Mini Shai-Hulud: npm worm devours the supply chain

7 min read

On May 11, 2026, Microsoft Security Research reports a new wave of the npm worm Shai-Hulud: 170 affected npm packages and two PyPI packages, spread across 404 malicious package versions. This marks the first coordinated campaign to hit both npm and PyPI simultaneously. What’s striking isn’t the number-it’s the design. Mini Shai-Hulud steals credentials and then spreads itself further, using the very same trusted publishing pipelines that hold modern software supply chains together.

Key Takeaways

The worm propagates itself: Stolen OIDC and publishing rights generate new malicious releases under legitimate maintainer identities-no fresh phishing access required.
Persistence beyond the package: The malware sometimes embeds itself in developer configurations, remaining active even after the infected package is removed.
Tokens are the gateway: Those using npm Trusted Publishing and WebAuthn instead of long-lived tokens close the primary infection vector.

A second wave, larger and more coordinated

Shai-Hulud isn’t a new name. Between November 24 and December 1, 2025, the first wave compromised hundreds of npm packages, including components from ecosystems like Zapier, PostHog, Postman, ENS Domains, and AsyncAPI. The variant Microsoft documented in early May 2026, dubbed Mini Shai-Hulud, takes it a step further. It targets high-profile projects like TanStack, Mistral AI, UiPath, OpenSearch, and AntV-and for the first time, spans both major registries.

The 404 malicious versions refer to the number of tampered package releases across the 170 npm and two PyPI packages. The figure has nothing to do with HTTP errors. For security teams, this shifts the focus: away from hunting individual rogue packages and toward tracking a chain of publications that feed off each other.

The Mechanics: preinstall runs before any test

The attack begins at the weakest point of the installation process. A malicious preinstall script in the package.json is executed automatically during installation-before any tests or security checks can intervene. This window of opportunity is the leverage. Within it, a setup script named set_bun.js installs the alternative JavaScript runtime Bun if needed, then executes the actual payload from the file bun_environment.js.

What happens next is a systematic harvest. The malware downloads a GitHub Actions runner and deploys the credential scanner TruffleHog to extract secrets from repositories and environment variables. The loot is sent to repositories under the attackers’ control. Far more than npm tokens are stolen: AWS SSO and IMDSv2 credentials, Azure, Google Cloud, and Kubernetes logins, SSH keys, local configuration secrets, and even crypto wallets.

404 Versions

malicious package versions spread Mini Shai-Hulud across 170 npm and two PyPI packages, identified by Microsoft Security Research on May 11, 2026.

Source: Microsoft Security Blog

Why the worm survives long after the package is gone

The real leap beyond classic supply chain attacks lies in its propagation. Mini Shai-Hulud exploits stolen OIDC and publishing rights to release new malicious versions under the identities of legitimate maintainers. Through GitHub Trusted Publishing and npm lifecycle scripts, the attack spreads via trusted release channels-without attackers needing to phish anyone again.

Even more unsettling is its persistence. According to Microsoft, the malware sometimes embeds itself via SessionStart hooks in the file .claude/settings.json and through the GitHub GraphQL API. This means the attack lingers in the developer environment-not just in the dependency. Removing the infected package and assuming the job is done overlooks the mechanism that reignites with every subsequent tool launch.

The new attack surface: AI dev tools and alternative runtimes

This is where the lesson extends beyond this single incident. The worm exploits not just classic npm scripts but also an alternative runtime like Bun and the hook files of modern AI coding tools-a persistence mechanism that traditional audits rarely scrutinize. An SBOM lists dependencies, but it doesn’t account for hook configurations in developer setups.

For incident response, this means expanding the scope. Investigating a supply chain compromise now requires examining AI assistant configuration files, local hook files, and non-Node runtimes. This isn’t AI panic-it’s the sobering realization that the CI/CD attack surface has grown to include tools that weren’t on every developer’s machine two years ago.

Defense: Replace Tokens, Harden Identity, Sign the Pipeline

The good news is that the most effective measures are principles, not products. Microsoft and several security firms like Akamai, Snyk, and StepSecurity-reporting in parallel on the campaign-agree on a consistent core. Maintainers should adopt npm Trusted Publishing instead of long-lived tokens, as a stolen token fuels self-propagation. WebAuthn-based two-factor authentication offers stronger protection than TOTP, which can be phished. And commit signatures make tampered releases visible.

For users, speed is critical. Anyone who might be affected should rotate exposed credentials immediately, not wait. Automated SBOM generation and agentless scanning help detect the tampered versions in the first place. Attack surface reduction rules can block obfuscated scripts before they execute. For German companies, there’s also a legal dimension: NIS2 turns supply chain due diligence into a verifiable requirement. An incident like this becomes both a technical and a documentation issue.

Frequently Asked Questions

What is Mini Shai-Hulud?

Mini Shai-Hulud is a variant of the npm worm Shai-Hulud from 2025. The wave documented by Microsoft on May 11, 2026, compromised 170 npm and two PyPI packages via 404 malicious versions, spreading autonomously through the software supply chain’s publishing channels.

How does the worm infect a system?

Through a malicious preinstall script that executes automatically-and before any tests-when a package is installed. It installs the Bun runtime, downloads a payload, and scans for credentials using TruffleHog, which are then exfiltrated to the attackers.

Why isn’t deleting the infected package enough?

Because the malware sometimes embeds itself outside the dependency, such as via SessionStart hooks in AI coding tool configurations or through the GitHub GraphQL interface. This persistence triggers on every tool startup, even if the package has long since been removed.

Which credentials are affected?

Stolen credentials include npm tokens, AWS SSO and IMDSv2 access, Azure, Google Cloud, and Kubernetes logins, SSH keys, local configuration secrets, and crypto wallets. If a compromise is suspected, exposed credentials should be rotated immediately.

What does this incident mean for NIS2 obligations?

NIS2 requires verifiable due diligence in the supply chain. A supply chain incident like this extends beyond technical defense to include documentation and reporting obligations for affected companies.