Squawk npm packages carried Shai-Hulud

Squawk was one of the broad package-family hits in the May 2026 Shai-Hulud wave. JFrog listed 22 affected @squawk/* npm packages and 110 affected versions, covering data, route, airport, airway, procedure, and utility modules under the same namespace.

That scale made Squawk more than a single bad tarball. A project using one aviation-data package could pull several related packages into the same lockfile or CI job, giving the TeamPCP payload repeated chances to execute in the same trusted environment. The worm's goal was not the package's business logic; it was the credentials and publishing authority around the install.

This record keeps the Squawk namespace separate from the aggregate campaign because responders need the full package family for inventory searches. The campaign page explains the common Shai-Hulud loader, credential theft, and self-propagation path; this page preserves the package names, version lists, registry URLs, and May 11-12 window.

Cleanup should treat the namespace as a cluster. Teams should search lockfiles, npm caches, artifact mirrors, and build logs for every listed @squawk/* release, then rotate credentials for any environment that installed them and review package publications made from those systems.

Motive

Credential Theft

Attribution

Group

Cause

Compromised Account Credentials

Transitive

Yes

Actor

TeamPCP

• Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

• Shai-Hulud: Here We Go Again - Worm by TeamPCP Hits NPM and PyPIresearch.jfrog.com