Open Source 2026-05-11 · 1 day · Credential Theft, Self Propagation

OpenSearch prereleases carried Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

Four @opensearch-project/opensearch prereleases were published with Mini Shai-Hulud malware. OpenSearch removed them and blocked repository writes during credential rotation.

Story

The OpenSearch project disclosed on the evening of May 11, 2026 that four prerelease versions of its official @opensearch-project/opensearch npm client had been published with malicious code as part of the wider Mini Shai-Hulud npm worm. The packages were pulled from npm by 11 p.m. EDT.

In an advisory posted to the seclists oss-sec mailing list, OpenSearch said the affected versions were 3.5.3, 3.6.2, 3.7.0, and 3.8.0. Any machine that installed or executed those packages between 0000 and 0300 UTC on May 12 should be treated as potentially fully compromised, the project said, with all local secrets and keys rotated from another system.
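A lockfile check for the four versions named above, written here as an added example (it is not code from the OpenSearch advisory or project); the sample lockfile is constructed, and `findAffected` is a name chosen for this example:

```javascript
// Added example, not code from the OpenSearch advisory: flag the four
// malicious @opensearch-project/opensearch prereleases in an npm lockfile.
const AFFECTED_PACKAGE = "@opensearch-project/opensearch";
const AFFECTED_VERSIONS = new Set(["3.5.3", "3.6.2", "3.7.0", "3.8.0"]);

// Returns every lockfile entry whose name and version match the advisory.
// Handles both lockfile shapes: v2/v3 "packages" (flat node_modules paths)
// and v1 "dependencies" (nested tree), so transitive installs are found too.
function findAffected(lock) {
  const hits = [];
  const record = (path, version) => {
    if (AFFECTED_VERSIONS.has(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // The text after the last "node_modules/" segment is the package name.
      const name = entry.name || path.split("node_modules/").pop();
      if (name === AFFECTED_PACKAGE) record(path, entry.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === AFFECTED_PACKAGE) record(path, dep.version);
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real project data): one direct install of
// 3.7.0, one transitive install of 3.8.0 under some-lib, one unaffected 3.4.0.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@opensearch-project/opensearch": { version: "3.7.0" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/@opensearch-project/opensearch": { version: "3.8.0" },
    "node_modules/other-lib": { version: "1.2.0" },
    "node_modules/other-lib/node_modules/@opensearch-project/opensearch": { version: "3.4.0" },
  },
};

for (const hit of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`AFFECTED ${hit.path} @ ${hit.version}: rotate secrets from a clean host`);
}
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; a non-empty result means the host falls under the advisory's rotate-everything guidance.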

The advisory tied the activity to the broader Mini Shai-Hulud campaign against npm and CI/CD publishing infrastructure. Researchers at JFrog described the campaign's npm payload as a preinstall-script loader of obfuscated JavaScript that harvests credentials, exfiltrates through multiple redundant channels, and uses stolen access to publish more compromised packages.

OpenSearch said it removed the packages, blocked write permissions on project repositories, and began rotating credentials. This record carries the OpenSearch-specific package versions; the campaign record at [[shai-hulud-here-we-go-again]] carries the cross-package TeamPCP machinery.

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: CI/CD Exploit
Transitive: Yes
Actor: TeamPCP

Indicators

External References

Source record: oss/attacks/opensearch-js/meta.yaml