timeago.js
@antv/* packages from Alibaba’s AntV data‑visualization ecosystem
Some of these packages are dependencies for popular frontend frameworks and visualization tools, giving the attack a large potential reach.
Microsoft reported that the compromise of the @antv npm ecosystem created cascading downstream impact because other projects depend on those libraries. Packages like echarts-for-react, which has more than a million weekly downloads, amplified the potential blast radius.
The malicious versions embedded an obfuscated JavaScript payload designed to run automatically when the package was installed.
Attackers achieved this using install‑time hooks such as preinstall, which execute scripts during dependency installation. This means the malware could run whenever a developer or CI system performed a normal npm install.
Researchers also observed a second delivery technique using optionalDependencies pointing to GitHub commit hashes. Because npm can fetch package content from a repository by commit SHA, attackers could reference objects from forks that shared Git history with the original repository—even without write access to the upstream project.
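As an added example (not code from this article or from any of the affected projects), the audit below flags both delivery techniques in a package manifest: install‑time lifecycle scripts and dependency specs pinned to a Git commit SHA. The manifest it runs on is constructed for illustration; the package and fork names are hypothetical.

```javascript
// Lifecycle scripts npm runs during installation; "prepare" also runs for git dependencies.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// npm git specs such as "github:owner/repo#<sha>", "owner/repo#<sha>" or
// "git+https://host/owner/repo.git#<sha>". Only specs ending in a hex commit id match;
// semver ranges never contain "#", so they are ignored.
const GIT_SHA_SPEC = /^(?:git\+[a-z]+:\/\/\S+|github:\S+|[\w.-]+\/[\w.-]+)#([0-9a-f]{7,40})$/i;

// Returns a list of findings for one parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ kind: 'lifecycle-hook', hook, command: scripts[hook] });
    }
  }
  // optionalDependencies are checked too: a failing optional dep does not fail the install,
  // so a commit-pinned entry there is easy to overlook.
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const m = GIT_SHA_SPEC.exec(String(spec));
      if (m) findings.push({ kind: 'git-commit-dep', field, name, spec, sha: m[1] });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names, not a real release).
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  scripts: { build: 'tsc', preinstall: 'node ./setup.js' },
  dependencies: { lodash: '^4.17.21' },
  optionalDependencies: {
    'some-lib': 'github:example-fork/some-lib#0123456789abcdef0123456789abcdef01234567',
  },
};

// Prints one JSON line per finding: a preinstall hook and a commit-pinned optional dependency.
for (const finding of auditManifest(SAMPLE_MANIFEST)) {
  console.log(JSON.stringify(finding));
}
```

Installing with `npm ci --ignore-scripts` stops lifecycle hooks from running at all, at the cost of breaking packages that legitimately need them, so the audit above is a complement rather than a replacement for that setting.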
The payload’s primary goal was credential harvesting. Once executed, the malware scanned the host system and development environment for secrets that could enable further compromise.
Targets included:
It also attempted to extract data from local password‑manager stores such as 1Password, Bitwarden, pass, and gopass.
To move the stolen data out of the victim environment, the malware used two exfiltration channels: committing data into Git objects in public GitHub repositories and sending encrypted HTTPS requests disguised as telemetry traffic.
Security researchers describe Mini Shai‑Hulud as self‑propagating.
Instead of stopping after stealing credentials, the malware attempts to reuse those secrets to spread further across the ecosystem. For example, in CI environments it tries to obtain additional publishing tokens or manipulate automation workflows so attackers can push new malicious package versions.
This propagation strategy turns compromised developers or pipelines into launch points for additional supply‑chain attacks.
A related wave of the campaign appeared earlier in May 2026 and targeted packages in the TanStack ecosystem, a widely used collection of frontend libraries.
The compromised releases included malicious code designed to steal CI/CD secrets and developer credentials, enabling attackers to expand the attack to other repositories and packages.
Security analyses found the malware embedded inside obfuscated JavaScript bundles that profiled the runtime environment and initiated credential‑stealing activity.
The TanStack compromise had real‑world impact beyond open‑source projects.
OpenAI later confirmed that two employee devices were affected through the malicious dependency chain. The company observed activity consistent with credential‑focused malware attempting to access internal repositories accessible to those employees.
However, the company reported that:
As a precaution, OpenAI isolated the impacted systems, revoked sessions, rotated credentials, restricted deployment workflows, and began rotating code‑signing certificates.
Mini Shai‑Hulud illustrates how modern supply‑chain attacks increasingly target the developer ecosystem itself rather than end users directly.
Key reasons the campaign is notable:
Because open‑source dependencies underpin much of today’s software infrastructure, even a brief compromise of a widely used package can affect thousands of downstream projects.
The incident underscores a growing challenge for the software ecosystem: protecting not just applications, but the entire chain of tools, maintainers, and automation pipelines that build them.