BeProduct npm package carried Shai-Hulud
Part of the Shai-Hulud hits npm and PyPI campaign
JFrog listed 1 BeProduct npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
Story
BeProduct entered the May 2026 Shai-Hulud wave through one package with a long version trail. JFrog listed eighteen affected releases of @beproduct/nestjs-auth, all under the BeProduct npm namespace, making the package a compact but high-friction cleanup problem for teams that pinned older 0.1.x builds.
The value of the compromise was proximity. Authentication helper packages run in projects that already handle secrets, identity flows, and deployment credentials. In the Shai-Hulud model, an install on a developer machine or CI runner gave the payload a chance to harvest tokens and use any available publishing authority to seed more packages.
This record keeps the BeProduct artifact separate from the campaign rollup because exposure is package-specific. The campaign page carries TeamPCP's shared loader, credential-theft behavior, and propagation logic; this page preserves the exact package name, release list, registry paths, and May 11-12 window.
The practical response is to look for every affected @beproduct/nestjs-auth version in lockfiles, package caches, CI images, and artifact mirrors. Any environment that installed one of those releases should be treated as a credential-exposure point, even if the application using the package never reached production.
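The lockfile part of that check, as an added example (not code from this record or from JFrog): it lists every resolved copy of @beproduct/nestjs-auth in a parsed package-lock.json, covering both the flat `packages` layout and the older nested `dependencies` layout. The affected-version set, the sample lockfile and the `some-lib` dependency are constructed placeholders; fill the set from JFrog's published release list.

```javascript
// Added example: locate every resolved copy of a package in an npm lockfile.
const TARGET = "@beproduct/nestjs-auth";

// Placeholder only: replace with the affected releases from JFrog's list.
const AFFECTED = new Set(["0.1.0-placeholder.1"]);

// Constructed sample lockfile (lockfileVersion 3); "some-lib" is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@beproduct/nestjs-auth": { version: "0.1.0-placeholder.1" },
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/@beproduct/nestjs-auth": {
      version: "0.1.0-placeholder.2",
    },
  },
};

// Returns [{ path, version, affected }] for each install of `name`,
// including transitive copies nested under other dependencies.
function findResolved(lock, name = TARGET, affected = AFFECTED) {
  const hits = [];
  const suffix = "node_modules/" + name;
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith("/" + suffix)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail + "node_modules/" + dep;
      if (dep === name) hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, here + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: affected.has(h.version) }));
}

for (const hit of findResolved(SAMPLE_LOCK)) {
  console.log(hit.affected ? "AFFECTED" : "review  ", hit.version, hit.path);
}
```

A lockfile hit shows only what was resolved for that project; package caches, CI images and artifact mirrors need their own check.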
Affected Artifacts
- Observed: 2026-05-11 to 2026-05-12
- Fixed: Not listed
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: Yes
- Actor: TeamPCP
Notes
- Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.
External References
- Shai-Hulud: Here We Go Again - Worm by TeamPCP Hits NPM and PyPI (research.jfrog.com)
Source record: oss/attacks/shai-hulud-beproduct-npm/meta.yaml