The Mini Shai‑Hulud npm Supply‑Chain Attack Explained

Security research reports that the operation compromised more than 170 npm and PyPI packages across 19 namespaces, publishing over 400 malicious package versions between May 10 and May 12, 2026.

The affected packages included libraries tied to projects such as TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI—software components with large downstream usage across web applications and developer tools.

Because these packages collectively accumulated hundreds of millions of historical downloads, even a brief compromise created widespread risk across the developer ecosystem.

A later wave targeted the AntV data‑visualization ecosystem, where hundreds of malicious versions were published across related npm packages with roughly 16 million weekly downloads.

How 600+ Malicious Versions Were Published So Quickly

The astonishing speed of the attack came from abusing trusted automation and maintainership privileges.

In the May 19 wave, the attackers reportedly compromised the npm maintainer account associated with the atool package and used it to push hundreds of new versions across a large group of related packages.

Because maintainers can publish new versions automatically through scripts and CI pipelines, a single compromised account allowed attackers to:

• Trigger automated publishes across dozens or hundreds of packages
• Increment versions rapidly
• Push releases in parallel

This automation allowed the attackers to publish hundreds of malicious artifacts within minutes, rather than manually compromising packages one by one.

Abuse of GitHub Actions OIDC and Trusted Publishing

One of the most technically notable aspects of Mini Shai‑Hulud was how it subverted modern “secure” publishing workflows.

Many projects now use GitHub Actions trusted publishing, where CI workflows obtain temporary identity tokens through OpenID Connect (OIDC) and use them to publish packages without storing long‑lived credentials.

In several compromised projects, the attackers were able to:

• Hijack or manipulate GitHub Actions workflows
• Extract short‑lived OIDC tokens from CI runner environments
• Use those tokens to authenticate publishing operations

Because the release pipeline itself performed the publish, the packages appeared to come from the project’s legitimate build system.

This technique bypassed a common security assumption: that removing long‑lived credentials automatically prevents supply‑chain compromise.

How the Attack Produced "Legitimate" Signed Malware

The attack went further by exploiting the software‑supply‑chain integrity systems meant to prevent tampering.

Modern build pipelines increasingly generate SLSA provenance attestations and sign artifacts using Sigstore certificates. These signatures allow users to verify that a package was built by a trusted workflow.

Mini Shai‑Hulud undermined that guarantee.

Researchers found that the attackers were able to obtain legitimate signing certificates by using compromised CI identities and OIDC tokens. As a result, malicious packages were released with valid SLSA Build Level 3 provenance and cryptographic signatures.

From a verification perspective, the packages looked authentic: they were signed, traceable to real workflows, and published through trusted pipelines.

The weakness was not the signing system itself—it was that the trusted build environment had already been compromised.

What the Malware Tried to Steal

The malicious packages contained code designed to harvest sensitive developer and infrastructure credentials.

Reports indicate the malware targeted items such as:

• CI/CD tokens and pipeline credentials
• Cloud provider keys
• npm or GitHub access tokens
• SSH keys and other developer secrets

By stealing these secrets, the malware could compromise additional repositories and publishing pipelines, allowing the worm to propagate through the ecosystem.

This credential‑theft capability is what allowed Mini Shai‑Hulud to behave like a self‑spreading supply‑chain worm, moving from one compromised project to another.

Why This Attack Is a Major Ecosystem Threat

Mini Shai‑Hulud demonstrated several dangerous realities about modern software supply chains.

1. Trusted infrastructure can be turned against itself.

Even advanced security features—OIDC trusted publishing, SLSA provenance, and signed artifacts—cannot prevent malicious releases if attackers gain control of the build pipeline that generates them.

2. One compromised maintainer can affect hundreds of packages.

The AntV wave showed how a single account compromise could result in hundreds of malicious versions across hundreds of packages in minutes.

3. Popular packages amplify the blast radius.

Many compromised libraries are dependencies of other packages, meaning malicious updates can spread through transitive dependencies to thousands of projects.

4. The campaign evolved over time.

Security researchers linked Mini Shai‑Hulud to a broader TeamPCP campaign that also involved compromising tools such as the Checkmarx Jenkins AST plugin and targeting multiple open‑source ecosystems.

Because the techniques rely on automation and common CI/CD patterns, analysts warn that copycat attacks or variants are likely.

The Bigger Lesson for Developers

Mini Shai‑Hulud exposed a critical truth about modern software supply chains: cryptographic verification alone cannot guarantee safety if attackers control the trusted pipeline producing the software.

The attack shows why organizations increasingly focus on:

• isolating CI runners
• restricting workflow permissions
• monitoring unusual publish activity
• auditing dependencies continuously

As the ecosystem shifts toward automated builds and signed artifacts, the security of CI infrastructure and developer identities has become just as important as the integrity of the code itself.

Mini Shai‑Hulud demonstrated how quickly that trust can be exploited—and how widely the consequences can spread when it is.