Tally UI npm packages carried Shai-Hulud
Part of the Shai-Hulud hits npm and PyPI campaign
JFrog listed 10 Tally UI npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
Story
Tally UI was a multi-package namespace compromise in the May 2026 Shai-Hulud wave. JFrog listed ten affected @tallyui/* packages and thirty affected versions, spanning core components, database code, point-of-sale modules, and connectors for commerce platforms.
The package mix made the risk broader than one dependency. Connector and platform packages often live in projects with API keys, deployment tokens, database access, and CI secrets. Shai-Hulud used the install-time position to harvest that material and, when possible, republish more infected packages from the victim environment.
This page keeps the Tally UI namespace as its own distribution boundary. The campaign record carries the shared TeamPCP loader, infrastructure, and propagation behavior; this record preserves the exact package list, affected versions, registry paths, and May 11-12 exposure window.
For responders, the package family is the search unit. Lockfiles, caches, private mirrors, build images, and CI logs should be checked for every affected @tallyui/* release, with credential rotation prioritized for systems that had publishing or deployment authority.
Affected Artifacts
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
- Observed: 2026-05-11 to 2026-05-12; Fixed: Not listed
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: Yes
- Actor: TeamPCP
Notes
- Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.
External References
- Shai-Hulud: Here We Go Again - Worm by TeamPCP Hits NPM and PyPI (research.jfrog.com)
Source record: oss/attacks/shai-hulud-tallyui-npm/meta.yaml