VerifiVerifi Security
Back to blog
Threat Intelligence

Mini Shai-Hulud: The Self-Replicating npm Worm That Should Change How You Think About Dependencies

Verifi Research Labs· 20 May 2026· 7 min read

If you follow npm security, you already know the Shai-Hulud name. If you do not, here is the short version: since September 2025, a financially motivated threat group known as TeamPCP has run a series of increasingly sophisticated self-propagating worm campaigns against the npm ecosystem, each one named after the sandworms from Frank Herbert's Dune. The latest variant, Mini Shai-Hulud, is active now. It targets SAP packages, TanStack libraries and agentic AI tools, and it is the fourth campaign in the series.

This is not a theoretical risk. It is a running incident.

The Lineage

The original Shai-Hulud campaign launched in September 2025 with the compromise of @ctrl/tinycolor and approximately 40 downstream packages. Within a week it had spread to over 500 npm packages, including packages published by CrowdStrike. CISA issued a public alert on 23 September 2025. Researchers at StepSecurity observed more than a thousand valid GitHub tokens, multiple sets of cloud credentials and npm tokens, and around twenty thousand files exfiltrated across the campaign.

The November 2025 variant, Shai-Hulud 2.0, documented by Datadog's Security Labs, introduced a dead man's switch mechanism. The December re-emergence followed an incomplete cleanup by the ecosystem.

Mini Shai-Hulud is the May 2026 evolution. Same threat group, same core technique, new target surface.

How It Works

The attack mechanism is consistent across Shai-Hulud variants and is worth understanding in detail, because it exploits patterns that are endemic to how modern development teams work.

Initial access via credential theft. The worm uses a bundled copy of TruffleHog, a legitimate open-source secret scanner, to sweep the host environment for tokens. It looks for GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and similar credentials. These are commonly present in developer environments and CI/CD build agents by design.

Package injection. Once it has a valid npm token, the worm downloads the target package, unpacks the tarball, replaces or creates the package's bundle.js with its own malicious version, and re-publishes. It adds a postinstall script to package.json so the payload executes automatically during npm install on any machine that subsequently pulls the infected version.

CI/CD persistence. If the worm finds a GitHub personal access token with write access, it authenticates to the GitHub API, enumerates accessible repositories, and injects a malicious GitHub Actions workflow into .github/workflows/. This workflow persists independently of the initial host. Every future CI run can trigger a new exfiltration cycle from within the pipeline, where secrets and artefacts are available by design.

Cross-ecosystem propagation. Mini Shai-Hulud extends this to PyPI. If the worm discovers PyPI credentials, it applies the same self-propagation logic to Python packages. One compromised developer environment can seed multiple registries.

Repository hijacking. With stolen GitHub tokens, the campaign has cloned private repositories to attacker-controlled accounts, created new branches, deployed malicious workflows and, in several documented cases, made private repositories public, exposing full commit history.

Palo Alto Networks' Unit 42 assessed with moderate confidence that the malicious scripts show signs of AI-assisted generation, a pattern also observed in the related s1ngularity campaign that preceded Shai-Hulud.

What Mini Shai-Hulud Is Targeting

The September 2025 campaign targeted general-purpose JavaScript infrastructure: colour utilities, Angular packages, broadly used libraries. Mini Shai-Hulud shifts to higher-value targets.

SAP ecosystem packages represent access to enterprise back-office systems. TanStack libraries are embedded in a significant proportion of modern React applications. Agentic AI tooling, including packages like LiteLLM that sit between application code and LLM APIs, represents a newer but rapidly growing attack surface where a compromised package could intercept API keys, model outputs and sensitive prompts.

The security tooling ecosystem has not been spared. The campaign has compromised packages associated with Trivy, Aqua Security and Checkmarx, tools that organisations rely on for supply chain defence. Compromising the defenders' tooling is a deliberate escalation.

The Structural Problem This Exposes

The Shai-Hulud series illustrates something that the security industry has been slow to confront: the combination of self-propagation and CI/CD persistence means that the window between a package being infected and the infection spreading across an estate is measured in hours, not days.

Traditional vulnerability management assumes a relatively static threat. A CVE is published, scanners pick it up, teams triage and patch. The timelines are slow, but the threat is also slow. A self-propagating worm that spreads via postinstall hooks and injects itself into CI/CD pipelines is not slow. By the time your scanner has filed a ticket, the worm may already have credentials from three build agents and published a new infected version upstream.

This is a time problem. The attack surface is your entire dependency graph. The blast radius expands automatically. The only meaningful response metric is how fast you can contain it.

Immediate Mitigations

The community recommendations from CISA, Socket.dev, GitLab and others are consistent:

Pin dependency versions in package-lock.json and yarn.lock to releases predating the campaign. Immediately rotate all developer credentials, especially npm tokens, GitHub personal access tokens and cloud provider keys. Enforce phishing-resistant MFA on all accounts with registry publish permissions. Audit CI/CD pipelines for unauthorised workflow files in .github/workflows/. Block outbound connections to webhook.site domains, which the campaign uses for exfiltration. Enable GitHub Secret Scanning and Dependabot on all repositories.

These are the right steps. But they are manual, and at enterprise scale, executing them across hundreds of repositories in hours rather than days requires orchestration that most teams do not have.

Where Orchestration Changes the Outcome

The detection signal for Mini Shai-Hulud exists. Socket.dev has it. Your SCA scanner will flag the affected packages. The CISA alert is public.

The bottleneck is not detection. It is the time it takes to turn detection into containment and remediation across your full estate.

Verifi is built for exactly this situation. When a package is flagged, Verifi immediately maps which repositories are consuming it, which teams own those repositories, and what the remediation looks like. It creates the pull requests, routes them to the right owners, tracks completion and verifies the fix across every affected codebase. It prevents the same package from being re-introduced in the next sprint.

The Shai-Hulud campaigns have now run for eight months. They are not stopping. The organisations that come out of this in a better position will be the ones that treated the first incident as a forcing function to build automated, orchestrated dependency hygiene into their workflows, not the ones that manually triaged the same finding across two hundred repositories.

Time to contain is the metric that matters now. Everything else is noise.

Related
More from the blog
Opinion

Adversaries Are Publishing at Scale. Speed Is Now the Only Defence.

Opinion

H2 2026: Packages Are the New Phishing Email, and Your Secrets Are the Target