud keys** and other secrets on **public GitHub**. The letters presse...

CISA contractor GitHub repository exposed internal credentials

Data Leak
First: 18.05.2026 23:48 Last: 18.05.2026 23:48 Sources 1

About this happening: A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...

Latest development: 22.05.2026 19:34

On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

How related: A threat actor using the account deadcode09284814 published four malicious packages on npm and embedded one of them with a non-obfuscated version of Shai-Hulud that targeted developer credentials, secrets, cryptocurrency wallet data, and account information.

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

How related: According to the researchers, the chalk-tempalte package contains a clone of the Shai-Hulud malware attributed to the TeamPCP hacker group that is responsible for the recent Mini Shai-Hulud software supply-chain attack.

About this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...

Timeline

  1. 18.05.2026 20:28 2 articles · 9d ago

    Stolen developer credentials exposed in public GitHub repositories

    Initial Disclosure

    Stolen developer credentials for accounts with publishing rights were exposed in public GitHub repositories, creating a public leak of access data that could be copied and reused for package tampering and impersonation.
