Open Source 2026-05-11 · 1 day · Credential Theft, Self Propagation

git-branch-selector npm package carried Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

JFrog listed one npm package, git-branch-selector, in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.

Story

git-branch-selector sat directly in the developer-tooling lane Shai-Hulud liked to abuse. JFrog listed five affected npm releases, all under the git-branch-selector package name, during the May 11-12 TeamPCP wave.

The package's purpose made the compromise more than a random registry hit. A tool used in Git workflows is likely to run on machines holding repository access, SSH keys, GitHub tokens, npm credentials, and local configuration files. Those are exactly the assets the Shai-Hulud payload family was built to harvest and turn into new publishing access.

This record scopes that risk to the official npm distribution surface. The campaign page explains the shared loader, infrastructure, and propagation behavior; this page keeps the exact package name, version list, and registry URLs available for concrete exposure checks.

The response question is whether git-branch-selector appeared in a lockfile, build cache, CI job, or developer install during the affected window. Any hit should be handled as a possible credential-theft event, even if no production service ever imported the package: the exposure is the machine that installed it, not the service that shipped it.

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Notes

  • Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

External References

Source record: oss/attacks/shai-hulud-git-branch-selector-npm/meta.yaml