Storyline
Shai-Hulud NPM Supply Chain Attack Campaign
Threat actors have launched a coordinated supply chain attack campaign called Shai-Hulud targeting NPM packages, compromising over 600 malicious packages across multiple ecosystems including TanStack and AntV, and leveraging compromised maintainer accounts to distribute malware to developers. The campaign also enabled secondary attacks, including a breach of GitHub's internal repositories through a compromised Nx Console VS Code extension.
This is a long-running storyline that has developed over 25 days. The homepage highlights its most recent activity, so the outlet count there reflects the latest wave. The totals above cover the full run.
Shai-Hulud (threat actor)NPM (Node Package Manager)TanStackAntV ecosystemGitHub
2026-06-01
- Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week
- Red Hat npm packages compromised to steal developer credentials
- Dozens of Red Hat packages backdoored through its official NPM channel
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
- OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
2026-05-29
2026-05-27
2026-05-25
2026-05-23
- Laravel Lang packages hijacked to deploy credential-stealing malware
- npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
- Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
- Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer
2026-05-21
2026-05-20
2026-05-19
- Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack
- Mini Shai-Hulud returns, compromising hundreds of npm packages
- New Shai-Hulud malware wave compromises 600 npm packages
- Shai-Hulud keeps burrowing: 314 npm packages infected after another account compromise
- Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised
- Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
2026-05-18
- Shai-Hulud copycat worm infects yet another npm package
- Leaked Shai-Hulud malware fuels new npm infostealer campaign
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
- Developer Workstations Are Now Part of the Software Supply Chain
- Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware