Supply-Chain Worm Poisons 160 Packages Across npm, PyPI, Docker Hub in 48 Hours
A self-replicating supply-chain worm infected 160 packages, stole credentials from OpenAI and Mistral builds, and triggered a month of emergency registry overhauls.
techcrunch.com
On May 11, 2026, a self-replicating worm called Mini Shai-Hulud quietly slipped into 42 widely used TanStack open-source packages on the npm registry, corrupting 84 artifacts before anyone noticed. Within hours, according to MSN reporting, the malware had spread through build pipelines at OpenAI, Mistral AI, and UiPath, ultimately poisoning 160 packages across both npm and PyPI. This was not a test. It was the opening salvo of a five-week campaign that would force GitHub, Red Hat, and every major software registry to rewrite their security assumptions.
The TanStack intrusion was the most consequential single supply-chain compromise of 2026 to date, but it was only the first of several. Within 10 days, three separate attacks would hit npm, PyPI, and Docker Hub within a span of roughly 48 hours, each targeting the same prize: developer cloud credentials and SSH keys. By mid-June, the attack surface had expanded to include the Arch User Repository and Microsoft's own code repositories, making the spring of 2026 the most concentrated period of registry-level supply-chain attacks ever recorded.
The worm was named after the sandworms of Frank Herbert's Dune, a nod to its self-propagating design. According to BleepingComputer, which first reported OpenAI's confirmation of the breach on May 14, the malware exfiltrated credential material from internal code repositories after compromising two employee devices. OpenAI rotated its code-signing certificates as a precaution and said no customer data was affected. The company's disclosure was terse: a security notice confirming the breach, the rotation, and little else. It did not name the two employees, specify which repositories were accessed, or explain how the poisoned packages reached developer workstations in the first place.
The attack vector was classic supply-chain tradecraft with one important escalation. The Mini Shai-Hulud worm did not merely sit inside a compromised package waiting for a developer to run npm install. It used the package's post-install scripts to extract environment variables, SSH keys, and cloud credentials from the host machine, then rewrote its own manifest to spread to other packages the developer had publish access to. It was a worm that used the registry as its propagation medium, and it worked because the npm trust model, at that moment, had no checkpoint between a publish action and the package becoming available to millions of downstream consumers.
The disclosure timeline is instructive. The worm entered npm on May 11. On May 14, OpenAI confirmed its breach. On May 16, MSN reported the total had reached 160 packages and named Mistral AI and UiPath as additional victims. On May 19, cybersecurity firms StepSecurity and SafeDep warned of a new wave, and TechCrunch reported that hackers had compromised dozens of popular open-source packages in what it described as an ongoing attack. That same day, BleepingComputer reported that more than 600 malicious packages had been published to npm in a fresh Shai-Hulud campaign.
The second wave, the one documented by StepSecurity and SafeDep, hit all three major registries within 48 hours around the last week of May. The attackers used different entry points in each case but targeted the same data: cloud credentials and SSH keys stored in developer environments. MSN reported that the poisoned packages on Docker Hub included base images that had been downloaded thousands of times before removal. The coordination suggested either a single group with multi-registry capability or multiple groups operating from a shared playbook.
GitHub's response came on May 22, six days after the TanStack scope became public. The company shipped staged publishing, a feature that inserts a mandatory two-factor authentication checkpoint between any publish event and the package becoming available on the registry. TechTimes called it the developer security industry's most-requested registry control. The mechanism is conceptually simple: a publish is no longer a single atomic action but a two-step process where the second step requires approval through a second factor. Stolen CI tokens, by themselves, are no longer sufficient to push a malicious package.
The staged publishing feature addressed the specific mechanism the Mini Shai-Hulud worm exploited: the fact that a compromised developer machine with a valid npm token could publish anything, and that publish would be instantly live. But it did not, and could not, address the broader trust problem. A registry is not a code reviewer. It does not inspect what a package does after installation. Staged publishing raises the cost of compromise by requiring an additional authentication factor, but it does nothing to stop a determined attacker who has phished that factor, or who has compromised a maintainer's entire development environment including their authenticator app.
On June 1, the campaign expanded again. Ars Technica reported that official Red Hat npm accounts had been compromised and used to push a malicious worm that spread from machine to machine, stealing credentials in hopes of gaining access to yet more confidential data. More than 30 packages under the @redhat-cloud-services namespace were affected. BleepingComputer confirmed that the malware was a new variant of Shai-Hulud, adapted to gather Google Cloud and Azure identities in addition to the SSH keys and environment variables the original strain targeted.
The Red Hat compromise was particularly damaging because it carried the authority of a trusted enterprise vendor. Developers who pulled @redhat-cloud-services packages had every reason to believe they were getting legitimate infrastructure tooling. The attackers had compromised a Red Hat employee's npm account, giving them publish access to the namespace directly. Red Hat removed the affected packages and rotated credentials, but by then the worm had already spread to an unknown number of downstream machines. Red Hat's public statement, as CSO Online reported, confirmed the employee account breach but did not detail how the account was compromised.
