DraftLab npm packages carried Shai-Hulud

DraftLab's Shai-Hulud exposure spanned three related npm packages: @draftlab/auth, @draftlab/auth-router, and @draftlab/db. JFrog listed six affected releases across that small package family during the May 11-12 TeamPCP wave.

The grouping is important. A developer who installed one DraftLab component could plausibly install the others in the same project or CI job, putting the malware inside an environment already handling authentication and database integration. Shai-Hulud used that kind of install-time access to harvest secrets and search for new package-publishing authority.

This record keeps the DraftLab namespace as its own trust boundary. The campaign page carries the shared TeamPCP mechanics; this page preserves the exact package names, affected releases, registry distribution paths, and response window needed for inventory searches.

Defenders should treat the listed packages as exposure indicators, not just vulnerable dependencies. A match in a build log, package cache, or lockfile means the install environment deserves credential rotation and a review of any packages it could publish during or after the compromise window.

Motive

Credential Theft

Attribution

Group

Cause

Compromised Account Credentials

Transitive

Yes

Actor

TeamPCP

• Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

• Shai-Hulud: Here We Go Again - Worm by TeamPCP Hits NPM and PyPIresearch.jfrog.com