{"id":254846,"date":"2026-05-19T11:36:00","date_gmt":"2026-05-19T15:36:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/mini-shai-hulud-returns-compromising-hundreds-of-npm-packages\/"},"modified":"2026-05-25T08:55:25","modified_gmt":"2026-05-25T12:55:25","slug":"mini-shai-hulud-returns-compromising-hundreds-of-npm-packages","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/mini-shai-hulud-returns-compromising-hundreds-of-npm-packages\/","title":{"rendered":"Mini Shai-Hulud returns, compromising hundreds of npm packages"},"content":{"rendered":"<p><a href=\"https:\/\/cyberscoop.com\/mini-shai-hulud-malware-npm-packages-compromised-again\/\">Mini Shai-Hulud returns, compromising hundreds of npm packages<\/a><\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/mini-shai-hulud-malware-npm-packages-compromised-again\/\">https:\/\/cyberscoop.com\/mini-shai-hulud-malware-npm-packages-compromised-again\/<\/a><\/p>\n<p>Publish Date: 2026-05-19 11:36:00<\/p>\n<p>Source Domain: cyberscoop.com<\/p>\n<p>A self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, this time embedding itself across hundreds of npm packages. The threat actor behind it, identified as TeamPCP, has been linked to earlier waves of the same campaign, with this latest variant more capable than previous waves.<\/p>\n<p>Researchers analyzing the payload found a worm that spreads autonomously, installs persistent backdoors at the operating system level, and is specifically engineered to survive the most common first response: removing the package.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-how-the-attack-works\">How the attack works<\/h4>\n<p>The malware executes the moment an affected software package is installed, whether in a developer\u2019s local environment or inside a CI\/CD pipeline. 
A hook fires before any other step, giving the payload immediate access to the machine.<\/p>\n<p>It harvests GitHub tokens, npm tokens, SSH keys, cloud provider credentials, and database connection strings. In automated build environments, it uses the pipeline\u2019s own trusted identity to obtain publishing credentials, allowing it to push poisoned package versions to the registry under a legitimate maintainer\u2019s name. The stolen data is sent to attacker-controlled GitHub repositories.<\/p>\n<p>After it steals a publishing token, the malware checks every package that token can access, adds its code to those packages, and publishes new poisoned versions using the maintainer\u2019s account. One infected CI runner \u2014 the machine or virtual server that automatically builds, tests and publishes code for a project \u2014 can therefore taint every package that runner is allowed to publish. It also searches a developer\u2019s computer for other Node.js projects and copies itself into them, so a single infected install can compromise an entire workstation.<\/p>\n<p>\u201cIf any of the affected packages ran in your environment, treat the machine or runner as exposed until secrets are rotated, persistence artifacts are removed, and recent publish activity has been reviewed,\u201d Aikido Security&#8230;<\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/mini-shai-hulud-malware-npm-packages-compromised-again\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mini Shai-Hulud returns, compromising hundreds of npm packages https:\/\/cyberscoop.com\/mini-shai-hulud-malware-npm-packages-compromised-again\/ Publish Date: 2026-05-19 11:36:00 Source 
Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":254847,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2026\/05\/GettyImages-2209944243.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,34],"class_list":["post-254846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/254846"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=254846"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/254846\/revisions"}],"predecessor-version":[{"id":254848,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/254846\/revisions\/254848"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/254847"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=254846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=254846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=254846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}