Open Source 2026-05-11 · 1 day · Credential Theft, Self Propagation

wot-api npm package carried Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

JFrog listed one wot-api npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.

Story

wot-api was a single-package entry in TeamPCP's May 2026 Shai-Hulud wave. JFrog listed four affected npm releases under the wot-api package name during the May 11-12 exposure window.

The compromise followed the campaign's registry-first model. A normal package install was enough to create risk if it ran in a developer shell, CI runner, or build container with tokens and configuration nearby. The malware's value came from harvesting those credentials and using them to publish additional infected packages.

This record keeps wot-api separate from the larger campaign rollup because package-level evidence is what defenders can search. The campaign page explains the shared TeamPCP loader, infrastructure, and propagation behavior; this page preserves the affected versions and npm distribution paths.

Cleanup should follow every place the affected wot-api releases resolved: lockfiles, caches, package mirrors, build images, and CI logs. Any matching environment should be reviewed for credential theft and downstream publishing activity before it is trusted again.
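To support the lockfile review described above, this added example (not code from JFrog or from this record) lists every place wot-api resolves in a parsed package-lock.json, including nested transitive copies. The function name, the sample lockfile, and the version strings are constructed placeholders; fill the affected set from the advisory's release list.

```javascript
// Placeholder set: replace with the affected wot-api versions from the advisory.
const AFFECTED_VERSIONS = new Set(["0.0.0-PLACEHOLDER"]);

// Returns one record per resolved copy of `name` in a parsed package-lock.json.
function findResolutions(lock, name, affected = AFFECTED_VERSIONS) {
  const hits = [];
  const hasRoot = Boolean(lock.packages);
  const root = (hasRoot && lock.packages[""]) || {};
  const direct = ["dependencies", "devDependencies", "optionalDependencies"]
    .some((k) => root[k] && name in root[k]);
  const record = (path, e) => hits.push({
    path,
    version: e.version,
    resolved: e.resolved || null,   // registry tarball URL, if recorded
    integrity: e.integrity || null,
    // Only the hoisted top-level copy can be a direct dependency.
    // null means the lockfile format does not say (lockfileVersion 1).
    transitive: hasRoot ? !(direct && path === `node_modules/${name}`) : null,
    affected: affected.has(e.version),
  });
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, e] of Object.entries(lock.packages || {})) {
    const installed = path.split("node_modules/").pop();
    // e.name is set for aliased installs, so prefer it over the folder name.
    if (path && (e.name || installed) === name) record(path, e);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, e] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) record(path, e);
      walk(e.dependencies, `${path}/`);
    }
  };
  if (!hasRoot) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; package names and versions are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "some-sdk": "^1.0.0" } },
    "node_modules/some-sdk": { version: "1.0.0" },
    "node_modules/some-sdk/node_modules/wot-api": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/wot-api": { version: "9.9.9-CLEAN-PLACEHOLDER" },
  },
};
```

Run the same function over each lockfile recovered from caches, build images, and CI artifacts, passing the result of `JSON.parse` on the file contents.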

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Notes

  • Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

External References

Source record: oss/attacks/shai-hulud-wot-api-npm/meta.yaml