The Worm in Your Supply Chain: Inside the Shai-Hulud npm Attacks
A self-replicating worm hit 500+ npm and PyPI packages this month — including Red Hat's. It doesn't just poison code; it steals the credentials that let it log in and republish itself everywhere the maintainer has access.
👋 Welcome to Unlocked
Most supply-chain attacks are a smash-and-grab: poison one popular package, wait for downloads, move on. The attack tearing through the open-source world this month is different. It doesn't just infect a package — it logs in.
The worm known as Shai-Hulud steals the credentials of whatever developer or pipeline it lands in, then uses those credentials to enumerate every package that maintainer controls and publish infected versions of all of them. Each victim becomes the launch point for the next wave. It's not a campaign with a beginning and an end. It's a chain reaction.
Starting June 1, new variants ripped through the npm ecosystem and into PyPI, compromising hundreds of packages — including ones published under Red Hat's namespace, and TanStack packages prominent enough to force a public response from OpenAI.
This week we break down how a self-spreading worm turned trusted open-source infrastructure into a credential-harvesting machine — and what actually stops it from reaching your build.
🔑 What Actually Happened
Shai-Hulud first surfaced in 2025. The June 2026 wave — and its "Mini Shai-Hulud" variant — is meaner. After stealing credentials from a single CI/CD pipeline, the worm enumerates every package that account can publish and pushes a malicious version of each, then repeats from any new maintainer account it reaches. It's genuinely self-propagating, the way an email worm was in 2003, except the carrier is your dependency tree.
The payload's goal is credentials. As CISA has warned, it scans for sensitive secrets and targets GitHub tokens and cloud API keys across AWS, GCP, and Azure — plus npm, HashiCorp Vault, and Kubernetes — exactly the keys that grant access to production, cloud accounts, and the next set of packages. On June 1, Wiz flagged the compromise of Red Hat's @redhat-cloud-services namespace; within days, researchers were tracking hundreds of malicious package versions across overlapping campaigns.
The uncomfortable part: nobody had to be careless. Pulling a trusted, widely used package was enough.
📉 The Numbers
- 500+ — npm packages compromised across the ongoing Shai-Hulud campaign.
- 32 / 96 — Red Hat
@redhat-cloud-servicespackages and versions found with unauthorized modifications on June 1. - 116,000+ — weekly downloads of those Red Hat packages alone.
- 7 — credential platforms the payload harvests: npm, GitHub, AWS, GCP, Azure, Vault, and Kubernetes.
- June 1 — start of the new, self-replicating wave that spread into PyPI.
🔍 Three Things That Make This One Different
1. It's a true worm.
Classic supply-chain attacks need a human to keep planting payloads. Shai-Hulud automates the whole loop — steal, enumerate, republish, repeat — so the blast radius grows on its own. One compromised maintainer can seed dozens of downstream packages before anyone notices.
2. The prize is credentials, not just code.
This isn't about defacing a library. The worm is built to vacuum up the tokens and keys that move laterally — into your cloud, your secrets manager, your other repos. A single infected install can hand an attacker the keys to your entire build and deploy chain.
3. It rides trust you can't easily revoke.
The packages hit weren't obscure. Red Hat's namespace and TanStack's libraries are exactly the dependencies teams pull without a second thought. When the malicious version ships from a name you already trust, "only install reputable packages" stops being advice.
🛡️ What This Means for Your Access Layer
Pin and verify every dependency.
Lockfiles with integrity hashes, pinned versions, and a delay before adopting brand-new releases all shrink the window where a poisoned update slips into your build. Don't let CI silently pull "latest."
Make CI/CD secrets short-lived and scoped.
The worm spreads because pipeline credentials are long-lived, broadly scoped, and reusable. Short-lived, narrowly scoped, OIDC-based tokens that expire in minutes break the chain — a stolen secret that's already dead can't republish anything.
Lock maintainer and registry accounts behind phishing-resistant auth.
Every hop in this worm is an account takeover. Hardware-bound passkeys and security keys on npm, GitHub, and cloud accounts mean a stolen token alone isn't enough to log in and publish. This is the single control that most directly stops propagation.
Watch for unexpected publishes.
Alert on new package versions, new maintainers, and publishes outside normal hours. The worm's tell is a flurry of releases from accounts that don't usually ship — catch that and you catch the spread.
🔑 The Bottom Line
Shai-Hulud is what happens when an attacker stops stealing data and starts stealing access. The code is just the delivery mechanism; the credentials are the point. Your software supply chain is now an identity problem — every package you install is a potential login to everything that package's maintainer can reach, and now, to everything you can reach.
💡 Unlocked Tip of the Week
Ask your team one question this week: "If a dependency we installed yesterday had stolen our CI token, what could it have published in our name?" If the answer is "anything, and the token's still valid," you've found your exposure. Rotate to short-lived, scoped credentials before the next wave, not after.
🔥 Final Takeaway
For years we told developers the danger was careless code. The danger now is trusted code that turns on you the moment it's installed.
500 packages. Seven credential systems. A worm that spreads itself faster than any human attacker could. None of it required tricking a single person — just one stolen token and a dependency tree to climb.
The teams that come through this in better shape won't be the ones who audited the most packages. They'll be the ones who made a stolen credential worthless — phishing-resistant, hardware-bound logins on every maintainer and pipeline account, and secrets short-lived enough to die before the worm can use them. The code can lie. The key in your pocket can't be copied.
The worm is still spreading. The question is whether your credentials are worth stealing.
Stay ready. Stay resilient.
Until next time,
← Last Week: Your Voice Is Not a Password: The Deepfake Assault on Biometrics
