
On May 19, the Mini Shai-Hulud worm compromised one npm maintenance account and spread 639 malicious versions across 323 packages in less than 30 minutes.
The hijacked account, “Atul” (email protected), publishes Alibaba’s @antv data visualization suite alongside standalone libraries used in crypto dashboards, DeFi front-ends, and fintech applications.
The highest-traffic targets: Scale Sensor at 4.2 million downloads per week, echarts-for-react at 1.1 million, @antv/scale at 2.2 million, and timeago.js at 1.15 million.
Projects that depended on echarts-for-react through a semver range such as ^3.0.6 automatically resolved to the malicious version 3.2.7 on the next clean install. The administrator shut down GitHub’s security warnings within an hour, burying them among closed versions.
What does the payload steal, and how does it persist?
The malware harvests more than 20 types of credentials: AWS keys via the EC2 and ECS metadata endpoints, Google Cloud and Azure tokens, GitHub and npm tokens, SSH keys, Kubernetes service accounts, HashiCorp Vault secrets, Stripe API keys, database connection strings, and local password vaults from 1Password and Bitwarden, per Switch.dev.
Exfiltration runs over two channels. The stolen credentials are encrypted with AES-256-GCM and sent to a command-and-control server.
As a fallback, the worm uses GitHub tokens to create public repositories with Dune-themed names such as sardaukar-melange-742 or fremen-sandworm-315, and commits the stolen data to them as files. StepSecurity reported that more than 2,500 GitHub repositories already contain content tied to the campaign.
The worm also hides encrypted stolen data inside OpenTelemetry traces sent over HTTPS. On Linux machines it installs a systemd user service that can keep fetching instructions from GitHub even after the malicious package has been removed.
It also modifies .vscode and .claude configuration files so that it is reactivated inside development environments.
The campaign continues to grow
This is the third wave. As Cryptopolitan reported in January, the original Shai-Hulud hit Trust Wallet’s npm packages and caused $8.5 million in losses. The second wave hit Mistral AI, TanStack, UiPath, and Guardrails AI on May 11.
Socket identified a total of 1,055 compromised versions across 502 distinct packages on npm, PyPI, and Composer.
The threat group behind the campaign, TeamPCP, promoted its tools on underground hacking forums, according to Datadog researchers. Copycat versions using different command-and-control servers have emerged, making attribution difficult.
SlowMist CEO 23pds said that any environment that installed the affected versions should be treated as fully vulnerable.
Recommended actions include revoking all access tokens, rotating credentials for AWS, GitHub, npm, and cloud providers, enforcing multi-factor authentication on deployment accounts, and reviewing repositories for any suspicious activity.