
npm Resets Tokens After “Mini Shai-Hulud” Supply Chain Attack

A large-scale software supply chain attack has forced npm to take unprecedented action, resetting thousands of publishing credentials across its ecosystem. The Mini Shai-Hulud npm attack targeted developer accounts and automated pipelines, using stolen tokens to push malicious code into widely used JavaScript packages.

The incident underscores a growing threat to open source ecosystems: attackers no longer need to exploit code—they exploit developer trust and publishing workflows.

Key Details

On May 19, 2026, npm invalidated all granular access tokens capable of bypassing two-factor authentication (2FA), requiring maintainers to regenerate credentials and update CI/CD pipelines.

The move followed a major incident on May 18, when attackers:

  • Hijacked the npm account “atool”
  • Published 639 malicious versions
  • Spread across 323 packages

The attack heavily impacted the @antv ecosystem, including high-profile packages such as:

  • echarts-for-react (~1.1M weekly downloads)
  • timeago.js
  • size-sensor
  • canvas-nest.js

Researchers estimate that the campaign compromised over 1,000 package versions across 500+ projects globally.

Technical Analysis

Token Theft as the Core Attack Vector

At the center of the Mini Shai-Hulud campaign is a simple but highly effective strategy:

Steal developer tokens → publish malicious packages → repeat

The worm targets:

  • Local developer environments
  • CI/CD pipelines
  • Secret storage systems

Granular access tokens are especially vulnerable because:

  • They can bypass MFA
  • They are long-lived
  • They are often stored in plaintext or environment variables

Once obtained, attackers use these tokens to automatically publish compromised versions of every package tied to the account.


Multi-Stage Supply Chain Compromise

The campaign demonstrated multiple advanced attack techniques:

1. npm Package Poisoning

Attackers injected malicious versions directly into trusted packages, ensuring rapid distribution across the ecosystem.

2. CI/CD Pipeline Exploitation

Workflows such as publish-ci.yml were compromised to push malicious builds.

3. GitHub Actions Cache Poisoning

Attackers manipulated CI caches to insert malicious dependencies.

4. OIDC Token Extraction

Sensitive tokens were extracted in real-time from CI runners, enabling unauthorized publishing actions.


Nx Console and GitHub Breach

The attack extended beyond npm:

  • The Nx Console VS Code extension (2.2M installs) was compromised
  • A malicious version was published (active for 18 minutes)
  • That version was used to extract credentials

This led to:

  • Unauthorized access to GitHub systems
  • Exfiltration of approximately 3,800 internal repositories

The attack was attributed to a group known as TeamPCP.


Worm-Like Propagation

Mini Shai-Hulud behaves like a self-propagating supply chain worm:

  • Harvests credentials from infected systems
  • Automatically republishes infected packages
  • Turns each compromised maintainer into a new infection node

This model allows exponential spread across ecosystems.

Impact and Risks

Who Is Affected

  • JavaScript developers using npm packages
  • Organizations with CI/CD automation
  • Open source maintainers
  • Enterprises relying on JS dependencies

Key Risks

  • Mass distribution of poisoned packages
  • Credential theft across multiple platforms
  • Compromise of build pipelines
  • Supply chain attacks reaching production environments

Real-World Impact

Some affected packages have millions of weekly downloads, meaning:

  • Malicious code can reach thousands of systems within minutes
  • Detection may occur too late
  • Widespread trust in dependencies is undermined

Expert Recommendations

Immediate Response Actions

  • Regenerate all npm tokens and credentials
  • Rotate secrets across environments, including:
    • GitHub tokens
    • Cloud credentials (AWS, Azure, GCP)
    • SSH keys
    • API keys

Secure Publishing Practices

  • Adopt Trusted Publishing (OIDC-based authentication)
  • Avoid long-lived tokens where possible
  • Remove tokens stored in plaintext or environment variables
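
To act on the last point, the following added example (not code from npm or from the original article) audits the text of an .npmrc file for stored credentials. The function names, finding labels and sample file are assumptions made for illustration; secret values are redacted before they are reported.

```javascript
// Added example: classify credential entries found in .npmrc text.
// _authToken, _auth and _password are auth settings npm reads from .npmrc.
const AUTH_KEYS = new Set(['_authToken', '_auth', '_password']);

// Never echo a secret back into logs: keep a short prefix and the length only.
function redact(value) {
  return value.length <= 8 ? '****' : `${value.slice(0, 4)}...(${value.length} chars)`;
}

function auditNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) return; // comment
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    // Registry-scoped form: //host/path/:_authToken ; unscoped form: _authToken
    const sep = key.lastIndexOf(':');
    const name = sep === -1 ? key : key.slice(sep + 1);
    if (!AUTH_KEYS.has(name)) return;
    const registry = sep === -1 ? '(default)' : key.slice(0, sep);
    // ${VAR} means npm expands the secret from the environment at run time,
    // so the credential still exists as an environment variable somewhere.
    const env = /^\$\{([^}]+)\}$/.exec(value);
    findings.push(env
      ? { line: i + 1, registry, key: name, kind: 'env-reference', detail: env[1] }
      : { line: i + 1, registry, key: name, kind: 'plaintext-secret', detail: redact(value) });
  });
  return findings;
}

// Constructed sample; none of these values is a real credential.
const SAMPLE_NPMRC = [
  '; constructed sample',
  'registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=npm_EXAMPLEexampleEXAMPLEexample0000',
  '//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}',
  '@acme:registry=https://npm.example.internal/',
  '//npm.example.internal/:_password="c2VjcmV0"',
].join('\n');

console.log(auditNpmrc(SAMPLE_NPMRC));
```

Run it against the contents of the project, user-level and CI-provisioned .npmrc files; every `plaintext-secret` finding is a token to revoke and replace, and every `env-reference` names a variable whose source needs the same review.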

Enable Staged Publishing

npm introduced Staged Publishing, a new security control:

  • CI publishes enter a staging phase
  • Requires manual MFA approval
  • Prevents immediate release of compromised updates

This acts as a critical security gate against automated attacks.

Pipeline and Dependency Security

  • Scan dependencies with SCA tools
  • Monitor CI/CD pipelines for anomalies
  • Enforce strict access controls
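
As a first step before a full SCA scan, this added example (not from the original article or from npm) inventories where the packages and scope named in this article appear in a package-lock.json with lockfileVersion 2 or 3. The article gives no affected version numbers, so the output is a list to compare against the registry advisory; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: locate watched packages in a parsed package-lock.json (v2/v3).
// Names and scope come from this article; it lists no version numbers.
const WATCH_NAMES = new Set(['echarts-for-react', 'timeago.js', 'size-sensor', 'canvas-nest.js']);
const WATCH_SCOPES = new Set(['@antv']);

// "node_modules/a/node_modules/@s/b" -> "@s/b" (innermost package on the path)
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function findWatched(lock) {
  const packages = lock.packages || {};
  const root = packages[''] || {};
  // Direct dependencies are declared on the root entry of the lockfile.
  const direct = new Set(['dependencies', 'devDependencies', 'optionalDependencies']
    .flatMap((field) => Object.keys(root[field] || {})));
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const name = packageNameFromPath(path);
    if (!name) continue; // root project or workspace folder, not an installed package
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (!WATCH_NAMES.has(name) && !WATCH_SCOPES.has(scope)) continue;
    hits.push({
      name,
      version: meta.version,
      path,
      // Hoisted copies of transitive packages also sit at top level,
      // so check the root declaration as well as the path.
      direct: path === `node_modules/${name}` && direct.has(name),
    });
  }
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfile; version numbers are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'echarts-for-react': '^0.0.0', react: '^0.0.0' } },
    'node_modules/echarts-for-react': { version: '0.0.1' },
    'node_modules/echarts-for-react/node_modules/size-sensor': { version: '0.0.2' },
    'node_modules/@antv/g2': { version: '0.0.3' },
    'node_modules/react': { version: '0.0.4' },
  },
};

console.log(findWatched(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of package-lock.json to `findWatched`; entries with `direct: false` arrived through another dependency and will not show up in package.json.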

Industry Context

The Mini Shai-Hulud campaign represents a major evolution in supply chain attacks:

  • Shift from code exploitation → pipeline exploitation
  • Shift from malware → credential abuse
  • Shift from isolated breaches → worm-like propagation

It follows a growing pattern seen in attacks on:

  • npm and PyPI ecosystems
  • GitHub workflows
  • Developer tooling environments

The introduction of features like Staged Publishing signals a new security direction: human verification in automated workflows.

Conclusion

The Mini Shai-Hulud npm attack is a wake-up call for the entire software development ecosystem.

By targeting tokens, pipelines, and trust relationships, attackers demonstrated how quickly large-scale compromises can spread through open source infrastructure.

npm’s emergency token reset and new security controls highlight the urgency of adapting to this new threat model—where securing the development pipeline is as critical as securing the code itself.


FAQ

1) What is the Mini Shai-Hulud attack?

It is a large-scale supply chain attack that steals developer tokens and publishes malicious npm package versions automatically.

2) Why did npm reset tokens?

Because attackers were abusing tokens that bypass 2FA, allowing them to publish malicious packages without detection.

3) What packages were affected?

Hundreds of packages, including echarts-for-react and @tanstack projects, affecting millions of downloads.

4) How does the attack spread?

It infects developer environments, steals credentials, and uses them to publish more infected packages.

5) How can developers protect themselves?

By rotating credentials, enabling MFA, adopting secure publishing methods, and reviewing CI/CD security.
