Mini Shai-Hulud worm hijacks 323 npm packages under 30 minutes through a single stolen account

On May 19, the Mini Shai-Hulud worm compromised one npm maintainer account and pushed 639 malicious versions across 323 packages in under 30 minutes.

The compromised account, “atool” (i@hust.cc), publishes Alibaba’s entire @antv data visualization stack alongside standalone libraries used in crypto dashboards, DeFi front ends, and fintech applications.

The highest-traffic targets: size-sensor at 4.2 million weekly downloads, echarts-for-react at 1.1 million, @antv/scale at 2.2 million, and timeago.js at 1.15 million.

Projects using semver ranges like ^3.0.6 for echarts-for-react auto-resolved to the malicious version 3.2.7 on the next clean install. The maintainer closed GitHub security warnings within an hour, burying them in closed issues.

What the payload steals and how it persists

The malware harvests more than 20 credential types: AWS keys via EC2 and ECS metadata, Google Cloud and Azure tokens, GitHub and npm tokens, SSH keys, Kubernetes service accounts, HashiCorp Vault secrets, Stripe API keys, database connection strings, and local password vaults from 1Password and Bitwarden, per Socket.dev.

Exfiltration runs through two channels. Stolen credentials are encrypted with AES-256-GCM and sent to a command-and-control server.

As a fallback, the worm uses compromised GitHub tokens to create public repositories with Dune-themed names like sardaukar-melange-742 or fremen-sandworm-315, then commits the stolen data as files. StepSecurity reported over 2,500 GitHub repositories already contain indicators tied to the campaign.

Additionally, the worm uses encryption on the stolen data in OpenTelemetry traces transferred via HTTPS. On Linux-based machines, it sets up a systemd user service which is capable of fetching instructions from GitHub even after the package has been removed.

The worm modifies .vscode and .claude configuration files to ensure reactivation in development environments.

The campaign keeps growing

This is the third wave. As Cryptopolitan reported in January, the original Shai-Hulud variant hit Trust Wallet’s npm packages and caused $8.5 million in losses. The second wave struck Mistral AI, TanStack, UiPath, and Guardrails AI on May 11.

Socket has been able to identify 1,055 compromised versions in total within 502 distinct packages through npm, PyPI, and Composer.

The threat group behind the campaign, TeamPCP, has promoted its tooling on underground hacking forums, according to Datadog researchers. Copycat versions have emerged that use different command-and-control servers, making attribution difficult.

SlowMist CEO 23pds said any environment that installed affected versions should be treated as fully compromised.

Some recommended actions include revoking all access tokens, rotating credentials for AWS, GitHub, npm, and cloud providers, implementing multi-factor authentication for account publishing, and reviewing any suspicious activity within repositories.

If you're reading this, you’re already ahead. Stay there with our newsletter.