Skip to main content

Briefing Zero-days CVEs IOCs NewsActors Vendors Licenses Help

⌘+KWorkspace→

Real-time security intelligence — KEV, CVEs, exploits, threat actors and IOCs unified into one live view.

Sources Status API docs Licenses Help Security disclosure

© 2026 ZeroDayAttack · Public data from CISA · NIST · MITRE · FIRST · OSV · GitHub · abuse.ch — not a security advisory.

Built by Kiril Urbonas

ZeroDayAttack — AppSec intelligence aggregator

Search

111 results

For "Shai-Hulud" across CVEs, vendor advisories, threat actors, IOCs, security research, and news. Also searching: npm, supply chain, tinycolor

All111 Vulnerabilities50 Threat actors0 Vendor advisories0 Research50 News11 IOCs0

Instant answer

shai-hulud

npm self-replicating supply-chain worm targeting popular packages, Sept-Oct 2025+.

Search "npm"Search "supply chain"Search "tinycolor"Search "self-replicating worm"

Research

50

wiz
Miasma: Supply Chain Attack Targeting RedHat npm Packages
Detect and mitigate malicious npm packages linked to the latest npm supply chain attack, based on the open sourced Mini Shai-Hulud malware.
12 d ago
tenable
Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign
A self-propagating worm has compromised more than 170 npm and PyPI packages, defeating provenance attestation and breaching OpenAI and Mistral AI. Here is what you need to know. Key takeaways Mini Shai-Hulud is a self-propagating wo
23 d ago

The Agent Has Entered the Supply Chain

Software Delivery in the Age of Agents The way software gets built has fundamentally shifted. AI coding agents are no longer just autocomplete on steroids; they're resolving packages, configuring environments, selecting tools, and in some c

Mini Shai-Hulud Hits @antv: 323 npm Packages Compromised Through the atool Maintainer Account

An active supply chain attack has compromised 323 npm packages published under the atool npm maintainer account. The wave sweeps the entire @antv data-visualization organization alongside standalone libraries with wide independent adoption:

Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account

A compromised npm maintainer account triggered an automated burst of over 300 malicious package versions across 323 packages in the AntV data visualization ecosystem, part of the ongoing Mini Shai-Hulud supply chain worm campaign. Here's wh

Mini Shai-Hulud Is Back: 172 npm and PyPI Packages Compromised in Latest Wave

The Mini Shai-Hulud supply chain campaign has resurfaced with its largest wave yet. Over a 48-hour window on May 11-12, 2026, attackers compromised 172 unique packages across 403 malicious versions on npm and PyPI, including high-profile sc

Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised

Detect and mitigate malicious npm packages linked to the latest Mini Shai-Hulud supply chain campaign targeting high-value developer tooling.

TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC to

lightning PyPI Compromise: A Bun-Based Credential Stealer in Python

A malicious release of the lightning PyPI package ships a credential-stealing Bun payload that runs on import. Snyk has a live advisory. Here's what's in the package, what to rotate, and how the payload pattern connects to the Mini Shai-Hul

"A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages

A new npm supply chain attack self-branded "Mini Shai-Hulud" compromised four SAP-ecosystem packages on April 29, 2026. Snyk has live advisories. Here's the technical breakdown, IOCs, and what to do.

Securing the open source supply chain across GitHub

Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on exfiltrating secrets (like API keys) in order to both publish malicious packages from an attacker-controlled machine as well

How threat actors are using self-hosted GitHub Actions runners as backdoors

Using Shai-Hulud as a case study, explore how attackers can abuse GitHub's self-hosted runner infrastructure to establish persistent remote access.

Beyond Detection: Building a Resilient Software Supply Chain (Lessons from the Shai-Hulud Post-Mortem)

The Shai-Hulud npm incident exposed the limitations of reactive security in modern software supply chains. To survive the next major attack, organizations must shift toward a multi-layered strategy of proactive prevention, real-time intelli

Snipping the Long Tail of Shai-Hulud 2.0

Wiz Research reveals the data behind Shai-Hulud's 2.0 long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.

The Holiday Whisper: Shai-Hulud 3.0

A refined variant of the Shai-Hulud malware, dubbed The Golden Path, has been discovered targeting the npm ecosystem during the holiday season. Security teams are encouraged to prioritize structural hardening, such as disabling lifecycle sc

Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact

A deeper look at the Shai-Hulud 2.0 supply chain attack: reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

Shai-hulud 2.0 campaign features a sophisticated variant capable of stealing credentials and secrets from major cloud platforms and developer services, while automating the backdooring of NPM packages maintained by victims. Its advanced tac

SHA1-Hulud, npm supply chain incident

Snyk identified a new supply chain attack in the npm ecosystem, referred to as SHA1-Hulud. We believe this is a second wave of the Shai-Hulud attack. Learn what this attack is and how Snyk is responding.

Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets

Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign. Over 25,000 affected repositories across ~350 unique users.

Return of the Shai-Hulud worm affects over 25,000 GitHub repositories

A newly evolved variant of the Shai-Hulud supply-chain worm is rapidly spreading through backdoored NPM packages, compromising nearly 1,000 packages and leaking credentials from more than 25,000 GitHub repositories since November 24, 2025.

Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware

Detect and mitigate a critical supply chain compromise affecting over 100+ packages, organizations should act urgently.

Miasma: Red Hat Cloud Services npm Packages Hit by a Mini Shai-Hulud-Style Campaign

On June 1, 2026, multiple npm packages in the @redhat-cloud-services scope were published with malicious versions. Each tarball ships a 4.1 MB obfuscated JavaScript file added to package.json as a preinstall hook. The hook runs a multi-stag

Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign - Mini Shai Hulud.

