Identity, Decentralized identity and verifiable credentials, Application security

New Mini Shai-Hulud attack targets npm ecosystem

(Credit: Araki Illustrations – stock.adobe.com)

A new Mini Shai-Hulud campaign has attacked 323 unique npm packages, GitHub actions, and one single VS Code extension.

In a May 19 blog post, Socket researchers said all of the new observed activity was in the npm ecosystem, with the bulk of the activity concentrated in @antv package.

Guillaume Valadon, staff cybersecurity researcher at GitGuardian, explained that the Mini Shai‑Hulud attacks weaponize trusted development artifacts such as npm packages, GitHub Actions, and a VS Code extension to steal cloud, GitHub, and Kubernetes secrets from developer machines and CI/CD pipelines.

“Each vector amplifies the risk: npm packages land in countless environments, Actions run with elevated permissions, and VS Code extensions can read local files and credentials, giving attackers a direct path to pivot across the entire org,” said Valadon. “Security teams should treat any system that installed a malicious version as compromised.”

Much like previous Mini Shai-Hulud attacks, the harvested credentials were exfiltrated through GitHub repos and via a fallback server, which reportedly points to TeamPCP executing the attack.

Amir Khayat, co-founder and CEO of Vorlon, said this attack represents the third wave of TeamPCP’s campaign. Khayat said TeamPCP has been running credential-chain attacks since March.

“The pattern is consistent: compromise one trusted tool, steal the credentials it touches in CI/CD, use those credentials to compromise the next trusted tool,” said Khayat. “The 323 packages is not the breach. It’s the blast radius of one stolen maintainer token. And, the packages with millions of weekly downloads are not the target. They are the distribution channel. The target is every developer environment that runs npm install.”

Khayat added that the actions-cool/issues-helper compromise matters because of what GitHub Actions can see: CI/CD runners hold secrets in memory — cloud credentials, registry tokens, API keys — and most organizations have no behavioral monitoring on those runners. Khayat said the worm reads them directly from process memory, including values that are masked in logs.

“Security teams need to understand that a GitHub Actions workflow is not a script,” said Khayat. “It’s a privileged identity with access to your entire deployment pipeline. Most organizations govern it like a configuration file.”

Finally on the VS Code extension compromise, Khayat said the Nx Console compromise was live for just 11 minutes and in that window, the malware reached for GitHub tokens, AWS credentials, Kubernetes configs, HashiCorp Vault tokens, and Claude Code credentials. It then installed a persistent backdoor and attempted to forge SLSA provenance to poison downstream builds.

“The malware specifically targeted Claude Code's configuration files — ~/.claude/settings.json, ~/.claude/mcp.json,” said Khayat. “It installed a persistence hook that re-executes the credential stealer every time a Claude Code session starts. Your AI coding assistant is now an ongoing exfiltration vector. This is the first time we have seen a supply chain payload designed specifically to harvest AI tool credentials and MCP server configurations. It will not be the last.”

Phil Wylie, chief security evangelist at Suzu Labs, added that this latest Mini Shai-Hulud wave shows why software supply chain attacks have become one of the most dangerous threats facing modern enterprises. Wylie said the attackers didn’t target firewalls or endpoints first, they targeted trust: By compromising widely used npm packages, GitHub Actions workflows, and even a VS Code extension, they inserted themselves directly into the developer pipeline where organizations implicitly trust code, automation, and tooling.

“The npm package compromise is especially concerning because many of the affected libraries sit deep inside dependency chains tied to visualization frameworks, CI/CD tooling, and front-end applications,” said Wylie. “A single poisoned package can cascade into thousands of downstream environments almost instantly. In this campaign, the malware reportedly executed during package installation through malicious preinstall hooks, allowing credential theft and persistence before many security tools could even react.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds