Open Source 2026-05-11 · 1 day · Credential Theft, Self Propagation

git-git-git npm package carried Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

JFrog listed one git-git-git npm package in the May 2026 Shai-Hulud wave. This record scopes the evidence to that package's own official distribution surface on npm.

Story

git-git-git was another small but relevant developer-tooling package in the May 2026 Shai-Hulud wave. JFrog listed five affected releases (versions) published under the git-git-git name, all tied to the same TeamPCP campaign window.

The package name points at the risk. Tools that wrap or assist Git activity often run on workstations and CI hosts with repository access, SSH keys, GitHub credentials, npm tokens, and cloud configuration nearby. Shai-Hulud's install-time payload was designed to harvest that environment and use any publishing authority it found.

This record keeps git-git-git separate from the larger campaign count because defenders need package-granular evidence. The campaign page carries the common malware behavior and propagation model; this page preserves the artifact names, versions, dates, and npm locations.

A matching install should trigger a host-centered investigation. The important question is not whether the package was part of a production runtime, but whether the affected release executed where credentials were present and where additional packages could be published.
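
The host-centered check the paragraph above asks for, as an added example that is not part of the original record or of any JFrog tooling: it reads a package-lock.json for any resolved copy of git-git-git (lockfile versions 1 and 2/3, including transitive placements under another package) and lists the publishing and repository credentials an install-time script running as that user could have read. The lockfile, the `repo-tool` parent package, the `0.0.0-placeholder` version string and the home-directory contents are constructed for the example; the real affected version list must be taken from the JFrog listing and passed in as `affected`.

```python
"""Triage helper for a suspected Shai-Hulud install (added example, not the record's code).

Two questions from the record: was git-git-git resolved into a lockfile on this host, and
were publishing or repository credentials reachable by an install-time script?
All lockfile, environment and home-directory contents below are constructed samples.
"""
import json
import re
import tempfile
from pathlib import Path

PACKAGE = "git-git-git"
# Placeholder only; populate from the JFrog listing for a real investigation.
AFFECTED_VERSIONS = {"0.0.0-placeholder"}


def installed_versions(lock: dict, name: str) -> list[tuple[str, str]]:
    """Return (node_modules path, version) for every copy of `name` in a package-lock.json.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by node_modules path;
    lockfileVersion 1 nests "dependencies" by package name, so it is walked recursively.
    """
    found: list[tuple[str, str]] = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == name:
                found.append((path, meta.get("version", "?")))
        return found

    def walk(deps: dict, prefix: str) -> None:
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name:
                found.append((path, meta.get("version", "?")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def credential_exposure(env: dict, home: Path) -> list[str]:
    """List credentials an install script run as this user could have read."""
    findings = []
    for var in ("NPM_TOKEN", "NODE_AUTH_TOKEN", "GITHUB_TOKEN", "GH_TOKEN",
                "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"):
        if env.get(var):
            findings.append(f"env:{var}")
    npmrc = home / ".npmrc"
    if npmrc.is_file() and re.search(r"_authToken\s*=", npmrc.read_text()):
        findings.append("file:~/.npmrc (_authToken)")
    for rel in (".ssh/id_rsa", ".ssh/id_ed25519", ".aws/credentials",
                ".config/gh/hosts.yml", ".git-credentials"):
        if (home / rel).is_file():
            findings.append(f"file:~/{rel}")
    return findings


def triage(lock: dict, env: dict, home: Path, affected: set[str] = AFFECTED_VERSIONS) -> dict:
    hits = installed_versions(lock, PACKAGE)
    exposed = credential_exposure(env, home)
    return {
        "installed": hits,
        "matches_affected": [h for h in hits if h[1] in affected],
        "exposed": exposed,
        # The record's escalation rule: the package resolved on this host AND
        # credentials an install script could read were present.
        "escalate": bool(hits) and bool(exposed),
    }


# Constructed samples: "repo-tool" is a made-up parent that pulls git-git-git transitively.
SAMPLE_LOCK = {
    "name": "ci-helper", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-helper", "dependencies": {"repo-tool": "^1.0.0"}},
        "node_modules/repo-tool": {"version": "1.0.0", "dependencies": {"git-git-git": "*"}},
        "node_modules/repo-tool/node_modules/git-git-git": {"version": "0.0.0-placeholder"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "repo-tool": {"version": "1.0.0", "requires": {"git-git-git": "*"},
                      "dependencies": {"git-git-git": {"version": "0.0.0-placeholder"}}},
    },
}
SAMPLE_ENV = {"GITHUB_TOKEN": "ghp_EXAMPLE_NOT_REAL", "PATH": "/usr/bin"}


def sample_home(populated: bool = True) -> Path:
    """Constructed home directory; the token and key contents are placeholders, not secrets."""
    home = Path(tempfile.mkdtemp(prefix="triage-home-"))
    if populated:
        (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_EXAMPLE_NOT_REAL\n")
        (home / ".ssh").mkdir()
        (home / ".ssh" / "id_ed25519").write_text("constructed placeholder, not a key\n")
    return home


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOCK, SAMPLE_ENV, sample_home()), indent=2))
```

On a real host, replace the samples with `json.load(open("package-lock.json"))`, `os.environ` and `Path.home()`, and run it on the CI runner and every workstation that resolved the package, not only on production deploys; the `escalate` flag is the signal to start credential rotation and to audit what the npm token and GitHub credentials found could have published.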

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Notes

  • Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

External References

Source record: oss/attacks/shai-hulud-git-git-git-npm/meta.yaml