SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Mini Shai-Hulud worm turns public, NCC Group warns


Fri, 19th Jun 2026
Sofiah Nichole Salivio, News Editor

NCC Group has published an analysis of the Mini Shai-Hulud supply chain worm, warning that the malware has evolved into a publicly available tool for multiple attackers.

Mini Shai-Hulud is the fourth generation of a self-propagating attack that spreads through compromised open-source packages on npm and PyPI. The campaign has affected more than 170 npm packages and two PyPI packages across about 404 malicious versions, with combined weekly downloads exceeding 518 million.

The report links Mini Shai-Hulud with high confidence to the financially motivated group TeamPCP, but notes that attribution is becoming harder as the malware code spreads. According to the analysis, TeamPCP publicly released the worm's source code in May, leading to derivative campaigns including Miasma, which targeted Red Hat Cloud Services npm packages, and Hades, which targeted PyPI.

"What began as a single-actor campaign has now evolved into a publicly accessible offensive capability. As a result, future activity should not be assumed to originate from a single threat actor, and attribution is assessed to become increasingly unreliable," said Dillon Ashmore, tactical threat intelligence analyst at NCC Group.

The campaign is triggered when a developer or automated build environment installs a compromised package. Once active, the malware harvests credentials from the host system and uses them to publish trojanised versions of other packages the victim can access, allowing it to spread without further action from the original attacker.

Stolen credentials can include npm tokens, GitHub personal access tokens, AWS credentials, Kubernetes secrets, SSH keys and HashiCorp Vault tokens. Any system that has run npm install or pip install involving a compromised package version should be treated as fully compromised, NCC Group warned.

How It Spreads

The analysis outlines several delivery methods used in the latest wave. In some cases, attackers used npm preinstall hooks to execute code before installation completed. In others, they used Python startup hooks or files designed to trigger execution through developer tools and coding environments.

One branch of the activity moved beyond package registries by pushing malicious commits directly into GitHub repositories. In that version, the payload was configured to run through developer tools including Claude Code, Gemini CLI, Cursor, VS Code and the npm test script when a developer cloned an affected repository and opened it in an AI coding agent.

This broadening of execution points means defenders can no longer assume malicious activity begins only during package installation. The attack now extends into CI/CD systems, developer workstations and AI-assisted coding tools.

Controls Questioned

A central finding of the report is that common supply chain checks did not stop the attacks. The TanStack and Miasma waves produced malicious packages with valid provenance attestations from legitimate build pipelines, allowing them to pass cryptographic verification even though they contained harmful code.

That matters because organisations increasingly use provenance checks as proof that software was built in a trusted way. The report argues that those checks verify how a package was built, but not whether the build environment itself was clean.

In one example linked to TanStack, the attacker exploited a chain of weaknesses in GitHub Actions. According to NCC Group, the attacker poisoned the GitHub Actions cache, extracted OpenID Connect tokens from runner memory and then published malicious package versions carrying valid SLSA Build Level 3 provenance attestations.

Wiper Risk

The report also warns that Mini Shai-Hulud includes destructive features that complicate incident response. On systems where the malware finds valid GitHub tokens, it can install a background process that checks whether those tokens remain active.

If defenders revoke the tokens before removing the malware's persistence mechanisms, the process can trigger recursive deletion of the user's home directory. All persistence artefacts must be identified and removed before any credential rotation begins, NCC Group said.

Persistence paths highlighted in the report include Linux and macOS service files, local scripts and hooks placed in development environments such as VS Code and Claude settings. The malware can also monitor credentials for up to 24 hours before exiting automatically.

Shift In Defence

NCC Group said the wider lesson is that organisations need to move away from an approach centred on actor-specific indicators and one-off package alerts. Because the source code is now public and copycat campaigns are appearing, defenders should focus on behavioural signs such as credential harvesting, unusual process execution during installs and anomalous package publishing activity.

The report also recommends tighter separation between trusted and untrusted code in CI/CD systems, stronger control over token issuance and closer monitoring of execution routes such as npm lifecycle scripts, Python startup hooks and native build files.
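An illustration of what monitoring those execution routes can look like in practice, added here and not taken from the NCC Group report: the Python sketch below walks a project or virtual-environment directory and lists every npm install-time lifecycle script, native build file and Python startup hook it finds, whether or not it is malicious. The names audit_tree and build_sample_tree and the sample tree itself are constructed for this example.

```python
import json
import os

NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run by `npm install`


def audit_tree(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == "package.json":
                try:
                    with open(path, encoding="utf-8") as fh:
                        manifest = json.load(fh)
                except (OSError, ValueError):
                    findings.append(("unreadable-manifest", rel, ""))
                    continue
                scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
                for hook in NPM_INSTALL_HOOKS:
                    if isinstance(scripts, dict) and hook in scripts:
                        findings.append(("npm-lifecycle", rel, f"{hook}: {scripts[hook]}"))
            elif name == "binding.gyp":
                # With no install or preinstall script, npm runs `node-gyp rebuild` here.
                findings.append(("native-build", rel, "node-gyp rebuild"))
            elif name.endswith(".pth"):
                # site.py executes every .pth line that begins with "import".
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line in fh:
                        if line.startswith(("import ", "import\t")):
                            findings.append(("python-startup", rel, line.strip()))
            elif name in ("sitecustomize.py", "usercustomize.py"):
                findings.append(("python-startup", rel, "imported at interpreter start"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample tree (not real packages) for a dry run."""
    samples = {
        "node_modules/hooked/package.json": '{"scripts": {"preinstall": "node setup.js", "test": "jest"}}',
        "node_modules/clean/package.json": '{"scripts": {"test": "jest"}}',
        "site-packages/paths.pth": "../vendored\n",
        "site-packages/loader.pth": "import loader_mod\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
```

Findings are an inventory to review against an allowlist, since many legitimate packages also use install scripts and .pth files.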

Organisations that rely on open-source software need to treat dependency governance as an ongoing discipline rather than a reactive check after each campaign. "Any system that has executed npm install or pip install involving a compromised package version should be treated as fully compromised."