- More than 600 malicious npm packages were published in a coordinated supply‑chain attack linked to TeamPCP’s Shai‑Hulud campaign
- The attackers compromised ecosystems including TanStack, Mistral, and antv, introducing infostealers and persistence mechanisms in developer environments
- Developers are advised to roll back to safe versions released before May 18 and rotate any exposed credentials
Cybercriminals published more than 600 malicious packages to the npm registry in a coordinated software supply-chain attack linked to the Shai-Hulud campaign.
Multiple security organizations, including Socket, confirmed that on May 19 2026, in just one hour, malicious actors managed to publish 639 versions of 323 unique packages on npm, targeting software developers, open-source maintainers, organizations running CI/CD pipelines, and everyone else who downloaded, or depends, on the compromised npm packages.
Shai-Hulud is a malware campaign conducted by a threat actor known as TeamPCP. By stealing login credentials and access tokens, the miscreants access legitimate packages and update them to push infostealer malware, grabbing credentials, and compromising CI/CD environments.
Major downstream risk
So far, TeamPCP compromised an undisclosed number of npm packages, but we know that at least some of them are from TanStack-related and Mistral-related ecosystems - with OpenAI one of the companies that confirmed suffering exposure as a result of the Shai-Hulud campaign.
In the latest attack, the threat actors targeted the antv ecosystem, into which thousands of GitHub repositories were later automatically created using stolen credentials. The campaign also introduced fake-looking package provenance signatures and new persistence mechanisms targeting VS Code and Claude Code environments.
The report does not say how many times the malicious package versions were actually downloaded, but it does stress the normal popularity of some affected packages. For example, the jest-canvas-mock package gets around 10 million monthly downloads, which suggests that the attack surface is extremely large.
Security researchers stressed that the full impact of the campaign is not yet known, mostly because we don’t know the number of downstream infections. However, supply-chain attacks like this one can be particularly dangerous, as just one compromised maintainer account can affect thousands of projects through automated package updates.
Developers who downloaded infected packages should remove or roll back to safe versions published before May 18, as well as rotate any potentially exposed credentials.
Via BleepingComputer
