Shai-Hulud hits npm and PyPI
Shai-Hulud: Here We Go Again was a May 2026 TeamPCP campaign affecting roughly 169 to 170 or more npm package names (the figure varied by researcher and shifted as the list was refined), plus 2 PyPI packages, with a combined reported download volume above 200 million per week.
Story
A self-spreading npm worm researchers dubbed "Mini Shai-Hulud" tore through more than 170 JavaScript packages and at least two Python packages over eight days in May 2026, in what JFrog, Aikido, Socket, and StepSecurity described as a second major outing for a TeamPCP-linked operation that first surfaced under the Shai-Hulud name in late 2025.
Researchers said the campaign was aimed at package publishers themselves rather than at any single project. JFrog reported more than 170 npm packages and two PyPI packages. Aikido counted 373 malicious package-version entries across 169 npm names as the list was refined over several days.
The npm payload imported @tanstack/setup as a GitHub-sourced dependency, rewrote package metadata, bumped versions, and republished infected tarballs using stolen npm tokens. Inside GitHub Actions runners, researchers said it could also abuse OIDC trusted publishing to mint a fresh npm publish token under a legitimate workflow identity — a step that earlier worms had not reached.
The malware daemonized after install so the package manager could return a successful exit while harvesting continued in the background. Its value was in recursion: any package install in a privileged developer or CI environment could leak tokens, enumerate more publishable packages, and seed the next wave.
High-value scopes — including TanStack, Mistral, UiPath, OpenSearch prereleases, and Guardrails — are recorded separately where the package evidence is precise. This campaign record holds the moving aggregate and the common mechanics.
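The install-time mechanics above (infected versions republished under legitimate names, a GitHub-sourced dependency pulled in at install, and code that runs during the install itself) are all checkable from a lockfile. The script below is an added example, not code from the campaign, from the affected projects or from any of the cited vendors: it parses a blocklist written in this page's own "Affected Packages" format and audits a package-lock.json against it. The list entries are copied from this page; the lockfile contents, the placeholder GitHub repository URL and the @antv version are constructed for the demo.

```javascript
// Added example, not the campaign's or any vendor's code: audit an npm
// package-lock.json (lockfileVersion 2 or 3) against an affected-package
// list written in this page's "- name ver, ver, +N" format, and flag the
// install-time signals the worm relied on: dependencies resolved from
// GitHub instead of the registry, and packages with lifecycle scripts.
// The lockfile and the GitHub URL below are constructed for the demo.

// Parse lines such as "- @squawk/geo 0.4.8, 0.4.7, +2", "- @antv/*" and
// "- guardrails-ai 0.10.1". A "+N" token means N further malicious
// versions are not enumerated, so an unlisted version of that name is
// "review", not "clean". A name with no versions, or a "scope/*"
// wildcard, matches every version.
function parseAffectedList(text) {
  const entries = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/^\s*-\s*/, '').trim();
    if (!line) continue;
    const [name, ...rest] = line.split(/\s+/);
    const tokens = rest.join(' ').split(',').map((t) => t.trim()).filter(Boolean);
    entries.set(name, {
      versions: new Set(tokens.filter((t) => !t.startsWith('+'))),
      partial: tokens.some((t) => /^\+\d+$/.test(t)),
      wildcard: name.endsWith('/*'),
    });
  }
  return entries;
}

function lookupAffected(entries, name) {
  if (entries.has(name)) return entries.get(name);
  for (const [key, entry] of entries) {
    if (entry.wildcard && name.startsWith(key.slice(0, -1))) return entry;
  }
  return null;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? null : lockPath.slice(i + 'node_modules/'.length);
}

// git+ URLs, github.com tarballs and codeload.github.com archives
const GITHUB_SOURCE_RE = /^git\+|(^|\/\/)(codeload\.)?github\.com\//;

function auditLockfile(lock, affected) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = packageName(lockPath);
    if (!name) continue;
    const version = meta.version || '';
    const entry = lookupAffected(affected, name);
    if (entry && entry.versions.has(version)) {
      findings.push({ name, version, severity: 'critical', reason: 'version is on the affected list' });
    } else if (entry && entry.versions.size === 0) {
      findings.push({ name, version, severity: 'high', reason: 'every version of this name is on the affected list' });
    } else if (entry && entry.partial) {
      findings.push({ name, version, severity: 'high', reason: 'name is on the affected list and its version list is incomplete' });
    }
    if (GITHUB_SOURCE_RE.test(meta.resolved || '')) {
      findings.push({ name, version, severity: 'medium', reason: `resolved from GitHub, not the registry: ${meta.resolved}` });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version, severity: 'low', reason: 'declares lifecycle (install) scripts' });
    }
  }
  return findings;
}

// A few entries copied from this page's Affected Packages list.
const AFFECTED_TEXT = `
- @tanstack/react-router 1.169.5, 1.169.8
- @squawk/geo 0.4.8, 0.4.7, 0.4.6, +2
- @antv/*
- guardrails-ai 0.10.1
`;

// Constructed lockfile: one listed-version hit, one unlisted version of a
// partially enumerated name, one wildcard hit with an install script, one
// GitHub-sourced dependency (repository URL is a placeholder), one clean.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@tanstack/react-router': { version: '1.169.5', resolved: 'https://registry.npmjs.org/@tanstack/react-router/-/react-router-1.169.5.tgz' },
    'node_modules/@squawk/geo': { version: '0.4.9', resolved: 'https://registry.npmjs.org/@squawk/geo/-/geo-0.4.9.tgz' },
    'node_modules/@antv/g2': { version: '0.0.0', resolved: 'https://registry.npmjs.org/@antv/g2/-/g2-0.0.0.tgz', hasInstallScript: true },
    'node_modules/@tanstack/setup': { version: '0.0.1', resolved: 'git+https://github.com/example-org/placeholder-repo.git#0123456789abcdef0123456789abcdef01234567' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
  },
};

function main() {
  const lockPath = process.argv[2]; // optional: path to a real package-lock.json
  const lock = lockPath ? JSON.parse(require('node:fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  const findings = auditLockfile(lock, parseAffectedList(AFFECTED_TEXT));
  for (const f of findings) console.log(`[${f.severity}] ${f.name}@${f.version}: ${f.reason}`);
  return findings;
}
main();
```

Run it as `node audit.js ./package-lock.json` with the full Affected Packages list from this page pasted into AFFECTED_TEXT. A clean result is not proof of a clean environment: the list changed for days after the first reports, the worm ran at install time on whatever machine did the install, and lockfile auditing says nothing about tokens already leaked from developer workstations or CI runners, which still need rotation.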
Linked Attacks
2026
TeamPCP published malicious durabletask 1.4.1, 1.4.2, and 1.4.3 to PyPI with a stolen token, bypassing Microsoft's CI/CD path. The dropper fetched rope.pyz to harvest cloud and password-manager credentials, spread via AWS SSM and kubectl, and conditionally wiped disks.
On 2026-05-19, TeamPCP took the shared `atool` npm account and published 639 malicious versions across 323 packages — most of the @antv ecosystem and a long tail of standalone neighbors. The bun-based dropper harvested CI/CD secrets and self-propagated via npm.
A compromised contributor published Nx Console 18.95.0 to the VS Code Marketplace and OpenVSX on 2026-05-18. The malicious build fetched an obfuscated payload that harvested Vault, npm, AWS, GitHub, 1Password, and SSH credentials and installed a Python LaunchAgent on macOS.
TeamPCP re-pointed all 53 issues-helper tags and all 15 maintain-one-comment tags to a single dangling imposter commit on 2026-05-18. The injected step downloaded Bun, scraped Runner.Worker memory for masked secrets, and exfiltrated them to t.m-kosche.com.
Mistral's PyPI SDK and npm SDK packages appeared in the May 2026 Shai-Hulud wave. The affected releases carried campaign loaders through official package distribution paths.
JFrog listed 1 wot-api npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 ts-dna npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
TeamPCP's Mini Shai-Hulud worm compromised the TanStack Router release pipeline by chaining a pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning, and runtime extraction of a GitHub Actions OIDC trusted-publisher token from runner memory.
JFrog listed 1 safe-action npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
Four @opensearch-project/opensearch prereleases were published with Mini Shai-Hulud malware. OpenSearch removed them and blocked repository writes during credential rotation.
JFrog listed 1 nextmove-mcp npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 guardrails-ai PyPI package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 git-git-git npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 git-branch-selector npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 cross-stitch npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 cmux-agent-mcp npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 agentwork-cli npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 66 UiPath npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 Tolka npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 Taskflow Corp npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 10 Tally UI npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 2 SuperSurkhet npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 22 Squawk npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 3 MesaDev npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 3 ML Toolkit TS npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 3 DraftLab npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 2 DraftAuth npm packages in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 Dirigible AI npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
JFrog listed 1 BeProduct npm package in the May 2026 Shai-Hulud wave. This record scopes those artifacts to their own official distribution surface.
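Two of the records above describe attacks on the workflow side rather than the package side: re-pointing action tags at an impostor commit, and a pull_request_target "Pwn Request" chained with cache poisoning and OIDC trusted-publisher token extraction. The linter below is an added example, not the affected projects' or any vendor's tooling: it flags actions referenced by mutable tags, and pull_request_target workflows that check out the pull request head while holding id-token: write or a cache. It is a regex heuristic over workflow YAML rather than a YAML parser, and the two sample workflows, their tag names and the 40-character placeholder SHAs are constructed.

```javascript
// Added example, not the project's or any vendor's code: a line-based
// linter for GitHub Actions workflow files that flags the two conditions
// chained in the tag re-pointing and TanStack Router incidents above:
// actions referenced by mutable tags (which a compromised maintainer
// account can re-point at a malicious commit) and pull_request_target
// workflows that check out the pull request head, which hands untrusted
// PR code the base repository's secrets, cache scope and OIDC identity.
// This is a regex heuristic over YAML lines, not a YAML parser, so it can
// miss unusual layouts; the two sample workflows are constructed.

const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'@]+)@([^\s"'#]+)/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/i;
const PR_TARGET_RE = /(^|[\s\[,])pull_request_target\b/;
const PR_HEAD_CHECKOUT_RE = /\bref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}/;
const ID_TOKEN_WRITE_RE = /^\s*id-token:\s*["']?write\b/;
const SETUP_CACHE_RE = /^\s*cache:\s*["']?(npm|yarn|pnpm)\b/;

function lintWorkflow(text) {
  const findings = [];
  let prTarget = false, prHeadCheckout = false, idTokenWrite = false, usesCache = false;
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/#.*$/, ''); // drop trailing YAML comments
    if (PR_TARGET_RE.test(line)) prTarget = true;
    if (PR_HEAD_CHECKOUT_RE.test(line)) prHeadCheckout = true;
    if (ID_TOKEN_WRITE_RE.test(line)) idTokenWrite = true;
    if (SETUP_CACHE_RE.test(line)) usesCache = true;
    const m = USES_RE.exec(line);
    if (!m) return;
    const [, action, ref] = m;
    if (action.startsWith('./') || action.startsWith('docker://')) return; // local or image refs
    if (action.startsWith('actions/cache')) usesCache = true;
    if (!FULL_SHA_RE.test(ref)) {
      findings.push({ rule: 'unpinned-action', line: i + 1,
        detail: `${action}@${ref} uses a mutable ref; pin the full commit SHA` });
    }
  });
  if (prTarget && prHeadCheckout) {
    findings.push({ rule: 'pwn-request', line: 0,
      detail: 'pull_request_target checks out the PR head: untrusted code runs with base-repo privileges' });
    if (idTokenWrite) findings.push({ rule: 'oidc-from-untrusted', line: 0,
      detail: 'id-token: write lets that code request an OIDC token and, via trusted publishing, a registry publish token' });
    if (usesCache) findings.push({ rule: 'cache-poisoning', line: 0,
      detail: 'cache written by untrusted code lands in the base-branch scope that release jobs restore from' });
  }
  return findings;
}

// Constructed: the weak workflow. The action tag names are placeholders.
const VULNERABLE_WORKFLOW = [
  'name: ci',
  'on:',
  '  pull_request_target:',
  '    types: [opened, synchronize]',
  'permissions:',
  '  contents: read',
  '  id-token: write',
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - uses: actions/cache@v4',
  '        with:',
  '          path: node_modules',
  "          key: deps-${{ hashFiles('package-lock.json') }}",
  '      - uses: actions-cool/issues-helper@v3',
  '      - run: npm ci && npm test',
].join('\n');

// Constructed: the hardened counterpart. The 40-hex SHAs are placeholders;
// pin to the real commit the tag resolves to and keep the trailing comment
// as the human-readable hint of the intended version.
const HARDENED_WORKFLOW = [
  'name: ci',
  'on:',
  '  pull_request:',
  'permissions:',
  '  contents: read',
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4',
  '      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4',
  '        with:',
  '          cache: npm',
  '      - run: npm ci && npm test',
].join('\n');

for (const [label, wf] of [['vulnerable', VULNERABLE_WORKFLOW], ['hardened', HARDENED_WORKFLOW]]) {
  const findings = lintWorkflow(wf);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.rule}${f.line ? ' (line ' + f.line + ')' : ''}: ${f.detail}`);
}
```

The hardened sample keeps a cache and a setup action: neither is a problem on its own. What the linter objects to is the combination of untrusted code, base-repository context and something worth stealing (a cache entry a release job restores, or an OIDC identity that a registry trusts). SHA pinning addresses the separate tag re-pointing case only if the SHA is one you verified yourself; a pinned SHA copied from the re-pointed tag pins the impostor commit.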
Campaign Context
- Actor: TeamPCP
- Attribution: Group
- Cause: Unknown
- User Impact: 200,000,000 (reported combined weekly download volume of the affected packages)
Affected Packages
- @beproduct/nestjs-auth 0.1.18, 0.1.19, 0.1.17, +5
- @dirigible-ai/sdk 0.6.3, 0.6.2
- @draftauth/client 0.2.2, 0.2.1
- @draftauth/core 0.13.1, 0.13.2
- @draftlab/auth 0.24.2, 0.24.1
- @draftlab/auth-router 0.5.1, 0.5.2
- @draftlab/db 0.16.2, 0.16.1
- @ml-toolkit-ts/preprocessing 1.0.2, 1.0.3
- @ml-toolkit-ts/xgboost 1.0.3, 1.0.4
- ml-toolkit-ts 1.0.5, 1.0.4
- @mesadev/rest 0.28.3
- @mesadev/saguaro 0.4.22
- @mesadev/sdk 0.28.3
- @squawk/airport-data 0.7.8, 0.7.7, 0.7.6, +2
- @squawk/airports 0.6.6, 0.6.5, 0.6.4, +2
- @squawk/airspace 0.8.5, 0.8.3, 0.8.4, +2
- @squawk/airspace-data 0.5.7, 0.5.5, 0.5.6, +2
- @squawk/airway-data 0.5.8, 0.5.7, 0.5.6, +2
- @squawk/airways 0.4.6, 0.4.4, 0.4.5, +2
- @squawk/fix-data 0.6.8, 0.6.7, 0.6.6, +2
- @squawk/fixes 0.3.6, 0.3.5, 0.3.4, +2
- @squawk/flight-math 0.5.8, 0.5.7, 0.5.6, +2
- @squawk/flightplan 0.5.6, 0.5.5, 0.5.4, +2
- @squawk/geo 0.4.8, 0.4.7, 0.4.6, +2
- @squawk/icao-registry 0.5.6, 0.5.5, 0.5.4, +2
- @squawk/icao-registry-data 0.8.8, 0.8.6, 0.8.7, +2
- @squawk/mcp 0.9.5, 0.9.4, 0.9.3, +2
- @squawk/navaid-data 0.6.8, 0.6.7, 0.6.6, +2
- @squawk/navaids 0.4.6, 0.4.5, 0.4.4, +2
- @squawk/notams 0.3.10, 0.3.9, 0.3.8, +2
- @squawk/procedure-data 0.7.7, 0.7.5, 0.7.6, +2
- @squawk/procedures 0.5.6, 0.5.4, 0.5.5, +2
- @squawk/types 0.8.5, 0.8.3, 0.8.4, +2
- @squawk/units 0.4.7, 0.4.5, 0.4.6, +2
- @squawk/weather 0.5.10, 0.5.8, 0.5.9, +2
- @supersurkhet/cli 0.0.7, 0.0.6, 0.0.5, +3
- @supersurkhet/sdk 0.0.7, 0.0.6, 0.0.5, +3
- @tallyui/components 1.0.3, 1.0.2, 1.0.1
- @tallyui/connector-medusa 1.0.3, 1.0.2, 1.0.1
- @tallyui/connector-shopify 1.0.3, 1.0.2, 1.0.1
- @tallyui/connector-vendure 1.0.3, 1.0.2, 1.0.1
- @tallyui/connector-woocommerce 1.0.3, 1.0.2, 1.0.1
- @tallyui/core 0.2.3, 0.2.2, 0.2.1
- @tallyui/database 1.0.3, 1.0.2, 1.0.1
- @tallyui/pos 0.1.3, 0.1.2, 0.1.1
- @tallyui/storage-sqlite 0.2.3, 0.2.2, 0.2.1
- @tallyui/theme 0.2.3, 0.2.2, 0.2.1
- @taskflow-corp/cli 0.1.29, 0.1.28, 0.1.27, +3
- @tolka/cli 1.0.5, 1.0.6, 1.0.4, +2
- @uipath/access-policy-sdk 0.3.1
- @uipath/access-policy-tool 0.3.1
- @uipath/admin-tool 0.1.1
- @uipath/agent-sdk 1.0.2
- @uipath/agent-tool 1.0.1
- @uipath/agent.sdk 0.0.18
- @uipath/aops-policy-tool 0.3.1
- @uipath/ap-chat 1.5.7
- @uipath/api-workflow-tool 1.0.1
- @uipath/apollo-core 5.9.2
- @uipath/apollo-react 4.24.5
- @uipath/apollo-wind 2.16.2
- @uipath/auth 1.0.1
- @uipath/case-tool 1.0.1
- @uipath/cli 1.0.1
- @uipath/codedagent-tool 1.0.1
- @uipath/codedagents-tool 0.1.12
- @uipath/codedapp-tool 1.0.1
- @uipath/common 1.0.1
- @uipath/context-grounding-tool 0.1.1
- @uipath/data-fabric-tool 1.0.2
- @uipath/docsai-tool 1.0.1
- @uipath/filesystem 1.0.1
- @uipath/flow-tool 1.0.2
- @uipath/functions-tool 1.0.1
- @uipath/gov-tool 0.3.1
- @uipath/identity-tool 0.1.1
- @uipath/insights-sdk 1.0.1
- @uipath/insights-tool 1.0.1
- @uipath/integrationservice-sdk 1.0.2
- @uipath/integrationservice-tool 1.0.2
- @uipath/llmgw-tool 1.0.1
- @uipath/maestro-sdk 1.0.1
- @uipath/maestro-tool 1.0.1
- @uipath/orchestrator-tool 1.0.1
- @uipath/packager-tool-apiworkflow 0.0.19
- @uipath/packager-tool-bpmn 0.0.9
- @uipath/packager-tool-case 0.0.9
- @uipath/packager-tool-connector 0.0.19
- @uipath/packager-tool-flow 0.0.19
- @uipath/packager-tool-functions 0.1.1
- @uipath/packager-tool-webapp 1.0.6
- @uipath/packager-tool-workflowc... 0.0.16
- @uipath/packager-tool-workflowc... 0.0.34
- @uipath/platform-tool 1.0.1
- @uipath/project-packager 1.1.16
- @uipath/resource-tool 1.0.1
- @uipath/resourcecatalog-tool 0.1.1
- @uipath/resources-tool 0.1.11
- @uipath/robot 1.3.4
- @uipath/rpa-legacy-tool 1.0.1
- @uipath/rpa-tool 0.9.5
- @uipath/solution-packager 0.0.35
- @uipath/solution-tool 1.0.1
- @uipath/solutionpackager-sdk 1.0.11
- @uipath/solutionpackager-tool-core 0.0.34
- @uipath/tasks-tool 1.0.1
- @uipath/telemetry 0.0.7
- @uipath/test-manager-tool 1.0.2
- @uipath/tool-workflowcompiler 0.0.12
- @uipath/traces-tool 1.0.1
- @uipath/ui-widgets-multi-file-u... 1.0.1
- @uipath/uipath-python-bridge 1.0.1
- @uipath/vertical-solutions-tool 1.0.1
- @uipath/vss 0.1.6
- @uipath/widget.sdk 1.2.3
- agentwork-cli 0.1.4, 0.1.5
- cmux-agent-mcp 0.1.8, 0.1.7, 0.1.6, +3
- cross-stitch 1.1.7, 1.1.5, 1.1.6, +2
- git-branch-selector 1.3.7, 1.3.6, 1.3.5, +2
- git-git-git 1.0.12, 1.0.11, 1.0.10, +2
- guardrails-ai 0.10.1
- nextmove-mcp 0.1.7, 0.1.6, 0.1.5, +2
- @opensearch-project/opensearch 3.5.3, 3.6.2, 3.7.0, +1
- safe-action 0.8.4, 0.8.3
- @tanstack/arktype-adapter 1.166.12, 1.166.15
- @tanstack/eslint-plugin-router 1.161.9, 1.161.12
- @tanstack/eslint-plugin-start 0.0.4, 0.0.7
- @tanstack/history 1.161.9, 1.161.12
- @tanstack/nitro-v2-vite-plugin 1.154.12, 1.154.15
- @tanstack/react-router 1.169.5, 1.169.8
- @tanstack/react-router-devtools 1.166.16, 1.166.19
- @tanstack/react-router-ssr-query 1.166.15, 1.166.18
- @tanstack/react-start 1.167.68, 1.167.71
- @tanstack/react-start-client 1.166.51, 1.166.54
- @tanstack/react-start-rsc 0.0.47, 0.0.50
- @tanstack/react-start-server 1.166.55, 1.166.58
- @tanstack/router-cli 1.166.46, 1.166.49
- @tanstack/router-core 1.169.5, 1.169.8
- @tanstack/router-devtools 1.166.16, 1.166.19
- @tanstack/router-devtools-core 1.167.6, 1.167.9
- @tanstack/router-generator 1.166.45, 1.166.48
- @tanstack/router-plugin 1.167.38, 1.167.41
- @tanstack/router-ssr-query-core 1.168.3, 1.168.6
- @tanstack/router-utils 1.161.11, 1.161.14
- @tanstack/router-vite-plugin 1.166.53, 1.166.56
- @tanstack/solid-router 1.169.5, 1.169.8
- @tanstack/solid-router-devtools 1.166.16, 1.166.19
- @tanstack/solid-router-ssr-query 1.166.15, 1.166.18
- @tanstack/solid-start 1.167.65, 1.167.68
- @tanstack/solid-start-client 1.166.50, 1.166.53
- @tanstack/solid-start-server 1.166.54, 1.166.57
- @tanstack/start-client-core 1.168.5, 1.168.8
- @tanstack/start-fn-stubs 1.161.9, 1.161.12
- @tanstack/start-plugin-core 1.169.23, 1.169.26
- @tanstack/start-server-core 1.167.33, 1.167.36
- @tanstack/start-static-server-f... 1.166.44, 1.166.47
- @tanstack/start-storage-context 1.166.38, 1.166.41
- @tanstack/valibot-adapter 1.166.12, 1.166.15
- @tanstack/virtual-file-routes 1.161.10, 1.161.13
- @tanstack/vue-router 1.169.5, 1.169.8
- @tanstack/vue-router-devtools 1.166.16, 1.166.19
- @tanstack/vue-router-ssr-query 1.166.15, 1.166.18
- @tanstack/vue-start 1.167.61, 1.167.64
- @tanstack/vue-start-client 1.166.46, 1.166.49
- @tanstack/vue-start-server 1.166.50, 1.166.53
- @tanstack/zod-adapter 1.166.12, 1.166.15
- ts-dna 3.0.5, 3.0.4, 3.0.3, +2
- wot-api 0.8.3, 0.8.4, 0.8.2, +1
- mistralai 2.4.6
- @mistralai/mistralai 2.2.4, 2.2.3, 2.2.2
- @mistralai/mistralai-azure 1.7.3, 1.7.1, 1.7.2
- @mistralai/mistralai-gcp 1.7.3, 1.7.1, 1.7.2
- actions-cool/issues-helper
- actions-cool/maintain-one-comment
- nrwl.angular-console 18.95.0
- @antv/*
- echarts-for-react
- timeago.js
- size-sensor
- jest-canvas-mock
- jest-date-mock
- canvas-nest.js
- durabletask 1.4.1, 1.4.2, 1.4.3
Notes
- Aikido reported 373 malicious package-version entries across 169 npm package names on May 12, 2026; JFrog separately reported 170+ npm packages plus 2 PyPI packages. The count shifted as researchers removed false positives and added newly discovered package versions.
- Legacy artifact note: 170+ npm unique packages in JFrog Appendix A, excluding separately tracked @tanstack/* packages
- Legacy artifact note: @uipath/* packages
- Legacy artifact note: @squawk/* packages
- Legacy artifact note: @tallyui/* packages
- Legacy artifact note: @beproduct/nestjs-auth
- Legacy artifact note: @draftlab/* and @draftauth/* packages
- Legacy artifact note: @taskflow-corp/cli and @tolka/cli
- Legacy artifact note: @ml-toolkit-ts/*, @mesadev/*, @dirigible-ai/sdk, and @supersurkhet/* packages
- Legacy artifact note: @mistralai/mistralai@2.2.2, 2.2.3, 2.2.4
- Legacy artifact note: @mistralai/mistralai-azure@1.7.1, 1.7.2, 1.7.3
- Legacy artifact note: @mistralai/mistralai-gcp@1.7.1, 1.7.2, 1.7.3
- Legacy artifact note: @opensearch-project/opensearch prereleases tracked separately
- Legacy artifact note: guardrails-ai@0.10.1
External References
Source record: oss/campaigns/shai-hulud-here-we-go-again/meta.yaml