The Axios npm compromise was visible in registry metadata before anyone ran npm install

submitted by /u/GapLimp8396 [link] [comments]

Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp

A new npm worm is abusing binding.gyp to trigger node-gyp during install, letting malicious packages run code without lifecycle scripts. It steals credentials, persists in GitHub, and self-propagates across maintainers.

Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign

In this article Attack chain overview Mitigation and protection guidance Learn more Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under

The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)

Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The post The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) appeared first on Un

Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages

A supply chain worm dubbed Miasma has been found in dozens of @redhat-cloud-services npm releases. The malicious preinstall hook steals credentials, probes cloud identities, and can republish other packages.

Malicious npm packages abuse dependency confusion to profile developer environments

In this article Attack chain overview Threat actor attribution Mitigation and protection guidance Indicators of Compromise (IOC) References Learn more Microsoft Threat Intelligence has uncovered an active supply chain attack involving malic

Malicious npm packages abuse dependency confusion to profile developer environments

In this article Attack chain overview Threat actor attribution Mitigation and protection guidance Indicators of Compromise (IOC) References Learn more Microsoft Threat Intelligence has uncovered an active supply chain attack involving malic

Typosquatted npm packages used to steal cloud and CI/CD secrets

In this article Attack chain overview The lure: typosquats and spoofed metadata Execution: npm lifecycle hook abuse Gen-1 stager: HTTP C2 beacon and payload drop Gen-2 stager: abusing the legitimate Bun runtime as a loader Credential theft

Typosquatted npm packages used to steal cloud and CI/CD secrets

In this article Attack chain overview The lure: typosquats and spoofed metadata Execution: npm lifecycle hook abuse Gen-1 stager: HTTP C2 beacon and payload drop Gen-2 stager: abusing the legitimate Bun runtime as a loader Credential theft

Download pumping: New npm deception technique for supply chain attacks

Learn how attackers exploit automated bot traffic as part of software supply chain attacks to artificially inflate download counters and mask malicious payloads as legitimate. Key takeaways Volume doesn't equal trust. Packages with nu

Malicious node-ipc versions published to npm in suspected maintainer account compromise

On May 14, 2026, multiple malicious versions of the popular npm package node-ipc were published to the npm registry. Current public reporting identifies node...

PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers

Mend.io's security research team has identified a previously undocumented fifth wave of the PhantomRaven campaign, an ongoing NPM supply chain attack that has been stealing developer credentials and secrets since August 2025. This new wave

Tradecraft Tuesday Recap: axios npm Supply Chain Compromise

A few weeks after the major axios npm supply chain attack, a group of researchers from Huntress, Wiz, and Aikido Security debriefed on the compromise's lasting impacts.

Supply Chain Compromise of axios npm Package

An NPM supply chain attack struck the ubiquitous open-source axios library and Huntress has observed over a hundred affected devices.

Axios NPM Distribution Compromised in Supply Chain Attack

A compromised axios maintainer account led to malicious npm releases that propagated across environments. Learn how to assess impact, detect compromise, and secure your development workflows.

Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads

A supply chain attack hit Axios when attackers used stolen npm credentials to publish malicious versions containing a phantom dependency. This triggered a cross-platform RAT during installation and replaced its files with clean decoys, maki

Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT

Meta description: Malicious versions of the Axios npm package (1.14.1 and 0.30.4) were published via a compromised maintainer account, injecting a hidden dependency that deploys a cross-platform remote access trojan. Here's what happened, w

Automated Package-Publication Incident IndonesianFoods in the NPM Ecosystem Linked to Crypto Reward-Farming Scam

In November 2025, a large-scale surge of package publications on the NPM registry with similar structures and naming patterns was discovered. Understand the details of the incident.

Phishing Campaign Leveraging the NPM Ecosystem

A new phishing campaign weaponizes NPM and the unpkg CDN. Over 175 throwaway packages are used to host scripts that redirect users to credential-harvesting sites. The attack targets enterprise employees through the browser, not developers a

Malicious MCP Server on npm postmark-mcp Harvests Emails

Urgent security alert: On September 25, 2025, the npm package 'postmark-mcp' was compromised, secretly exfiltrating email contents. Learn about the incident timeline, impact, and immediate mitigation steps, including uninstalling, rotating

What We Know About the NPM Supply Chain Attack

Trend™ Research outlines the critical details behind the ongoing NPM supply chain attack and offers essential steps to stay protected against potential compromise.

Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack

A supply chain attack hit the ngx-bootstrap npm package, embedding malware to steal developer credentials. See affected versions (e.g., 20.0.4-6, 19.0.3) and our playbook to contain the threat and rotate compromised secrets.

Widespread npm Supply Chain Attack: Breaking Down Impact & Scope Across Debug, Chalk, and Beyond

A deeper look at the npm debug/chalk supply-chain incident: deobfuscating the wallet-hijacking browser interceptor, quantifying the ~2-hour exposure with Wiz telemetry (~99% package prevalence, ~10% malware presence), and unpacking what mad

npm Supply Chain Attack via Open Source maintainer compromise

On Monday, September 8th, a highly regarded open source developer, ~qix, was compromised via a phishing email.

Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware

Urgent warning: Maintainers of popular npm packages like ESLint Prettier Plugin were attacked via an npm supply chain malware incident. Learn about the typosquatting, phishing, and impacted packages, plus essential steps to protect your pro

Best Practices for Creating a Modern npm Package with Security in Mind

In this tutorial, we're going to walk step by step through creating an npm package using modern best practices (as of 2022).

Lottie Player npm package compromised for crypto wallet theft

On October 31st, 2024, another package compromise and cryptocurrency hijack story unfolded for a popular npm package. Scan open source dependencies and container images in the CLI or your SCM with Snyk to determine if you're using one of th