{"id":8632,"date":"2026-05-12T16:38:44","date_gmt":"2026-05-12T21:38:44","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88980"},"modified":"2026-05-12T16:38:44","modified_gmt":"2026-05-12T21:38:44","slug":"mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/05\/12\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack\/","title":{"rendered":"\u2018Mini Shai-Hulud\u2019 malware compromises hundreds of open-source packages in sprawling supply-chain attack"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ --> <title>\u2018Mini Shai-Hulud\u2019 malware compromises hundreds of open-source packages in sprawling supply-chain attack | CyberScoop<\/title> <meta name=\"description\" content=\"A sprawling supply-chain attack dubbed &quot;Mini Shai-Hulud&quot; has compromised hundreds of open-source packages, including TanStack and MistralAI. 
By hijacking automated CI\/CD pipelines and spoofing digital signatures, the TeamPCP-linked malware successfully bypassed 2FA to steal cloud credentials and extort developers across major registries.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/mini-shai-hulud-supply-chain-malware-attack\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"\u2018Mini Shai-Hulud\u2019 malware compromises hundreds of open-source packages in sprawling supply-chain attack\"> <meta property=\"og:description\" content=\"A sprawling supply-chain attack dubbed &quot;Mini Shai-Hulud&quot; has compromised hundreds of open-source packages, including TanStack and MistralAI. By hijacking automated CI\/CD pipelines and spoofing digital signatures, the TeamPCP-linked malware successfully bypassed 2FA to steal cloud credentials and extort developers across major registries.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/mini-shai-hulud-supply-chain-malware-attack\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-05-12T21:38:44+00:00\"> <meta property=\"article:modified_time\" content=\"2026-05-12T21:38:47+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg\"> <meta property=\"og:image:width\" content=\"2015\"> <meta property=\"og:image:height\" content=\"1488\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. 
--> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1778262878g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1778005960g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88980\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88980\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmini-shai-hulud-supply-chain-malware-attack%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmini-shai-hulud-supply-chain-malware-attack%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link 
rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88980 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/mini-shai-hulud-supply-chain-malware-attack\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" 
readability=\"26.08085106383\">\n<div class=\"single-article__header-content\" readability=\"35.698901098901\">\n<p> The campaign hit major registries and hid behind legitimate-looking release signatures, showing how attackers can weaponize the software update process itself. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88980\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"473\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack.jpg?resize=640%2C473&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg 2015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=300,222 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=768,567 768w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=1024,756 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=1536,1134 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=600,443 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=228,168 228w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=456,337 456w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=914,675 914w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-2.jpg?resize=1142,843 1142w\" sizes=\"(max-width: 914px) 100vw, 914px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"73.855310647074\"><body readability=\"149.91900617631\"><\/p>\n<p>A rapidly spreading malware campaign has infected hundreds of software packages across major open-source registries, embedding credential-stealing code into development tools downloaded millions of times a week.<\/p>\n<p>The attack, referred to as \u201cmini Shai-Hulud,\u201d targeted prominent software libraries, including TanStack, UiPath, and MistralAI. 
TanStack\u2019s React Router package alone accounts for more than 12 million weekly downloads, placing the malicious code deep within the software supply chain of modern enterprise applications.<\/p>\n<p><a href=\"https:\/\/tanstack.com\/blog\/npm-supply-chain-compromise-postmortem\">In a blog post<\/a>, TanStack said security teams have pulled all compromised software versions from the registry. While there is no evidence that registry passwords were stolen, experts urge anyone who downloaded the affected tools Monday to immediately change all connected cloud, server, and developer credentials \u2014 including Amazon Web Services, Google Cloud, and GitHub.<\/p>\n<p>The incident highlights a systemic vulnerability in automated software publishing. The compromised updates successfully bypassed two-factor authentication and carried cryptographically valid provenance signatures. These signatures verified that the packages originated from the correct continuous integration pipelines, but failed to detect that the pipelines themselves had been manipulated to authorize malicious code.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Security researchers attribute the campaign to TeamPCP, a cloud-focused cybercriminal group that emerged in late 2025 and specializes in automating supply-chain attacks and exploiting cloud-native infrastructure, including Docker and Kubernetes environments. 
The group, alleged to be responsible <a href=\"https:\/\/cyberscoop.com\/supply-chain-attack-shai-hulud-npm\/\">for earlier development of Shai Hulud<\/a>, quietly slips their malware into trusted software updates, allowing them to infect thousands of companies at once without triggering security alarms.&nbsp;<\/p>\n<p>The group is notorious for its advanced ability to hide its tracks \u2014 such as disguising stolen data as anonymous messaging traffic \u2014 and its aggressive extortion tactics, which include threatening to completely erase victims\u2019 computers if they attempt to remove the hackers\u2019 access.<\/p>\n<p>Attackers triggered the automated release process using an \u201corphaned commit\u201d \u2014 code pushed to a repository fork without a corresponding branch. This allowed them to exploit overly broad permissions in GitHub Actions workflows. The malware was then delivered via a concealed dependency that fetched a heavily obfuscated 2.3-megabyte payload disguised as an initialization module.<\/p>\n<p>Upon execution, the malware uses Bun \u2014 a high-speed software engine designed to run JavaScript \u2014 to systematically steal security keys and passwords. It targets high-level cloud infrastructure, including AWS, Google Cloud Platform, Kubernetes, and HashiCorp Vault. The code is engineered to infiltrate highly secure Amazon cloud networks. At the same time, it scours the developer\u2019s local computer for secret files and SSH keys used to unlock other corporate systems.<\/p>\n<p>Operating as a self-propagating worm, it publishes copies of itself to those projects, spoofing its activity to appear as automated commits from the Anthropic Claude bot. 
