
Open-Source Supply Chain Attack Sweeps npm, PyPI, Docker in 48 Hours

In May 2026, a worm named Mini Shai-Hulud poisoned npm, PyPI, and Docker Hub packages, stole 3,800 GitHub repositories, and exposed the open-source supply chain's biggest vulnerability: real signing keys can belong to fake publishers.

[Figure: diagram of how the Shai-Hulud worm propagates through npm package dependencies and build pipelines. Source: paloaltonetworks.com]

On May 11, 2026, a self-replicating worm called Mini Shai-Hulud slipped quietly into 42 widely used TanStack open-source packages, corrupting 84 npm artifacts before anyone noticed. Within hours, the malware had spread through build pipelines at OpenAI, Mistral AI, and UiPath, as MSN reported on May 16. By the time security teams understood what they were looking at, the attack surface had already expanded across two package registries and into the internal networks of three of the most visible AI companies on the planet. The worm was not especially novel in its techniques. What distinguished it was the velocity of its propagation and the fact that it arrived bearing valid cryptographic signatures, clearing every automated trust check the ecosystem had put in place.

Three days later, the situation compounded. On May 19, attackers uploaded poisoned packages to npm, PyPI, and Docker Hub within a span of roughly 48 hours, MSN reported. All three campaigns targeted the same class of asset: developer cloud credentials and SSH keys. The coordination was not a coincidence. Three separate registries, three separate attack vectors, one objective: exfiltrate the secrets that let an attacker move laterally from a developer's laptop into production infrastructure. Researchers at several firms noted the temporal clustering as evidence of a deliberate campaign rather than opportunistic copycatting.

The attribution picture sharpened quickly. BleepingComputer reported on May 12 that the Shai-Hulud campaign had compromised hundreds of packages across npm and PyPI, delivering credential-stealing malware that specifically targeted developers. The attacker had hijacked valid OpenID Connect tokens to publish signed packages, a technique that allowed the malicious artifacts to pass Sigstore provenance verification without triggering alarm. Bill Toulas, writing for BleepingComputer, noted that the attacker "hijacked valid OpenID Connect tokens," turning the ecosystem's strongest authenticity guarantee into a liability.

"Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers." (BleepingComputer, May 12, 2026)

The worm's reach extended well beyond the initial TanStack vector. By May 12, CSOonline had tallied 170 compromised packages spanning both npm and PyPI. Forcepoint's X-Labs research team published findings on May 18 documenting how the same threat actor, TeamPCP, had turned the widely used LiteLLM Python library into a credential stealer, SiliconANGLE reported. LiteLLM functions as a unified interface to over 100 large language model APIs, meaning developers who integrated it were handling API keys for OpenAI, Anthropic, Google Cloud, AWS, and Microsoft Azure, all of which became extraction targets once the poisoned package was installed.

Then, on May 20, the scope of the compromise took a turn that few in the industry had prepared for. BleepingComputer reported that GitHub had confirmed a breach of roughly 3,800 internal repositories. The entry point was not a zero-day in GitHub's infrastructure. It was a single employee who installed a poisoned version of the Nx Console Visual Studio Code extension, a tool compromised during the TanStack supply-chain attack the week prior. The extension acted as a loader, pulling down second-stage malware that gave TeamPCP persistent access to GitHub's internal code repositories.

SiliconANGLE confirmed the details on May 20, writing that "hackers exfiltrated roughly 3,800 of GitHub Inc.'s internal code repositories after one of its employees installed a poisoned Visual Studio Code extension, the Microsoft Corp.-owned developer platform confirmed." The language is precise: an employee installed an extension. One browser tab, one click on "Install," and a criminal group was inside the house of the world's largest code host. The breach did not require lateral movement through a complex network. The developer's own authenticated session was the network.

Within days, TeamPCP had listed the stolen repositories for auction on a dark-web forum at a minimum price of $50,000, MSN reported on May 27. The auction was not merely extortion. It signaled that the attackers believed the exfiltrated code had independent market value, likely to other threat actors interested in finding additional vulnerabilities in GitHub's own infrastructure or in the tools GitHub builds.

The provenance paradox: when signed packages lie

One of the most destabilizing revelations of the May 2026 attacks concerned Sigstore, the open-source project that npm and PyPI had adopted to give developers cryptographic assurance that a package came from the source it claimed to come from. On May 19, the same day the three-registry blitz peaked, 633 malicious npm package versions successfully passed Sigstore provenance verification. VentureBeat reported that they were cleared because the attacker had generated valid signing certificates from compromised OpenID Connect identities. The signing keys were real. The identity was not. The system had worked exactly as designed, and exactly as designed, it had failed.

This is the provenance paradox in its clearest form. Provenance tells a consumer that a package was published by a specific identity at a specific time from a specific source repository. It does not, and cannot, tell the consumer whether that identity was itself compromised. If an attacker steals a maintainer's GitHub credentials, generates a valid OIDC token, and publishes a signed package through the maintainer's own CI pipeline, the signature is indistinguishable from a legitimate release. The security community had spent years building a system that answered the question "who published this?" while the attackers had moved on to the question "can I become the who?"

The Shai-Hulud attacks exploited this gap methodically. The worm did not need to bypass Sigstore. It used Sigstore. Each poisoned package carried a valid attestation, which meant downstream automated scanners, policy engines, and even manual reviewers saw the green checkmark and moved on. The attack inverted the trust model: the stronger the provenance guarantee looked, the more effectively it concealed the intrusion.

What the registries did next

GitHub responded on May 22, shipping staged publishing as a generally available feature for all npm packages, TechTimes reported on May 26. The feature inserts a mandatory two-factor authentication checkpoint between the moment a package is published and the moment it becomes available for installation. Even if an attacker obtains valid publishing credentials, a human must approve the publication through a second factor before the package is served to consumers. It is an air gap implemented in process rather than in cryptography.

Shortly after, on June 13, npm v12 was announced with a broader security overhaul, TechTimes reported, blocking install scripts, Git dependencies, and remote URL sources by default. The change, scheduled to take effect in July 2026, targets a vector that the Shai-Hulud worm had exploited heavily: the ability of a package's post-install script to execute arbitrary code on a developer's machine the moment npm install completes. Every team running npm install in CI will need to migrate their workflows. The deadline is tight. The alternative is staying on a default configuration that the industry now knows to be actively dangerous.
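A consumer-side gate that treats a valid signature as necessary but not sufficient, covering both the provenance paradox described above and the install-script and git-dependency defaults npm v12 adopts. This is an added example written for this article, not code from npm, Sigstore, or any vendor named here; the attestation fields, package names and policy values are assumed.

```javascript
// Added example, not code from the article, npm or Sigstore. The attestation
// objects are simplified, constructed stand-ins for an already-verified
// provenance statement; assume signature checking happened upstream.

// Consumer-side pins for each package's expected publisher (assumed values).
const PUBLISHER_POLICY = {
  "example-lib": {
    sourceRepo: "github.com/example-org/example-lib",
    issuer: "https://token.actions.githubusercontent.com",
    workflow: ".github/workflows/release.yml",
  },
};
// Lifecycle hooks npm runs when installing a dependency from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Reasons to hold a release whose signature is valid: the signature says who
// published; these checks ask whether that "who" and the package contents
// still match what the consumer pinned.
function gateRelease(pkgName, attestation, manifest) {
  const findings = [];
  const expected = PUBLISHER_POLICY[pkgName];
  if (!expected) {
    findings.push(`no pinned publisher policy for ${pkgName}`);
  } else {
    for (const f of ["sourceRepo", "issuer", "workflow"]) {
      if (attestation[f] !== expected[f]) findings.push(`${f} drift: ${attestation[f]}`);
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (manifest.scripts && manifest.scripts[hook]) findings.push(`install-time script: ${hook}`);
  }
  // Git and remote URL specs bypass the registry and its provenance entirely.
  for (const [dep, spec] of Object.entries(manifest.dependencies || {})) {
    if (/^(git\+|git:|github:|https?:)/.test(spec)) findings.push(`non-registry dependency: ${dep}`);
  }
  return findings;
}

// Constructed sample releases: one clean, one published from a different
// workflow file that also adds a postinstall hook and a git dependency.
const GOOD_ATTESTATION = { sourceRepo: "github.com/example-org/example-lib",
  issuer: "https://token.actions.githubusercontent.com", workflow: ".github/workflows/release.yml" };
const CLEAN_MANIFEST = { name: "example-lib", version: "1.4.0",
  scripts: { test: "node test.js" }, dependencies: { "some-dep": "^1.0.0" } };
const SUSPECT_ATTESTATION = { ...GOOD_ATTESTATION, workflow: ".github/workflows/ci.yml" };
const SUSPECT_MANIFEST = { name: "example-lib", version: "1.4.1",
  scripts: { postinstall: "node setup.js" }, dependencies: { helper: "git+https://example.invalid/h.git" } };
console.log(gateRelease("example-lib", GOOD_ATTESTATION, CLEAN_MANIFEST));      // prints []
console.log(gateRelease("example-lib", SUSPECT_ATTESTATION, SUSPECT_MANIFEST)); // prints 3 findings
```

A release that arrives through the unchanged workflow with no new hooks still passes this gate, which is exactly the case the staged-publishing second-factor hold described above is meant to catch.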

The attacks did not stop while the registries recalibrated. On June 1, a separate campaign named Miasma compromised 32 official packages under Red Hat's @redhat-cloud-services namespace, TechTimes reported on June 5. Fifty-seven additional packages followed. The Miasma worm injected a self-propagating credential-stealing payload that spread through the same pipeline-hijacking techniques TeamPCP had refined. Signed attestations, once again, could not block the attack because the attacker was publishing through the legitimate maintainer's own infrastructure.

By late May, the AntV data visualization library, a charting toolkit used in countless enterprise dashboards, became the latest high-profile target, InfoWorld reported on May 19. The attackers had by then refined their method to the point where a new wave could be launched within hours of a previous wave being detected and delisted. The registries were playing whack-a-mole against an opponent that could publish faster than they could remove.

On June 8, cloud security firm Minimus announced the general availability of two new capabilities: Minimus Supply Chain Protection, a proxy that sits between developer environments and public registries, and minicli, a command-line tool for managing container images as code. Computerworld reported that the tools introduce "a unified approach to managing third-party software risks and container image configurations." The proxy model is notable because it shifts the security checkpoint from the registry to the consumer: rather than trusting that a package is safe because the registry says it is, the consumer's own infrastructure inspects, attests, and gates every dependency before it reaches a build environment. It is an acknowledgement that registry-side trust has been broken and may take years to rebuild.

"The two new capabilities are designed to help enterprise engineering teams secure open-source software dependencies and manage custom container architectures through automated, code-based workflows." (TechCrunch, reporting on the Minimus launch, June 9, 2026)

Minimus is not the only vendor pivoting toward consumer-side enforcement, but its timing is instructive. The product launch came less than a month after the GitHub breach and three weeks after the three-registry blitz. The industry's response cycle is compressing, from months of post-mortem analysis to weeks of product shipping. Whether the tools arrive fast enough to matter is a separate question.

Taken together, these failures do not reveal that any single registry is insecure. They reveal that the architecture of trust in open-source package management was built for a threat model in which attackers submit malicious packages under new, throwaway identities. That threat model is obsolete. TeamPCP demonstrated that an attacker who compromises a single maintainer account, or a single developer's IDE extension, can publish malicious updates that are cryptographically indistinguishable from legitimate ones, propagate them automatically through dependency trees, and reach production environments within hours. The registries were not designed to detect an attacker who looks exactly like the maintainer.

Residual risk remains high in several areas. Container base images, which were among the three registry targets in the May 19 blitz, have received less regulatory attention than npm and PyPI, despite being foundational to most cloud deployments. The Docker Hub attack demonstrated that poisoned base images can introduce compromise at a layer below the application, invisible to most application-security tooling. And the GitHub breach demonstrated that the blast radius of a supply-chain attack now routinely includes the tools used to build and distribute software, not just the software itself. An attacker who compromises a code host compromises every project hosted on it.

The next checkpoint to watch for is July 2026, when npm v12's install-script block becomes the default. Migration will be chaotic, and attackers will almost certainly test the new boundary within the first 72 hours. The question is not whether they will find gaps, but whether the gaps they find will be narrow enough to contain. The industry spent the first half of 2026 learning that trust signals can be counterfeited. The second half will determine whether anyone can build a signal that cannot.
