Mini Shai-Hulud Worm Hits npm Again, Compromising 314 Packages

· via Hacker News

Original source: Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised (Hacker News)

A second wave of the self-propagating Shai-Hulud worm has torn through the npm registry, infecting 314 packages in a coordinated supply-chain attack. The malware spreads by harvesting credentials from compromised maintainer environments and using them to publish trojanized versions of additional packages those maintainers control, creating a chain reaction across the ecosystem.

This variant, dubbed ‘Mini Shai-Hulud,’ is a leaner follow-up to the original campaign that rattled the JavaScript ecosystem earlier. It continues the pattern of weaponizing maintainer tokens and CI secrets to escalate reach without needing fresh initial access for each target, exploiting npm’s transitive trust model.

The incident reinforces how brittle the npm publishing pipeline remains against credential theft and how quickly a single compromised maintainer can cascade into hundreds of downstream packages. Defenders are being urged to audit dependencies, rotate tokens, and enforce 2FA and provenance attestations on publish workflows.
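One concrete form of the dependency audit the summary calls for is a scan of a project's package-lock.json against a list of known-compromised name/version pairs. The script below is an added example, not code from the article or from any npm tooling; the advisory entries and the sample lockfile are constructed placeholders, and the lockfile layout assumed is npm's v2/v3 `packages` map, where nested duplicates appear as `node_modules/a/node_modules/b`.

```python
import json

# Constructed advisory list with placeholder names: NOT real compromised packages.
# Replace with the indicator list published for the incident you are responding to.
COMPROMISED = {
    "example-left-pad": {"1.3.1", "1.3.2"},
    "example-colors-util": {"2.0.5"},
}


def package_name(path):
    """Derive the package name from a package-lock v2/v3 'packages' key.
    'node_modules/@scope/a/node_modules/b' -> 'b'; '' is the root project."""
    if path == "":
        return None
    return path.rsplit("node_modules/", 1)[-1]


def find_compromised(lock, advisory=COMPROMISED):
    """Return [(lock path, name, version)] for every installed copy whose
    name/version pair is in the advisory, including nested duplicate copies
    that a flat 'npm ls' view can hide."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = package_name(path)
        if name is None:
            continue
        if meta.get("version") in advisory.get(name, set()):
            hits.append((path, name, meta["version"]))
    return hits


# Constructed sample lockfile (v3 layout): one clean copy, two compromised copies.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-left-pad": {"version": "1.3.0"},
        "node_modules/example-colors-util": {"version": "2.0.5"},
        "node_modules/some-cli/node_modules/example-left-pad": {"version": "1.3.2"},
    },
}


def audit_lockfile(path=None):
    """Audit a real package-lock.json at `path`, or the embedded sample if None."""
    lock = json.load(open(path)) if path else SAMPLE_LOCK
    return find_compromised(lock)


if __name__ == "__main__":
    for lock_path, name, version in audit_lockfile():
        print(f"COMPROMISED {name}@{version} at {lock_path}")
```

A hit on any line means the package has already run on the machine that installed it, so the response is credential rotation for that environment, not just a version bump.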


This is an AI-generated summary. Read the original for the full story.