7 min read<\/p>\n
On May 11, 2026, Microsoft Security Research reports a new wave of the npm worm Shai-Hulud: 170 affected npm packages and two PyPI packages, spread across 404 malicious package versions.<\/strong> This marks the first coordinated campaign to hit both npm and PyPI simultaneously. What\u2019s striking isn\u2019t the number-it\u2019s the design. Mini Shai-Hulud steals credentials and then spreads itself further, using the very same trusted publishing pipelines that hold modern software supply chains together.<\/p>\n Key Takeaways<\/p>\n Related:<\/span>The Splunk vulnerability that deletes files without login<\/a> \/<\/span> Machine identities in offboarding<\/a><\/p>\n Shai-Hulud isn\u2019t a new name. Between November 24 and December 1, 2025, the first wave compromised hundreds of npm packages, including components from ecosystems like Zapier, PostHog, Postman, ENS Domains, and AsyncAPI. The variant Microsoft documented in early May 2026, dubbed Mini Shai-Hulud, takes it a step further. It targets high-profile projects like TanStack, Mistral AI, UiPath, OpenSearch, and AntV-and for the first time, spans both major registries.<\/p>\n The 404 malicious versions refer to the number of tampered package releases across the 170 npm and two PyPI packages. The figure has nothing to do with HTTP errors. For security teams, this shifts the focus: away from hunting individual rogue packages and toward tracking a chain of publications that feed off each other.<\/p>\n The attack begins at the weakest point of the installation process. A malicious preinstall script in the package.json is executed automatically during installation-before any tests or security checks can intervene. This window of opportunity is the leverage. Within it, a setup script named set_bun.js<\/span> installs the alternative JavaScript runtime Bun if needed, then executes the actual payload from the file bun_environment.js<\/span>.<\/p>\n What happens next is a systematic harvest. The malware downloads a GitHub Actions runner and deploys the credential scanner TruffleHog to extract secrets from repositories and environment variables. The loot is sent to repositories under the attackers’ control. Far more than npm tokens are stolen: AWS SSO and IMDSv2 credentials, Azure, Google Cloud, and Kubernetes logins, SSH keys, local configuration secrets, and even crypto wallets.<\/p>\n The real leap beyond classic supply chain attacks lies in its propagation. Mini Shai-Hulud exploits stolen OIDC and publishing rights to release new malicious versions under the identities of legitimate maintainers. Through GitHub Trusted Publishing and npm lifecycle scripts, the attack spreads via trusted release channels-without attackers needing to phish anyone again.<\/p>\n Even more unsettling is its persistence. According to Microsoft, the malware sometimes embeds itself via SessionStart hooks in the file .claude\/settings.json<\/span> and through the GitHub GraphQL API. This means the attack lingers in the developer environment-not just in the dependency. Removing the infected package and assuming the job is done overlooks the mechanism that reignites with every subsequent tool launch.<\/p>\n This is where the lesson extends beyond this single incident. The worm exploits not just classic npm scripts but also an alternative runtime like Bun and the hook files of modern AI coding tools-a persistence mechanism that traditional audits rarely scrutinize. An SBOM lists dependencies, but it doesn\u2019t account for hook configurations in developer setups.<\/p>\n For incident response, this means expanding the scope. Investigating a supply chain compromise now requires examining AI assistant configuration files, local hook files, and non-Node runtimes. This isn\u2019t AI panic-it\u2019s the sobering realization that the CI\/CD attack surface has grown to include tools that weren\u2019t on every developer\u2019s machine two years ago.<\/p>\n The good news is that the most effective measures are principles, not products. Microsoft and several security firms like Akamai, Snyk, and StepSecurity-reporting in parallel on the campaign-agree on a consistent core. Maintainers should adopt npm Trusted Publishing instead of long-lived tokens, as a stolen token fuels self-propagation. WebAuthn-based two-factor authentication offers stronger protection than TOTP, which can be phished. And commit signatures make tampered releases visible.<\/p>\n For users, speed is critical. Anyone who might be affected should rotate exposed credentials immediately, not wait. Automated SBOM generation and agentless scanning help detect the tampered versions in the first place. Attack surface reduction rules can block obfuscated scripts before they execute. For German companies, there\u2019s also a legal dimension: NIS2 turns supply chain due diligence into a verifiable requirement. An incident like this becomes both a technical and a documentation issue.<\/p>\n Mini Shai-Hulud is a variant of the npm worm Shai-Hulud from 2025. The wave documented by Microsoft on May 11, 2026, compromised 170 npm and two PyPI packages via 404 malicious versions, spreading autonomously through the software supply chain\u2019s publishing channels.<\/p>\n Through a malicious preinstall script that executes automatically-and before any tests-when a package is installed. It installs the Bun runtime, downloads a payload, and scans for credentials using TruffleHog, which are then exfiltrated to the attackers.<\/p>\n Because the malware sometimes embeds itself outside the dependency, such as via SessionStart hooks in AI coding tool configurations or through the GitHub GraphQL interface. This persistence triggers on every tool startup, even if the package has long since been removed.<\/p>\n Stolen credentials include npm tokens, AWS SSO and IMDSv2 access, Azure, Google Cloud, and Kubernetes logins, SSH keys, local configuration secrets, and crypto wallets. If a compromise is suspected, exposed credentials should be rotated immediately.<\/p>\n NIS2 requires verifiable due diligence in the supply chain. A supply chain incident like this extends beyond technical defense to include documentation and reporting obligations for affected companies.<\/p>\n\n
A second wave, larger and more coordinated<\/h2>\n
The Mechanics: preinstall runs before any test<\/h2>\n
Why the worm survives long after the package is gone<\/h2>\n
The new attack surface: AI dev tools and alternative runtimes<\/h2>\n
Defense: Replace Tokens, Harden Identity, Sign the Pipeline<\/h2>\n
Frequently Asked Questions<\/h2>\n
What is Mini Shai-Hulud?<\/h3>\n
How does the worm infect a system?<\/h3>\n
Why isn\u2019t deleting the infected package enough?<\/h3>\n
Which credentials are affected?<\/h3>\n
What does this incident mean for NIS2 obligations?<\/h3>\n
Editor’s Reading Recommendations<\/h3>\n