In a secondary extortion measure, the malware generates a new registry token containing a ransom note in its description, threatening a destructive computer wipe if the victim attempts to revoke the compromised access.<\/p>\n<p>Despite the malware\u2019s properties, researchers told CyberScoop they have not seen it spread.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe saw very limited community spread,\u201d said Charlie Eriksen, a security researcher with application security firm Aikido Security.<\/p>\n<p>To maintain continuous access to developer workstations, the malware embeds itself into the configuration files of popular developer tools, notably Visual Studio Code and Anthropic\u2019s Claude Code. This ensures the malicious scripts execute automatically every time a developer opens a project or initiates an AI coding session.<\/p>\n<p>Stephen Thoemmes, senior developer advocate at Snyk, told CyberScoop this is a particular blind spot for these types of attacks.&nbsp;<\/p>\n<p>\u201cDirectories like .claude\/ and .vscode\/ are typically excluded from version control via .gitignore and are rarely scrutinized as viable attack surfaces,\u201d Thoemmes said. \u201cWhile these hook and task systems provide valuable automation for legitimate work, they offer a silent execution environment for malicious code. To counter this, developers must move away from treating these local configurations as benign and begin applying the same rigorous security auditing to their tooling directories as they would to their production infrastructure.\u201d<\/p>\n<p>To avoid detection, the stolen data is exfiltrated using Session \u2014 an anonymous messaging app that bounces data across a decentralized network. By disguising the theft as ordinary, encrypted chat traffic, the hackers blend in with normal network activity. 
This allows the attackers to completely ditch the traditional \u201ccommand\u201d servers that corporate security teams usually hunt for and block.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The success of the \u201cMini Shai-Hulud\u201d campaign exposes a major blind spot in software security: Current defenses check where an update comes from, but not whether the code inside is actually safe. By hijacking the developers\u2019 own automated systems, attackers were able to stamp their malware with official digital signatures \u2014 proving that attackers can bypass modern safeguards simply by turning a company\u2019s own tools against them.<\/p>\n<p>Socket CEO Feross Aboukhadijeh told CyberScoop that organizations should look for signs that a compromised package version was installed in CI\/CD or developer environments, unexpected outbound connections to campaign infrastructure, suspicious changes in package lockfiles, unusual package publishes from their own maintainers or CI systems, and persistence artifacts in developer tooling directories.&nbsp;<\/p>\n<p>\u201cThere is no single centralized kill switch for this kind of campaign,\u201d Aboukhadijeh said. \u201cThe hard part is that by the time a malicious package is confirmed, it may already have been installed inside the exact environments attackers want most: developer machines and CI runners. You can pull a package from the registry, but you cannot automatically pull back the credentials it may have already stolen.\u201d<\/p>\n<p>While these packages are maintained by volunteers, Eriksen said the incident is a huge issue for enterprises due to how many development teams use the software in their products and services.&nbsp;<\/p>\n<p>\u201cThis is not a \u2018volunteer\u2019 vs corporate thing,\u201d Eriksen told CyberScoop. 
\u201cThis is an all-of-society problem.\u201d<\/p>\n<p>Aboukhadijeh told CyberScoop that these continuing attacks on popular open-source software packages are part of \u201ca larger reckoning over how the software industry consumes open source.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThis campaign shows how thin the line has become between a developer tool and critical infrastructure,\u201d he said. \u201cWhen attackers compromise tools that are already trusted inside build systems, they do not have to break into every company directly. They can ride the trust those tools already have.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6611374407583\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/mini-shai-hulud-malware-compromises-hundreds-of-open-source-packages-in-sprawling-supply-chain-attack-1.jpg?w=640&#038;ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News &amp; World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/mini-shai-hulud-supply-chain-malware-attack\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u2018Mini Shai-Hulud\u2019 malware compromises hundreds of open-source packages in sprawling<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,3548,384,5419,78,6597,3875,3288,6598,6599,3876,1813,288],"tags":[236,3561,388,5429,86,6600,3877,3290,6601,6602,3878,1814,294],"class_list":["post-8632","post","type-post","status-publish","format-standard","hentry","category-ai","category-aikido-security","category-artificial-intelligence-ai","category-ci-cd","category-cybersecurity","category-mini-shai-hulud","category-npm","category-open-source-software","category-shai-hulud","category-snyk","category-socket","category-supply-chain","category-threats","tag-ai","tag-aikido-security","tag-artificial-intelligence-ai","tag-ci-cd","tag-cybersecurity","tag-mini-shai-hulud","tag-npm","tag-open-source-software","tag-shai-hulud","tag-snyk","tag-socket","tag-supply-chain","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aikido-security\/\" rel=\"category tag\">Aikido Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence-ai\/\" rel=\"category tag\">artificial intelligence (AI)<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ci-cd\/\" rel=\"category tag\">CI\/CD<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mini-shai-hulud\/\" rel=\"category tag\">mini shai hulud<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/npm\/\" rel=\"category tag\">npm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source-software\/\" rel=\"category tag\">open source software<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/shai-hulud\/\" rel=\"category tag\">Shai Hulud<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/snyk\/\" rel=\"category tag\">snyk<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/socket\/\" rel=\"category tag\">Socket<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain\/\" rel=\"category tag\">supply chain<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8632"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8632\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}