Security researchers say a new Shai-Hulud-related npm campaign is actively stealing developer secrets and spreading through the open-source ecosystem, with OpenAI, Akamai and others confirming related compromise activity.
A new Shai-Hulud-related campaign is targeting the npm ecosystem and stealing developer secrets, according to multiple security reports and vendor statements.
BleepingComputer reported that malicious npm packages tied to the campaign are collecting credentials, tokens, wallet data and other account information from developers. The report follows earlier disclosures about a Mini Shai-Hulud supply-chain attack that affected the TanStack dependency tree and then spread to additional packages.
OpenAI said on May 13 that it identified a security issue involving the TanStack npm library and described it as part of the broader Mini Shai-Hulud attack. Akamai later said a new wave of the campaign appeared on May 11 and expanded beyond TanStack to other packages.
SecurityWeek reported that more than 170 packages were compromised in the Mini Shai-Hulud campaign, while CyberScoop described the activity as a sprawling open-source supply-chain attack linked by researchers to self-propagating malware.
The latest reporting suggests the campaign is still active and that the immediate risk to developers is credential theft through compromised packages. Open questions remain around the final package count, the full scope of affected maintainers, and whether the leaked malware build is distinct from the earlier Mini Shai-Hulud variant.
What to watch
Security teams and package maintainers are likely to keep updating detection guidance, incident scope and mitigation steps as the campaign evolves. Additional vendor statements could further clarify attribution and the spread across npm and related ecosystems.
Revision note
Initial automated publication.
