Open Source · 2026-05-11 · 1 day · Credential Theft, Self Propagation

BeProduct npm package carried Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

JFrog listed 1 BeProduct npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.

Story

BeProduct entered the May 2026 Shai-Hulud wave through one package with a long version trail. JFrog listed eighteen affected releases of @beproduct/nestjs-auth, all under the BeProduct npm namespace, making the package a compact but high-friction cleanup problem for teams that pinned older 0.1.x builds.

The value of the compromise was proximity. Authentication helper packages run in projects that already handle secrets, identity flows, and deployment credentials. In the Shai-Hulud model, an install on a developer machine or CI runner gave the payload a chance to harvest tokens and use any available publishing authority to seed more packages.

This record keeps the BeProduct artifact separate from the campaign rollup because exposure is package-specific. The campaign page carries TeamPCP's shared loader, credential-theft behavior, and propagation logic; this page preserves the exact package name, release list, registry paths, and May 11-12 window.

The practical response is to look for every affected @beproduct/nestjs-auth version in lockfiles, package caches, CI images, and artifact mirrors. Any environment that installed one of those releases should be treated as a credential-exposure point, even if the application using the package never reached production.
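As an added example (not part of this record, JFrog's advisory, or BeProduct's own code), a scanner for the lockfile sweep described above. The affected release list is not reproduced on this page, so the AFFECTED_VERSIONS set and the sample lockfile below are placeholders and constructed data; the function handles both the lockfileVersion 2/3 flat "packages" map and the lockfileVersion 1 nested "dependencies" tree, so transitive copies buried under another dependency are reported too.

```javascript
// Package named on this page; the affected release list is NOT on the page, so
// AFFECTED_VERSIONS is an obvious placeholder to be replaced with the eighteen
// 0.1.x releases from JFrog's list.
const PACKAGE = "@beproduct/nestjs-auth";
const AFFECTED_VERSIONS = new Set(["0.1.0-PLACEHOLDER", "0.1.1-PLACEHOLDER"]);

// Return every installed copy of `pkg` whose version is in `affected`, with its
// node_modules path, so nested (transitive) copies are reported too.
function findAffected(lock, pkg = PACKAGE, affected = AFFECTED_VERSIONS) {
  const hits = [];
  const record = (path, entry) => {
    if (entry && affected.has(entry.version)) hits.push({ path, version: entry.version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by path, e.g. "node_modules/a/node_modules/b".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      if (name === pkg) record(path, entry);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkg) record(path, entry);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not a real project): one direct copy on an
// affected placeholder version and one transitive copy on a clean version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@beproduct/nestjs-auth": { version: "0.1.0-PLACEHOLDER" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/@beproduct/nestjs-auth": { version: "9.9.9" },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // [{ path: "node_modules/@beproduct/nestjs-auth", version: "0.1.0-PLACEHOLDER" }]
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK; a non-empty result means that checkout or CI image should be treated as a credential-exposure point.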

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Notes

  • Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

External References

Source record: oss/attacks/shai-hulud-beproduct-npm/meta.yaml