npm Supply Chain Worm Campaigns Escalate: Shai-Hulud Variants Target Developer Credentials and CI/CD Pipelines
Since September 2025, the npm ecosystem has experienced systematic supply chain attacks featuring self-replicating malware that steals credentials and embeds itself in CI/CD infrastructure; June 2026 saw 32 compromised Red Hat packages via GitHub account takeover.
Attack Brief
Target: npm package registry; developer tooling (Bitwarden CLI, TanStack, Checkmarx, Red Hat Cloud Services); CI/CD pipelines
Vector: Compromised npm package publication; GitHub account takeover; CI/CD pipeline exploitation; typosquatting; credential theft and automated package republication
Attribution: TeamPCP; unattributed copycat activity following the May 12, 2026 source code release
Technical Details
IoCs: @bitwarden/cli version 2026.4.0; @redhat-cloud-services npm namespace (32 packages); Miasma payload; Mini Shai-Hulud malware; Shai-Hulud worm; obfuscated index.js payload (4.29 MB, a 25x increase over the ~200 KB baseline)
Affected: npm packages across the @redhat-cloud-services namespace; Bitwarden CLI; TanStack GitHub Actions; Checkmarx distribution channels (Docker Hub, GitHub Actions, VS Code extensions); PyPI ecosystem (May 11 attack)
Impact
Affected Organisations: Red Hat; Bitwarden; TanStack; Checkmarx; unattributed developers installing malicious packages
Sectors: Software Development; Cloud Services; DevOps/CI-CD
Confirmed Damage: Credential theft (GitHub tokens, npm tokens, SSH keys, AWS/GCP/Azure credentials, Kubernetes service-account tokens, HashiCorp Vault secrets, CI/CD platform secrets); automated malicious package republication; infrastructure-level persistence in CI/CD pipelines; ~80,000 weekly downloads of compromised Red Hat packages
Mitigation
Patches: Rotate all GitHub Personal Access Tokens (PATs); rotate npm tokens; rotate AWS, GCP and Azure credentials and cloud identities; rotate Kubernetes service-account tokens and HashiCorp Vault secrets; rotate CI/CD platform secrets (GitHub Actions, CircleCI)
Workarounds: Purge malicious dependencies from local and cloud-based package caches; enforce code review in CI/CD pipelines; monitor for 25x file size increases in index.js as a detection signal; segment CI/CD infrastructure access; enforce SLSA provenance verification with additional integrity checks beyond certificate validity
Detection: Monitor for obfuscated payload signatures; track npm package size anomalies (index.js > 1 MB); hunt for credential-stealing patterns in package installation logs; correlate GitHub Actions OIDC token requests with package publication events; scan for Miasma payload markers and 'Shai-Hulud: The Third Coming' strings in repositories
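The following is an added example, not code from the brief or from any of the affected projects. It turns the IoCs and Detection items above into an offline scan of an npm project checkout: it flags any index.js over the 1 MB threshold, looks for the 'Shai-Hulud: The Third Coming' marker, and walks package-lock.json for the @bitwarden/cli 2026.4.0 version and the @redhat-cloud-services namespace. The sample tree it builds is constructed for the demonstration (package names under @example and the placeholder versions are invented); the Miasma marker strings are not given in the brief, so the marker list carries a comment where a threat-intel feed would supply them.

```python
"""Scan an npm project tree for the Shai-Hulud indicators listed in the brief.

Added example for the advisory above; the sample project it builds is constructed.
"""
import json
import tempfile
from pathlib import Path

# Indicators taken from the brief's IoC and Detection fields.
SIZE_THRESHOLD_BYTES = 1 * 1024 * 1024            # "index.js > 1 MB" size-anomaly signal
MARKER_STRINGS = (
    b"Shai-Hulud: The Third Coming",               # string named in the brief
    # Miasma payload markers are not listed in the brief; add them here from your
    # threat-intel feed rather than guessing at byte patterns.
)
KNOWN_BAD_VERSIONS = {"@bitwarden/cli": {"2026.4.0"}}
AFFECTED_SCOPES = ("@redhat-cloud-services/",)     # 32 packages in this namespace


def scan_index_js(node_modules: Path) -> list[dict]:
    """Flag oversized index.js files and files carrying a known marker string."""
    findings = []
    for path in node_modules.rglob("index.js"):
        if not path.is_file():
            continue
        size = path.stat().st_size
        if size > SIZE_THRESHOLD_BYTES:
            findings.append({"type": "size_anomaly", "path": str(path), "size": size})
        data = path.read_bytes()
        for marker in MARKER_STRINGS:
            if marker in data:
                findings.append({"type": "marker", "path": str(path), "marker": marker.decode()})
    return findings


def scan_lockfile(lock_path: Path) -> list[dict]:
    """Check resolved versions in a v2/v3 package-lock.json against the brief's IoCs."""
    lock = json.loads(lock_path.read_text())
    findings = []
    for key, meta in lock.get("packages", {}).items():
        if not key:                                 # "" is the root project entry
            continue
        name = key.split("node_modules/")[-1]       # handles nested node_modules paths
        version = meta.get("version", "")
        if version in KNOWN_BAD_VERSIONS.get(name, set()):
            findings.append({"type": "known_bad_version", "package": name, "version": version})
        if name.startswith(AFFECTED_SCOPES):
            findings.append({"type": "affected_scope", "package": name, "version": version})
    return findings


def scan_project(root: Path) -> list[dict]:
    """Run both scans over a project checkout and return all findings."""
    findings = scan_index_js(root / "node_modules")
    lock = root / "package-lock.json"
    if lock.exists():
        findings.extend(scan_lockfile(lock))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample project: one clean package, one that trips every check."""
    clean = root / "node_modules" / "example-clean-pkg"
    clean.mkdir(parents=True)
    (clean / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")
    bad = root / "node_modules" / "@example" / "compromised-pkg"   # invented name
    bad.mkdir(parents=True)
    # Padding pushes the file just past 1 MB to mimic the reported size jump.
    filler = b"var _0x=[];" * (SIZE_THRESHOLD_BYTES // 11 + 1)
    (bad / "index.js").write_bytes(b"/* Shai-Hulud: The Third Coming */\n" + filler)
    lock = {"name": "sample-app", "lockfileVersion": 3, "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/example-clean-pkg": {"version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/@redhat-cloud-services/example-pkg": {"version": "0.0.0-placeholder"},
    }}
    (root / "package-lock.json").write_text(json.dumps(lock))


def demo() -> list[dict]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_project(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real checkout with `scan_project(Path("path/to/repo"))`; the size threshold is a coarse signal, so treat a size_anomaly hit as a trigger for manual review of the file and its publish history rather than as confirmation on its own.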
Context
Previous Campaigns: Shai-Hulud worm (September 2025, watershed incident); Shai-Hulud 2.0 / 'The Third Coming' (April 22, 2026); Mini Shai-Hulud (April 29, 2026); Axios compromise (March 2026, npm token theft); Chalk/Debug compromises; TanStack GitHub Actions compromise (May 11, 2026)
Similar Attacks: Multi-stage payload deployment with dormant 'sleeper' dependencies; infrastructure-level persistence via CI/CD pipeline embedding; wormable propagation via stolen developer credentials