Identity , Decentralized identity and verifiable credentials New Mini Shai-Hulud attack targets npm ecosystem May 20, 2026 Share By Steve Zurier (Credit: Araki Illustrations – stock.adobe.com) A new Mini Shai-Hulud campaign has attacked 323 unique npm packages , GitHub actions , and one single VS Code extension. In a May 19 blog post , Socket researchers said all of the new observed activity was in the npm ecosystem, with the bulk of the activity concentrated in @antv package. Guillaume Valadon, staff cybersecurity researcher at GitGuardian, explained that the Mini Shai‑Hulud attacks weaponize trusted development artifacts such as npm packages, GitHub Actions, and a VS Code extension to steal cloud, GitHub, and Kubernetes secrets from developer machines and CI/CD pipelines. “Each vector amplifies the risk: npm packages land in countless environments, Actions run with elevated permissions, and VS Code extensions can read local files and credentials, giving attackers a direct path to pivot across the entire org,” said Valadon. “Security teams should treat any system that installed a malicious version as compromised.” Much like previous Mini Shai-Hulud attacks, the harvested credentials were exfiltrated through GitHub repos and via a fallback server, which reportedly points to TeamPCP executing the attack. Amir Khayat, co-founder and CEO of Vorlon, said this attack represents the third wave of TeamPCP’s campaign. Khayat said TeamPCP has been running credential-chain attacks since March. “The pattern is consistent: compromise one trusted tool, steal the credentials it touches in CI/CD, use those credentials to compromise the next trusted tool,” said Khayat. “The 323 packages is not the breach. It’s the blast radius of one stolen maintainer token. And, the packages with millions of weekly downloads are not the target. They are the distribution channel. The target is every developer environment that runs npm install.” Khayat added that the actions-cool/issues-helper compromise matters because of what GitHub Actions can see: CI/CD runners hold secrets in memory — cloud credentials, registry tokens, API keys — and most organizations have no behavioral monitoring on those runners. Khayat said the worm reads them directly from process memory, including values that are masked in logs. “Security teams need to understand that a GitHub Actions workflow is not a script,” said Khayat. “It’s a privileged identity with access to your entire deployment pipeline. Most organizations govern it like a configuration file.” Finally on the VS Code extension compromise, Khayat said the Nx Console compromise was live for just 11 minutes and in that window, the malware reached for GitHub tokens, AWS credentials, Kubernetes configs, HashiCorp Vault tokens, and Claude Code credentials. It then installed a persistent backdoor and attempted to forge SLSA provenance to poison downstream builds. “The malware specifically targeted Claude Code's configuration files — ~/.claude/settings.json, ~/.claude/mcp.json,” said Khayat. “It installed a persistence hook that re-executes the credential stealer every time a Claude Code session starts. Your AI coding assistant is now an ongoing exfiltration vector. This is the first time we have seen a supply chain payload designed specifically to harvest AI tool credentials and MCP server configurations. It will not be the last.” Phil Wylie, chief security evangelist at Suzu Labs, added that this latest Mini Shai-Hulud wave shows why software supply chain attacks have become one of the most dangerous threats facing modern enterprises. Wylie said the attackers didn’t target firewalls or endpoints first, they targeted trust: By compromising widely used npm packages, GitHub Actions workflows, and even a VS Code extension, they inserted themselves directly into the developer pipeline where organizations implicitly trust code, automation, and tooling. “The npm package compromise is especially concerning because many of the affected libraries sit deep inside dependency chains tied to visualization frameworks, CI/CD tooling, and front-end applications,” said Wylie. “A single poisoned package can cascade into thousands of downstream environments almost instantly. In this campaign, the malware reportedly executed during package installation through malicious preinstall hooks, allowing credential theft and persistence before many security tools could even react.” Steve Zurier Related Identity The AiTM problem nobody’s architecture actually solves Alan LeFort May 20, 2026 Accountability becomes the big issue following a breach – does the team know who’s responsible for what? Identity Microsoft to phase out SMS authentication for account recovery SC Staff May 20, 2026 Microsoft has announced it will begin phasing out SMS-based authentication and account recovery, citing it as a leading source of fraud. Identity Stolen UK data, including bank cards and IDs, is cheap on the dark web, NordVPN reports SC Staff May 18, 2026 Stolen UK payment card details are commonly available on dark web marketplaces for approximately $12, with comprehensive digital identity packs fetching around $40. Related Events Cybercast IAM for MSSPs: Real-World Deployments On-Demand Event Cybercast Privilege risk is in the lifecycle: A CISO discussion on modernizing identity control On-Demand Event Cybercast The industrialization of identity compromise On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Access Matrix Basic Authentication Biometrics Certificate-Based Authentication Challenge-Handshake Authentication Protocol (CHAP) Digest Authentication Digital Certificate Discretionary Access Control (DAC) You can skip this ad in 5 seconds