Mini Shai Hulud supply chain incidents
Smaller copycat campaigns reusing parts of the Shai-Hulud playbook (credential-stealing install scripts and token-based republication) against npm packages, at a more limited scale than the original worm.
Also tracked as: Mini Shai-Hulud, Mini-Shai-Hulud
7 confirmed incidents publicly associated with this group. Attribution reflects what the cited sources state; it is recorded for filtering, not asserted by this site.
Status: active. Severity: high.
Miasma: Supply Chain Attack Targeting RedHat npm Packages
Miasma is a supply chain attack targeting RedHat npm packages, leveraging malicious npm packages based on the open-sourced Mini Shai-Hulud malware. Specific affected packages and versions were not disclosed in the available source text.
Tags: Mini Shai Hulud, npm, Compromised package
Status: active. Severity: critical.
Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem
A new wave of the Mini Shai-Hulud worm has compromised multiple npm packages across Alibaba's AntV data visualization ecosystem, including echarts-for-react and timeago.js. Stolen CI/CD secrets are being exfiltrated and dumped to thousands of public GitHub repositories as the attack spreads.
Tags: Mini Shai Hulud, npm, Other, Compromised package, Account takeover
Status: active. Severity: high.
Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised
A supply chain campaign called "Mini Shai-Hulud" has compromised multiple npm packages, including high-value TanStack developer tooling. The campaign appears to be an ongoing effort targeting critical npm infrastructure.
Tags: Mini Shai Hulud, npm, Compromised package
Status: active. Severity: critical.
TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages
The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. The attack was first detected by StepSecurity in official @tanstack packages and is spreading across the npm ecosystem in real time.
Tags: TeamPCP, Mini Shai Hulud, npm, Other, Compromised package, Build-system compromise
Status: active. Severity: high.
A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages
StepSecurity identified an npm supply chain attack campaign targeting SAP-ecosystem packages using preinstall hooks to download and execute an obfuscated Bun runtime payload. At least two SAP-related npm packages have been confirmed compromised in this active campaign.
Tags: Mini Shai Hulud, npm, Compromised package
Status: contained. Severity: high.
lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel
The lightning PyPI package versions 2.6.2 and 2.6.3 were compromised on April 30, 2026, containing obfuscated JavaScript code designed to steal credentials. The project's GitHub account showed signs of compromise, with suspicious responses closing vulnerability reports.
Tags: Mini Shai Hulud, PyPI, Compromised package, Malicious maintainer
Status: active. Severity: high.
Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
A supply chain campaign dubbed "Mini Shai Hulud" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.
Tags: Mini Shai Hulud, Shai-Hulud, npm, Compromised package, Malicious commit