opensearch-js

Incident Summary

OpenSearch npm prereleases compromised

The Mini Shai-Hulud campaign reached OpenSearch when four prerelease versions of the official @opensearch-project/opensearch npm package were published with malicious payloads. The advisory maps the release window to May 11, 2026 EDT, or May 12 UTC, and recommends immediate removal of affected prereleases. The impact followed the broader worm pattern, with install-time credential theft risk and potential propagation through stolen developer and publishing tokens.

Date: 2026-05-12
Category: Open Source
Target Surface: Package registry
Insertion Phase: CI/CD
Impact: Credential theft
Cause: CI/CD Exploit

What Was Affected

Package opensearch-js

LanguageJavaScript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.com

Repository github.com/opensearch-project/opensearch-js

Compromised Versions

Incident Context

Motive: Credential Theft
Attribution: TeamPCP
Campaign: TeamPCP 2026 Package Compromise Campaign, Shai-Hulud hits NPM and PyPI
Transitive: Yes
User Impact: 0
Observed Duration: 0 days

OpenSearch npm prereleases compromised

What Was Affected

Compromised Versions

Incident Context

Evidence

Compromised Artifacts

Current Artifacts and Analysis

External References

Source Data