Open Source 2026-05-11 · 1 day · Credential Theft, Self Propagation

ts-dna npm package carried Shai-Hulud

Part of the "Shai-Hulud hits npm and PyPI" campaign

JFrog listed 1 ts-dna npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.

Story

ts-dna was a single-package entry in the May 2026 Shai-Hulud wave. JFrog listed five affected npm releases under the ts-dna name, all tied to the campaign's May 11-12 publishing window.

The package's importance is not measured by its size. Shai-Hulud used registry trust and install-time execution to reach developer machines and CI runners, then searched those environments for npm tokens, GitHub credentials, cloud material, and other secrets that could help it propagate.

This record separates ts-dna from the campaign aggregate so responders have a precise dependency indicator. The campaign page explains the common loader, infrastructure, and TeamPCP behavior; this page keeps the package name, versions, dates, and registry URLs attached to one distribution surface.

Any matching install should be treated as credential exposure until proven otherwise. The relevant evidence may live in lockfiles, npm caches, build logs, private mirrors, or CI images rather than in deployed production code.
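One way to check a lockfile for this dependency (an added example, not part of the source record): the function below lists every resolved copy of ts-dna in a parsed package-lock.json, covering transitive and aliased installs. The sample lockfiles, their placeholder version strings, and the package names other than ts-dna are constructed; compare any reported version against the affected releases in the JFrog listing.

```javascript
// Added example, not from the record. Reports every resolved copy of a package
// in a parsed package-lock.json, including transitive and aliased installs.
const TARGET = "ts-dna"; // package name taken from this record

function walkV1(deps, trail, target, hits) {
  // lockfileVersion 1: nested "dependencies" objects keyed by package name
  for (const [name, dep] of Object.entries(deps || {})) {
    const aliased = String(dep.version).startsWith(`npm:${target}@`);
    if (name === target || aliased) {
      hits.push({ path: [...trail, name].join(" > "), version: dep.version });
    }
    walkV1(dep.dependencies, [...trail, name], target, hits);
  }
}

function findInLock(lock, target = TARGET) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // "" (root project) or a workspace folder
      const name = path.slice(idx + "node_modules/".length);
      // meta.name is set when the install path is an alias for another package
      if (name === target || meta.name === target) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    walkV1(lock.dependencies, [], target, hits);
  }
  return hits;
}

// Constructed sample lockfiles; versions are placeholders and every package
// name other than ts-dna is made up for illustration.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/left": { version: "2.0.0" },
  "node_modules/left/node_modules/ts-dna": { version: "0.0.0-placeholder" },
  "node_modules/dna-alias": { name: "ts-dna", version: "0.0.0-placeholder" },
  "node_modules/ts-dna-utils": { version: "1.2.3" },
}};
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  left: { version: "2.0.0", dependencies: {
    "ts-dna": { version: "0.0.0-placeholder" } } },
}};

console.log(findInLock(SAMPLE_V3), findInLock(SAMPLE_V1));
```

To scan a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `findInLock`; a hit in a lockfile recovered from a CI image or build cache counts the same as one in the working tree.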

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Notes

  • Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

External References

Source record: oss/attacks/shai-hulud-ts-dna-npm/meta.yaml