Identity , Decentralized identity and verifiable credentials ‘Mini’ Shai-Hulud attack compromises hundreds of npm, PyPI packages May 12, 2026 Share By Steve Zurier (Adobe Stock) A new so-called “Mini” Shai‑Hulud supply chain attack wave attributed to TeamPCP shows a clear escalation in how software supply chain attacks are executed and how trust gets systematically undermined. The latest attack compromised hundreds of packages across npm and PyPI, delivering credential-stealing malware targeting developers. These attacks compromised TanStack and Mistral AI packages and then extended to other frameworks, such as Guardrails AI, UiPath, and OpenSearch. What makes this incident different was that the attacker hijacked valid OpenID Connect (OIDC) tokens to publish malicious package versions with verifiable provenance attestation, the industry standard SLSA Build Level 3. This means that all standard integrity and signature checks would still pass even though the code was malicious. “The recent Mini Shai-Hulud campaign by TeamPCP represents a severe escalation in software supply chain attacks because it successfully weaponizes trust through compromised OpenID Connect tokens,” said Jason Soroko, a senior fellow at Sectigo. “While earlier iterations from last September relied on preinstall hooks to expose developer secrets, this latest wave adopts a stealthier execution model. By bundling a JavaScript payload within the package tarball and utilizing an optional GitHub dependency to trigger execution via the Bun runtime, the attackers bypass traditional static scanning.” Related reading: SANDWORM_MODE: Shai-Hulud with an AI twist New PackageGate vulnerabilities circumvent Shai-Hulud defenses Nearly $8.5M pilfered from Trust Wallet in Shai Hulud malware attack Boris Cipot, principal security engineer at Black Duck, explained that this campaign has been evolving for several months. Cipot said the original Shai‑Hulud attacks in 2025 introduced the concept of a self‑propagating npm worm that spreads by stealing developer credentials and republishing infected packages. Earlier waves in 2026 targeted high‑value developer tools, then moved to widely used packages such as Bitwarden CLI, where attackers compromised CI pipelines to inject credential‑stealing malware. “What’s different now is the shift toward identity‑based attacks,” said Cipot. “Rather than stealing static credentials like API keys or passwords, attackers execute code inside the CI environment, extract short‑lived OIDC tokens, and act as the trusted build system itself. This completely bypasses many of the defenses that organizations rely on today.” Jacob Krell, senior director at Suzu Labs, said while definitive attribution linking those earlier waves from 2025 to TeamPCP has not been confirmed, TeamPCP specifically has been running a sustained campaign since at least March 2026, starting with LiteLLM on PyPI and spreading to more than a dozen targets before escalating to TanStack and Mistral AI. “The focus has consistently been tooling that handles credentials and sits inside build and release pipelines,” said Krell. Gaetan Ferry, a security researcher at GitGuardian, said today’s news represents a new wave of an already known supply chain attack that started a month ago with the compromise of SAP. Ferry said on the remediation side, it’s important for teams to identify which credentials have been exfiltrated during the malware execution. This requires a proper mapping of corporate credentials throughout the software development environment, including on developer endpoints. “While AI could theoretically be used to that purpose, the most efficient solutions to create such credential maps are currently mainly deterministic,” said Ferry. “Similar to the previous attacks in the same series, the risk lies in the expansion of the compromise. Every compromised open-source package has the potential to increase the number of victims. The more famous the package, the higher the risk, as more people are likely to depend on it.” Ferry added that this new wave managed to propagate into the packages of high-profile targets, including MistralAI and OpenSearch. Those have the potential to trigger a high amount of downstream compromise. Because the malware is a credential harvester, Ferry said the main downstream risk lies in the exfiltration of corporate credentials that attackers could use later in targeted attacks, as we have seen in previous campaigns with the subsequent attacks on europa.eu and other victims. “This is why, once an infection has been identified, it’s of prime importance to identify the compromised credentials and to properly rotate them,” said Ferry. “Doing so requires a good understanding of a company's credential perimeter, both on software build infrastructures and developer endpoints.” Steve Zurier Related Identity SailPoint GitHub repo hit by third-party cyberattack Steve Zurier May 11, 2026 SailPoint says GitHub repo breach exposed no customer data or production systems. Identity Most passwords can be cracked in under a minute, Kaspersky finds SC Staff May 11, 2026 Kaspersky researchers analyzed a dataset of 231 million unique passwords leaked on the dark web between 2023 and 2026. Identity Microsoft Edge password saving practice raises security concerns SC Staff May 8, 2026 The browser reportedly converts saved passwords into plaintext within the computer's memory as soon as the application launches, making them vulnerable to unauthorized access. Related Events Cybercast IAM for MSSPs: Real-World Deployments Mon May 18 Cybercast Privilege risk is in the lifecycle: A CISO discussion on modernizing identity control On-Demand Event Cybercast The industrialization of identity compromise On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Access Matrix Basic Authentication Biometrics Certificate-Based Authentication Challenge-Handshake Authentication Protocol (CHAP) Digest Authentication Digital Certificate Discretionary Access Control (DAC) You can skip this ad in 5 seconds