Open Source · 2026-05-11 · 1 day · Credential Theft, Self Propagation

cross-stitch npm package carried Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

JFrog listed 1 cross-stitch npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.

Story

The cross-stitch package was not the largest Shai-Hulud victim, but it shows the campaign's basic economics. JFrog listed five affected npm releases under the cross-stitch name, giving TeamPCP another trusted registry object that could execute during a normal install.

Shai-Hulud did not rely on a vulnerable application path. It relied on where package installation happens. If cross-stitch installed on a developer workstation, CI runner, or automation host, the payload could search for credentials and publishing tokens in the same environment that maintains other packages.

This page keeps the package-level evidence out of the campaign aggregate. The broader [[shai-hulud-here-we-go-again]] record carries the shared worm mechanics, including credential theft and republishing. This record preserves the package name, affected versions, npm distribution URLs, and the May 11-12 exposure window.

The response is correspondingly concrete: find every install or cache hit for the affected cross-stitch versions, then rotate credentials associated with those machines from a clean system. A small package can still become a propagation point if it lands in a privileged publishing environment.
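The first step of that response, locating every place the package is present, can be scripted. The following Python script is an added example, not code from this record or from JFrog: it walks a directory tree for lockfiles and installed copies of a named npm package, optionally greps npm's content-addressed cache index for the package tarball, and flags any sighting whose version is on an affected list. Two assumptions: the affected version numbers are not listed on this page, so `AFFECTED_VERSIONS` holds a placeholder to be replaced from the JFrog listing, and the npm cache lookup assumes index entries under `_cacache/index-v5` contain the fetched tarball URL. The sample project tree and cache entry are constructed inline so the script runs offline.

```python
"""Added example (not from the source record): locate lockfile pins, installed
copies and npm cache entries of one npm package, and flag affected versions."""
import json
import re
import tempfile
from pathlib import Path

PACKAGE = "cross-stitch"
# Placeholder: this record does not list the affected version numbers;
# fill in from JFrog's advisory before use.
AFFECTED_VERSIONS = {"0.0.0-PLACEHOLDER"}


def _walk_v1_deps(deps, package, found):
    # lockfile v1 nests a 'dependencies' map inside each dependency entry
    for name, entry in deps.items():
        if name == package and "version" in entry:
            found.append(entry["version"])
        _walk_v1_deps(entry.get("dependencies", {}), package, found)


def lockfile_versions(lock_path, package=PACKAGE):
    """Versions of `package` pinned in a package-lock.json (lockfile v1, v2 or v3)."""
    data = json.loads(Path(lock_path).read_text())
    found = []
    # v2/v3: flat 'packages' map keyed by path, e.g. node_modules/a/node_modules/<pkg>
    for path, entry in data.get("packages", {}).items():
        if path.split("node_modules/")[-1] == package and "version" in entry:
            found.append(entry["version"])
    _walk_v1_deps(data.get("dependencies", {}), package, found)
    return found


def installed_versions(root, package=PACKAGE):
    """(directory, version) for every node_modules/<package>/package.json under root."""
    hits = []
    for pkg_json in Path(root).rglob(f"node_modules/{package}/package.json"):
        version = json.loads(pkg_json.read_text()).get("version")
        if version:
            hits.append((str(pkg_json.parent), version))
    return hits


def cache_index_hits(cache_dir, package=PACKAGE):
    """Versions of `package` referenced by npm's cache index.
    Assumption: files under <cache>/_cacache/index-v5 contain the tarball URL,
    e.g. https://registry.npmjs.org/<pkg>/-/<pkg>-1.2.3.tgz"""
    p = re.escape(package)
    pattern = re.compile(rf'/{p}/-/{p}-([0-9][^/\s"]*)\.tgz')
    found = set()
    index_dir = Path(cache_dir) / "_cacache" / "index-v5"
    if not index_dir.is_dir():
        return found
    for entry in index_dir.rglob("*"):
        if entry.is_file():
            found.update(pattern.findall(entry.read_text(errors="ignore")))
    return found


def scan(root, cache_dir=None, affected=AFFECTED_VERSIONS, package=PACKAGE):
    """Every sighting of `package` under root (lockfiles, installed copies, npm cache),
    each marked 'affected' when its version is on the affected list."""
    sightings = []
    for lock in Path(root).rglob("package-lock.json"):
        for v in lockfile_versions(lock, package):
            sightings.append({"where": str(lock), "version": v})
    for where, v in installed_versions(root, package):
        sightings.append({"where": where, "version": v})
    if cache_dir:
        for v in cache_index_hits(cache_dir, package):
            sightings.append({"where": f"npm cache {cache_dir}", "version": v})
    for s in sightings:
        s["affected"] = s["version"] in affected
    return sightings


def build_sample_tree():
    """Constructed fixture: a project with a lockfile pin and an installed copy of the
    package, plus a fake npm cache index entry. Version 9.9.9 is made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="pkg-scan-demo-"))
    proj = root / "app"
    for name in (PACKAGE, "left-pad"):
        (proj / "node_modules" / name).mkdir(parents=True)
    (proj / "package-lock.json").write_text(json.dumps({
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "app"},
            f"node_modules/{PACKAGE}": {"version": "9.9.9"},
            "node_modules/left-pad": {"version": "1.3.0"},
        }}))
    (proj / "node_modules" / PACKAGE / "package.json").write_text(
        json.dumps({"name": PACKAGE, "version": "9.9.9"}))
    (proj / "node_modules" / "left-pad" / "package.json").write_text(
        json.dumps({"name": "left-pad", "version": "1.3.0"}))
    cache = root / "npm-cache" / "_cacache" / "index-v5" / "ab"
    cache.mkdir(parents=True)
    (cache / "entry").write_text(
        f'{{"key":"make-fetch-happen:request-cache:https://registry.npmjs.org/'
        f'{PACKAGE}/-/{PACKAGE}-9.9.9.tgz"}}\n')
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    for s in scan(demo / "app", demo / "npm-cache", affected={"9.9.9"}):
        print(("AFFECTED " if s["affected"] else "ok       ") + s["version"] + "  " + s["where"])
```

Run it against a real checkout root and the workstation's npm cache directory (`npm config get cache` prints the path) with `AFFECTED_VERSIONS` filled in; every line marked AFFECTED is a host whose credentials should be rotated from a clean system, per the response described above.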

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Notes

  • Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

External References

Source record: oss/attacks/shai-hulud-cross-stitch-npm/meta.yaml