The latest series of attacks using the notorious Shai-Hulud worm puts into sharp focus the threats facing software developers and their CI/CD pipelines, an issue that has been raised in recent months as bad actors increasingly turn their attention to DevOps environments.
That said, these most recent Shai-Hulud incidents attributed to the TeamPCP group also reflect the trend toward abusing trust, a key point given the extensive connectivity between corporate ecosystems and development platforms.
“Shai-Hulud should be understood less as a one-off package compromise and more as an evolving supply-chain playbook,” said Jonathan Stross, SAP security analyst at Pathlock.
Earlier waves of Shai-Hulud attacks in 2025 and this year focused on stealing developer and maintainer credentials and using them to publish more malicious packages. In the latest incidents – referred to as “Mini Shai-Hulud” – the threat group abused trusted CI/CD publishing paths and OpenID Connect (OIDC) tokens, meaning that malicious package versions still carried valid provenance attestations.
“In other words, some of the signals defenders increasingly rely on to establish trust were present, even though the package content was malicious,” Stross said.
Chuck Randolph, senior vice president for strategic intelligence and security at 360 Privacy, said organizations, their development teams, and code repositories need to recognize and prepare for such campaigns, which build on the trend over the past several years of abusing identities.
“Modern attacks increasingly exploit trust rather than simply targeting vulnerabilities,” Randolph said. “Whether it is software ecosystems, digital identities, or interconnected platforms, adversaries are learning to weaponize trusted relationships to gain speed, scale, and operational access.”
Broad Exposure
What organizations need to take away from all this is that “the attack surface is no longer limited to a single system or user,” he added. “Exposure now exists across entire ecosystems, where one compromised relationship, credential, or trusted platform can create cascading downstream effects. The broader lesson is that digital exposure and operational risk are becoming increasingly interconnected.”
Researchers with a number of security firms, including Endor Labs, Aikido, Socket, and StepSecurity, wrote reports in recent days outlining the latest round of attacks that involve compromised npm and PyPI packages from a range of companies, including Mistral AI, Guardrails AI, TanStack, and UiPath.
TeamPCP emerged last year, targeting cloud-native environments with automated supply-chain attacks that plant malware in software updates, infecting the organizations that download them. In this campaign, the threat actors acquired broad permissions in GitHub Actions workflows and made their payload appear to be an initialization module.
Stealing Credentials and Secrets
An obfuscated JavaScript file planted in the npm packages looks for secret files and SSH keys and steals credentials – including security keys and passwords – and targets high-profile cloud players like Google Cloud Platform, Amazon Web Services, HashiCorp Vault, and Kubernetes, as well as AI tools, messaging apps, and cryptocurrency wallets.
In line with other TeamPCP attacks, the malware creates a ransom note and threatens to wipe the computer of its data if the victim tries to revoke the compromised access.
Jason Soroko, Senior Fellow at Sectigo, noted that the “latest wave adopts a stealthier execution model. By bundling a JavaScript payload within the package tarball and utilizing an optional GitHub dependency to trigger execution via the Bun runtime, the attackers bypass traditional static scanning.”
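As an added example (not code from the researchers or vendors quoted here), the following Node.js check flags the two manifest traits Soroko describes: an optional dependency that resolves to a git host rather than the registry, and an install-time script that invokes Bun. The manifests and package names are constructed, and the idea that Bun appears by name in a lifecycle script is an assumption made for the heuristic.

```javascript
// Added example: heuristic audit of a parsed package.json object.
// All manifests and names below are constructed samples, not real packages.

// Scripts npm can run while installing a package (prepare also runs for git deps).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// npm accepts several specifier forms that fetch code from a git host, URL or
// local path instead of a published, versioned registry tarball.
function isNonRegistrySpec(spec) {
  if (/^(git@|git(\+(ssh|https?|file))?:|github:|gitlab:|bitbucket:|https?:|file:)/i.test(spec)) {
    return true;
  }
  // Bare "owner/repo" or "owner/repo#ref" shorthand resolves to GitHub.
  return /^[\w.-]+\/[\w.-]+(#.+)?$/.test(spec);
}

function auditManifest(manifest) {
  const findings = [];
  for (const [name, spec] of Object.entries(manifest.optionalDependencies || {})) {
    if (isNonRegistrySpec(String(spec))) {
      findings.push({ rule: "optional-dep-non-registry", detail: `${name} -> ${spec}` });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    // Assumption: the alternate runtime is named in the hook ("bun" or "bunx").
    if (typeof cmd === "string" && /(^|[\s;&|/])bunx?(\s|$)/.test(cmd)) {
      findings.push({ rule: "install-hook-runs-bun", detail: `${hook}: ${cmd}` });
    }
  }
  return findings;
}

const CLEAN_MANIFEST = {
  name: "example-clean",
  optionalDependencies: { fsevents: "^2.3.3" },
  scripts: { test: "node test.js", prepare: "npm run bundle" },
};
const SUSPECT_MANIFEST = {
  name: "example-suspect",
  optionalDependencies: { "helper-init": "github:example-org/helper-init#0a1b2c3" },
  scripts: { preinstall: "bun run setup.js" },
};

for (const m of [CLEAN_MANIFEST, SUSPECT_MANIFEST]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

A hit is a prompt for review rather than a verdict: legitimate packages also use git dependencies, and a payload bundled in the tarball still needs content inspection.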
Same Goals, Bigger Scale
Aikido security researcher Raphael Silva wrote in a report that the vendor’s malware team detected 737 malicious package-version entries across 169 npm package names. The campaign echoes another one involving Shai-Hulud last month that targeted SAP packages.
“The basic goal is still the same: steal credentials from developer machines and CI/CD runners, then use those credentials to reach more packages,” Silva wrote. “What changed is the scale and the release path. This wave does not just look like someone manually publishing bad versions. The malware is built to run inside build systems, steal npm and GitHub access, and abuse trusted publishing paths to push new compromised packages. … This is the follow-up: the same idea, but with a much bigger blast radius.”
‘The Worm is Iterating’
Peyton Kennedy, security researcher with Endor Labs, wrote that Mini Shai-Hulud is not only getting larger, but also more technically sophisticated with each campaign. For example, the four SAP packages became 84 TanStack packages in two weeks, and the static-token and OIDC branch-push vectors in the SAP campaign now include “a new orphaned-commit-through-a-fork technique that bypasses branch protection rules while still yielding a legitimate OIDC-derived publish token,” Kennedy wrote.
“The underlying truth of this campaign arc remains unchanged: provenance tells you where a package was built, not whether the build was authorized,” he wrote. “OIDC trusted publishing removes the need for long-lived tokens, but introduces a new trust surface — the scope of what workflows and commits can request those tokens. Narrowing that scope to the minimum required is the control that closes this class of attack.”
“The worm is iterating. Defenders need to as well,” Kennedy wrote.
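One way to express the scope-narrowing control Kennedy describes, as an added example that is not code from Endor Labs or any registry: a policy check over GitHub Actions OIDC claims that only allows a publish token when the repository, workflow file, ref, event and commit all match a pinned policy. The policy values, claim sets and the notion of a "protected history" commit list are constructed assumptions; signature verification of the token is assumed to have happened already.

```javascript
// Added example. Claims are assumed to be signature-verified and decoded
// upstream; the policy values and both claim sets are constructed samples.
const PUBLISH_POLICY = {
  repository: "example-org/example-pkg",
  workflowPath: ".github/workflows/release.yml",
  allowedRefs: [/^refs\/heads\/main$/, /^refs\/tags\/v\d+\.\d+\.\d+$/],
  allowedEvents: ["push", "release"],
  // Commits reachable from the protected branch (constructed placeholder).
  protectedHistory: new Set(["1".repeat(40)]),
};

function evaluateClaims(claims, policy) {
  const reasons = [];
  const refAllowed = (ref) => policy.allowedRefs.some((re) => re.test(String(ref)));
  if (claims.repository !== policy.repository) reasons.push("repository");
  // workflow_ref is "<owner>/<repo>/<path>@<ref>": pin the file and its ref.
  const wf = String(claims.workflow_ref || "");
  const at = wf.indexOf("@");
  const wfPath = at < 0 ? wf : wf.slice(0, at);
  const wfRef = at < 0 ? "" : wf.slice(at + 1);
  if (wfPath !== `${policy.repository}/${policy.workflowPath}`) reasons.push("workflow path");
  if (!refAllowed(wfRef)) reasons.push("workflow ref");
  if (!refAllowed(claims.ref)) reasons.push("ref");
  if (String(claims.ref_protected) !== "true") reasons.push("ref not protected");
  if (!policy.allowedEvents.includes(claims.event_name)) reasons.push("event");
  // Valid provenance can still point at a commit nobody merged; check it.
  if (!policy.protectedHistory.has(claims.sha)) reasons.push("commit not in protected history");
  return { allowed: reasons.length === 0, reasons };
}

const RELEASE_CLAIMS = {
  repository: "example-org/example-pkg",
  workflow_ref: "example-org/example-pkg/.github/workflows/release.yml@refs/heads/main",
  ref: "refs/heads/main", ref_protected: "true", event_name: "push",
  sha: "1".repeat(40),
};
// Same repository and workflow file, but an unprotected ref and unknown commit.
const UNREVIEWED_CLAIMS = {
  repository: "example-org/example-pkg",
  workflow_ref: "example-org/example-pkg/.github/workflows/release.yml@refs/heads/tmp-branch",
  ref: "refs/heads/tmp-branch", ref_protected: "false", event_name: "push",
  sha: "2".repeat(40),
};

console.log(evaluateClaims(RELEASE_CLAIMS, PUBLISH_POLICY));
console.log(evaluateClaims(UNREVIEWED_CLAIMS, PUBLISH_POLICY));
```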

