Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

OpenAI, TanStack, and Mistral AI Impacted in Escalating Mini Shai-Hulud Supply Chain Campaign

5 unique sources, 15 articles

Summary

The Mini Shai-Hulud supply chain campaign has escalated with a new wave of 639 compromised npm packages tied to the AntV ecosystem, including high-download dependencies such as echarts-for-react and timeago.js. The attack ran for roughly one hour on May 19, 2026, beginning at 01:56 UTC, publishing malicious versions from the compromised “atool” maintainer account that held rights for over 500 packages. Each compromised package added a preinstall hook that runs an obfuscated Bun bundle to harvest and exfiltrate credentials (cloud, CI/CD, SSH, Kubernetes, and password manager vaults) via GitHub repositories marked with Dune-themed names and the campaign's reversed signature.

Earlier waves targeted TanStack and Mistral AI SDKs, SAP npm packages, and PyPI ecosystems (Lightning, intercom-client), while compromising GitHub Actions workflows ('actions-cool/issues-helper', 'actions-cool/maintain-one-comment') and hundreds of npm packages across multiple ecosystems. Affected organizations include OpenAI (two employee devices breached via TanStack), UiPath, Guardrails AI, OpenSearch, and SAP, alongside hundreds of npm and PyPI packages. The malware harvests over 20 credential types, abuses OIDC tokens to forge Sigstore provenance attestations, implements self-propagation via stolen npm tokens, and includes a destructive sabotage payload targeting systems in Israel or Iran. The campaign is attributed to TeamPCP, which publicly released the Shai-Hulud source code, enabling rapid cloning and weaponization by other actors.
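
The summary above says each malicious version added a preinstall hook to package.json. The following audit script is an added example, not code from the campaign or from any of the cited reports: it lists every package in an installed tree that declares an install-time lifecycle script. The sample manifests and the `mentions_bun` heuristic are assumptions made for illustration.

```python
import json
import re
import sys
from pathlib import Path

# Scripts npm runs automatically while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Assumption: a hook that launches Bun names the runtime in its command line.
BUN_RE = re.compile(r"\bbun\b", re.IGNORECASE)

# Constructed manifests for illustration; the hook command is a placeholder,
# not the campaign's actual command line.
SAMPLE_MANIFESTS = {
    "clean-pkg": '{"name": "clean-pkg", "version": "1.0.0", "scripts": {"test": "jest"}}',
    "hooked-pkg": '{"name": "hooked-pkg", "version": "9.9.9",'
                  ' "scripts": {"preinstall": "bun run ./placeholder-bundle.js"}}',
}

def inspect_manifest(text):
    """Return a finding if this package.json declares install-time hooks, else None."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return None  # not valid JSON, so there is no scripts table to read
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return None
    hooks = {h: str(scripts[h]) for h in INSTALL_HOOKS if h in scripts}
    if not hooks:
        return None
    return {
        "name": str(manifest.get("name", "?")),
        "version": str(manifest.get("version", "?")),
        "hooks": hooks,
        "mentions_bun": any(BUN_RE.search(cmd) for cmd in hooks.values()),
    }

def audit_tree(root, reviewed=frozenset()):
    """Scan every package.json under root, skipping package names already reviewed."""
    findings = []
    for path in sorted(Path(root).rglob("package.json")):
        finding = inspect_manifest(path.read_text(encoding="utf-8", errors="replace"))
        if finding and finding["name"] not in reviewed:
            findings.append({**finding, "path": str(path)})
    return findings

if __name__ == "__main__":
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "node_modules"):
        flag = " [mentions bun]" if f["mentions_bun"] else ""
        print(f"{f['name']}@{f['version']}{flag}: {f['hooks']}")
```

Run it against a tree installed with `npm install --ignore-scripts`, so the hooks it lists have not already executed on the machine doing the audit.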

Timeline

  1. 12.05.2026 14:07 12 articles · 9d ago

    Fresh Mini Shai-Hulud Wave Abuses Compromised Maintainers and Trusted Publishing for Self-Propagation

    This article confirms the compromise of GitHub Actions workflows 'actions-cool/issues-helper' and 'actions-cool/maintain-one-comment' as part of the broader Mini Shai-Hulud campaign. Threat actors redirected all existing tags to imposter commits containing malicious code that downloads the Bun runtime, reads memory from the Runner.Worker process to extract CI/CD credentials, and exfiltrates data to 't.m-kosche[.]com'. Fifteen tags of 'actions-cool/maintain-one-comment' were also compromised using the same technique. GitHub disabled access to the repositories due to a violation of its terms of service, though the specific reason remains undisclosed. Only workflows pinned to a known-good full commit SHA are unaffected, as tags now resolve to malicious commits. This development underscores the campaign's cross-platform reach and continued evolution into CI/CD pipeline abuse.

    The latest wave expands the campaign's reach with over 600 malicious npm packages published in approximately one hour, primarily in the @antv ecosystem but also affecting popular packages like echarts-for-react, timeago.js, size-sensor, and canvas-nest.js. The new variant injects a heavily obfuscated 'index.js' payload targeting developer workstations and CI/CD environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, Netlify) to harvest and exfiltrate credentials across GitHub, npm, cloud providers, Kubernetes, Vault, Docker, database, and SSH environments.

    Stolen data is serialized, Gzip-compressed, AES-256-GCM-encrypted, and RSA-OAEP-wrapped, with fallback exfiltration to GitHub repositories under victim accounts. The malware also abuses OIDC tokens from compromised CI environments to generate valid Sigstore provenance attestations via Fulcio and Rekor, enabling malicious packages to appear legitimately signed despite containing credential-stealing malware. Self-propagation is present: the malware validates stolen npm tokens, enumerates victim packages, injects the payload, and republishes infected packages with incremented version numbers.

    Researchers observed 639 malicious versions across 323 unique packages in one hour, while Aikido reported over 2,700 rogue repositories created using stolen tokens, signaling a significant acceleration in the campaign's scale and sophistication.

    Additional details from the new article: the AntV-targeted wave began at 01:56 UTC on May 19, 2026, and pushed 639 malicious versions across 323 unique packages in about an hour from the compromised atool maintainer account, which held publish rights to more than 500 packages. Affected high-download dependencies included echarts-for-react, size-sensor, @antv/scale, and timeago.js. Each malicious version added a preinstall hook to package.json executing a 498 KB obfuscated Bun bundle that harvests cloud credentials, CI/CD tokens, SSH keys, Kubernetes service account tokens, and local password manager vaults. The payload exfiltrates stolen data through public GitHub repositories created using stolen tokens, using Dune-themed names and descriptions containing the reversed marker "Shai-Hulud: Here We Go Again." The tradecraft is described as consistent with a high-volume npm compromise pattern involving coordinated malicious publishes. Microsoft publicly commented on the new supply chain attack via X, and defenders are advised to rotate all credentials exposed during installation and audit for unauthorized repositories matching the campaign's naming patterns.

  2. 30.04.2026 19:31 4 articles · 20d ago

    PyPI Ecosystem Compromised via Lightning Malware Extending Mini Shai-Hulud Campaign

    The PyPI ecosystem was compromised via the Lightning package (versions 2.6.2 and 2.6.3) and intercom-client 7.0.4 as part of the Mini Shai-Hulud campaign, introducing a hidden _runtime directory with downloader and obfuscated JavaScript payloads executed automatically upon module import. The attack leveraged Bun runtime execution, harvested credentials validated via api.github[.]com/user, and propagated worm-like payloads to up to 50 branches in repositories, with commits impersonating Anthropic’s Claude Code. The maintainers of Lightning acknowledged the incident while investigating a suspected compromise of their GitHub account, and the campaign was assessed as an extension of the Mini Shai-Hulud supply chain attack with TeamPCP as the likely threat actor. The article published on April 30, 2026, provided initial documentation of the PyPI compromises and their technical parallels to the npm-based SAP package attacks disclosed earlier.

    New malicious npm packages leveraging the leaked Shai-Hulud source code ('chalk-tempalte', '@deadcode09284814/axios-util', 'axois-utils', and 'color-style-utils') were published by threat actor 'deadcode09284814', combining credential theft with a persistent DDoS botnet ('Phantom Bot') and targeting developer credentials, secrets, cryptocurrency wallet data, and account information. OX Security researchers discovered the malicious uploads and attributed typosquatting tactics against Axios users and generic package names as a key campaign vector.

    This article reports that TeamPCP published the Shai-Hulud source code to GitHub one week prior, enabling rapid cloning and weaponization into new packages. It highlights the threat actor's strategy to leverage the leaked code for monetization via credential theft and DDoS recruitment, and underscores the accelerating spread of variants with diverse C2 and payloads.

  3. 29.04.2026 19:26 7 articles · 21d ago

    SAP npm Package Supply Chain Compromise via Mini Shai-Hulud Malware Disclosed

    OpenAI confirmed two employee devices were infected via the Mini Shai-Hulud supply chain attack on TanStack, with unauthorized access and credential-focused exfiltration in a limited subset of internal repositories. No user data, production systems, or intellectual property were compromised or modified. OpenAI isolated affected systems, revoked sessions, rotated credentials, temporarily restricted deployment workflows, and conducted a forensic investigation. OpenAI also revoked and reissued code-signing certificates for iOS, macOS, Windows, and Android applications due to exposure in the TanStack-related incident. macOS desktop users (ChatGPT Desktop, Codex App, Codex CLI, Atlas) must update applications before June 12, 2026, to maintain security.

    New developments show the rapid weaponization of the leaked Shai-Hulud malware source code, with threat actors publishing four malicious npm packages (including a direct clone, 'chalk-tempalte', and a Golang-based DDoS botnet, 'axois-utils') that leverage the campaign's infrastructure to exfiltrate credentials to C2 servers and GitHub repositories, while establishing persistence mechanisms across Windows and Linux systems. The combined weekly download count of over 2,600 underscores the escalating reach and adoption of the campaign's tactics by cybercriminals.

    This article confirms that TeamPCP published the Shai-Hulud source code to GitHub one week prior, enabling rapid cloning and weaponization by other threat actors. It details the emergence of four malicious npm packages (including 'chalk-tempalte' and 'axois-utils') that combine credential theft with a DDoS botnet, and discusses the paradigm shift toward automated supply chain attacks weaponizing developer identity and CI/CD trust.
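
The first timeline entry notes that only workflows pinned to a known-good full commit SHA are unaffected once tags resolve to imposter commits. The check below is an added example, not code from the cited reports: it reads a workflow file's text and reports every `uses:` reference that is not pinned to a full commit SHA, marking the two actions named on this page. The sample workflow and its SHA are constructed.

```python
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# The two actions this page reports as having had their tags redirected.
NAMED_ON_PAGE = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}
# A step-level or job-level `uses:` key, optionally quoted; skips commented-out lines.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")

# Constructed workflow for illustration; the 40-hex SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v3
      - name: comment
        uses: "actions-cool/maintain-one-comment@main"
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
"""

def classify(ref):
    """Say how a `uses:` value is resolved: immutable pin or movable name."""
    if ref.startswith(("./", "../")):
        return "local"
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    version = ref.partition("@")[2].lower()
    # Tags and branches can be moved; only a full commit SHA is fixed, and it
    # still has to be compared against a value known to be good.
    return "pinned-sha" if FULL_SHA.match(version) else "mutable-ref"

def audit_workflow(text):
    """Return one finding per `uses:` line in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES.match(line)
        if match:
            ref = match.group(1)
            repo = "/".join(ref.split("@")[0].split("/")[:2]).lower()
            findings.append({"line": lineno, "ref": ref, "kind": classify(ref),
                             "named_on_page": repo in NAMED_ON_PAGE})
    return findings

def at_risk(findings):
    """Findings whose code can change without the workflow file changing."""
    return [f for f in findings if f["kind"] in ("mutable-ref", "docker-tag")]

if __name__ == "__main__":
    for f in at_risk(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f['line']}: {f['ref']} ({f['kind']})"
              + ("  <- named on this page" if f["named_on_page"] else ""))
```

A `pinned-sha` result only means the reference cannot move; the SHA itself still needs to be verified as a commit the team reviewed before the compromise.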

Similar Happenings

Unauthorized access to GitHub internal repositories reported; TeamPCP claims data sale and expands malware campaign

GitHub confirmed the unauthorized access to internal repositories stemmed from a trojanized Nx Console VS Code extension installed by an employee, which was live on the Visual Studio Marketplace for only eighteen minutes before removal. The extension, poisoned via a developer’s compromised system linked to the TanStack supply chain attack, executed a stealthy credential stealer targeting data from 1Password, Anthropic Claude Code, npm, GitHub, and AWS. GitHub’s Chief Information Security Officer stated there is no evidence of impact to customer data stored outside internal repositories, and the company has rotated critical secrets as part of containment. TeamPCP claimed responsibility, offering the alleged GitHub data dump for sale with a minimum price of $50,000 and threatening free release if no buyer is found. TeamPCP expanded operations by compromising the durabletask PyPI package with a Linux infostealer targeting credentials across cloud environments and forming partnerships with extortion and ransomware actors including Lapsus$ and Vect ransomware. Grafana Labs confirmed a breach was caused by a missed GitHub workflow token rotation following the TanStack npm supply-chain attack, resulting in the exfiltration of operational information such as business contact names and email addresses without compromising customer production systems. GitHub has now explicitly linked the breach vector to the TanStack npm supply-chain attack, which compromised dozens of TanStack and Mistral AI packages and leaked developer GitHub credentials via the GitHub CLI (gh), enabling the poisoning of the Nx Console extension used in the intrusion.

AWS GovCloud administrative credentials exposed via contractor-managed public GitHub repository

A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) exposed credentials for multiple highly privileged AWS GovCloud accounts and internal CISA systems via a public GitHub repository named "Private-CISA" over an extended period. The repository contained plaintext passwords, cloud keys, tokens, logs, and software deployment details, enabling potential lateral movement within CISA’s internal networks. The exposure was first reported by GitGuardian researcher Guillaume Valadon on May 15, 2026, and the repository was taken offline shortly thereafter, though exposed AWS keys remained valid for an additional 48 hours. CISA has stated there is no indication of sensitive data compromise resulting from this incident. The contractor, employed by Nightwing, used the repository as an informal synchronization mechanism between work and personal environments, disabling GitHub’s default secrets detection features.

Compromised node-ipc npm Package Versions Deploy Stealer Payload via Obfuscated Backdoor

Three legitimate versions of the widely used node-ipc npm package (9.1.6, 9.2.3, and 12.0.1) were republished with malicious stealer/backdoor code by an unauthorized maintainer account named 'atiertant', triggering on require('node-ipc') and exfiltrating developer and cloud secrets to a rogue C2 server. The attack features novel evasion tactics including DNS-based exfiltration via a fake Azure-themed domain (sh.azurestaticprovider[.]net), conditional payload execution in version 12.0.1, and targeted collection of 90 categories of credentials. This incident follows a prior 2022 protest-related compromise where the original maintainer added destructive capabilities to versions 10.1.1 and 10.1.2 targeting systems in Russia or Belarus, yet node-ipc retains over 690,000 weekly downloads. Security vendors (Socket, Ox Security, Upwind) confirmed the malicious nature of the affected versions, which skip large files and avoid scanning .git and node_modules directories to reduce operational noise.

Credential theft campaign PCPJack leverages five CVEs for cloud propagation and eviction of TeamPCP artifacts

PCPJack continues to propagate as a worm-like credential theft framework across Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, now confirmed to deliberately evict TeamPCP artifacts before executing its payload. The framework remains attributed to a former TeamPCP operator leveraging intimate knowledge of the group’s tooling, with targeting patterns mirroring TeamPCP’s early campaigns from December 2025. Unlike TeamPCP’s earlier operations, PCPJack avoids cryptocurrency mining despite targeting crypto credentials, focusing instead on monetization via credential theft, fraud, spam, extortion, or resale. SentinelLabs analysis indicates PCPJack’s orchestrator script (worm.py) uses Telegram for C2 and propagates via Common Crawl parquet files, while a secondary shell script (check.sh) deploys Sliver-based backdoors across x86_64, x86, and ARM architectures and scans cloud environments for credentials tied to multiple service providers.

Quasar Linux (QLNX) multi-stage implant targeting developer environments with rootkit, backdoor, and credential-harvesting capabilities

A previously undocumented Linux implant named Quasar Linux (QLNX) has been identified targeting software developers' systems in development and DevOps environments across npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX combines rootkit, backdoor, and credential-harvesting capabilities to establish stealthy, fileless persistence and enable potential supply-chain attacks. The malware dynamically compiles rootkit shared objects and PAM backdoors on target hosts using gcc, employs seven persistence mechanisms, and uses dual-layer stealth techniques including userland LD_PRELOAD rootkits and kernel-level eBPF components. QLNX features a 58-command RAT core, credential harvesting targeting 10+ configuration files (.npmrc, .pypirc, .aws/credentials, .kube/config, .env, etc.), surveillance, networking and lateral movement, process injection, and filesystem monitoring modules. Targeting developer workstations allows bypass of enterprise security controls and access to credentials underpinning software delivery pipelines, enabling attackers to push poisoned packages to public registries or pivot through CI/CD pipelines.