The systemic pattern was becoming clear. Each attack followed the same sequence: compromise a maintainer account or a package with publish access, inject a post-install payload that exfiltrates credentials, use those credentials to compromise more accounts and publish more poisoned packages. The worm was the mechanism. The registry was the distribution channel. The developer workstation was the target. And the ultimate objective was not any single piece of source code. It was the cloud credentials that would allow lateral movement into the infrastructure behind the code.
On June 4, BleepingComputer reported yet another strain: IronWorm, an infostealer that targeted 86 environment variables across 36 npm packages. On June 9, Dark Reading reported a Shai-Hulud variant called Miasma that had burrowed into 73 Microsoft repositories, disrupting CI/CD workflows. On June 16, SecurityWeek reported that at least 1,500 malicious packages had been published to the Arch User Repository in an attack dubbed Atomic Arch. And on June 17, Microsoft's own security blog published a detailed analysis of a separate npm compromise, attributed to the North Korean threat actor Sapphire Sleet, that had infected more than 140 projects through a poisoned Mastra package.
Microsoft's attribution to Sapphire Sleet is significant because it introduces a state-sponsored dimension to what had initially appeared to be financially motivated credential theft. Sapphire Sleet is a North Korean advanced persistent threat group known to target cryptocurrency exchanges and software supply chains for revenue generation. The Mastra compromise, according to Microsoft's analysis, used a hidden post-install payload that was deliberately difficult to detect through static analysis, a technique that requires more engineering investment than a typical commodity infostealer campaign.
What the attacks actually achieved
Despite the volume of compromised packages, public evidence of downstream impact remains limited and asymmetric. OpenAI confirmed a breach but said no customer data was affected. Mistral AI and UiPath have not publicly disclosed the extent of their exposure. Red Hat confirmed the compromise of its npm namespace but has not released a forensic timeline. Microsoft acknowledged Miasma disrupted CI/CD workflows but characterized the impact as operational rather than a data breach. The Atomic Arch campaign flooded the AUR with 1,500 malicious packages, but the AUR's user base is smaller than npm's, and Arch Linux maintainers removed the packages quickly.
What distinguishes 'an attacker could' from 'an attacker did' matters here. In every documented case, the attackers did successfully exfiltrate credentials. They did compromise maintainer accounts. They did publish malicious packages that were downloaded by real developers. They did spread from machine to machine. But what they did not do, as far as the public record shows, is pivot from stolen cloud credentials into large-scale data exfiltration from the cloud environments those credentials unlocked. That gap in the public record could mean the attacks were caught before the final stage. It could also mean the final stage has not yet been discovered.
The systemic version of a single-vendor failure
The most important question these attacks raise is not about any single vendor's response but about the ecosystem's architecture. Every major software registry operates on a trust model that was designed for a world where maintainers were identifiable, packages were reviewed by humans, and the primary threat was accidental bugs, not coordinated credential-theft campaigns. That world no longer exists. The modern software supply chain is automated, transitive, and largely invisible to the developers who depend on it. A single npm install can pull in hundreds of transitive dependencies, any one of which could have been compromised at any point in its maintenance chain.
GitHub's staged publishing addresses one failure mode, the stolen CI token. But it does not address the compromised maintainer account where the attacker also controls the second factor. It does not address the typo-squatted package that a developer installs by mistake. It does not address the legitimate package whose maintainer's machine is compromised, allowing the attacker to push a malicious update through the now-hardened publish flow. And it does not address PyPI, Docker Hub, or the AUR, each of which operates under its own security model with different controls and different gaps.
The researchers at StepSecurity and SafeDep, who flagged the three-registry attack wave, have advocated for a model where package behavior is monitored at runtime, not just inspected at publish time. That approach, sometimes called runtime attestation, would detect a post-install script that reads environment variables and exfiltrates them to an external server, regardless of how the package got published. But runtime attestation is not standard practice in any major registry today, and implementing it at scale would require a level of telemetry that many developers and organizations resist.
What the spring of 2026 demonstrated, with unusual clarity, is that supply-chain attacks have moved from a niche concern to the primary vector for compromising software-producing organizations. The attackers are no longer targeting the application. They are targeting the pipeline that builds the application. And the pipeline, in most organizations, is less defended than the application it produces. This inversion of the traditional security model is the systemic problem that the Mini Shai-Hulud campaign made impossible to ignore.
The malware exfiltrated credential material from internal code repositories after compromising two employee devices.BleepingComputer, summarizing OpenAI's security disclosure on May 14, 2026
The disclosure timeline also points to a second-order problem: the gap between when a compromise happens and when anyone knows about it. The Mini Shai-Hulud worm operated for three days before OpenAI confirmed its breach, and for five days before the full scope of 160 packages became public. The three-registry attack wave was discovered by security firms, not by the registries themselves. The Red Hat compromise was identified by external researchers. In each case, the defenders were reacting to an attack that had already succeeded, often days earlier.
The next checkpoint to watch is whether the major cloud providers will begin treating registry provenance as a condition for accessing their services. If AWS, Azure, and Google Cloud required packages to carry verifiable attestations of their build chain before the cloud credentials those packages request are honored, the credential-theft model would break at its most valuable juncture. No such requirement exists today. The credentials are available, and the registries are open. That is the architecture the attackers are counting on, and so far, it has not let them down.