Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised
A significant security breach has affected 314 npm packages, with the attacker publishing 631 malicious versions in a short span. The compromised packages include popular libraries such as size-sensor and echarts-for-react, which collectively have millions of downloads. The malware is designed to harvest a wide range of credentials and exfiltrate data to public GitHub repositories, posing a serious risk to developers and organizations using these packages.
- The npm account atool was compromised on May 19, 2026.
- The attacker published 631 malicious versions across 314 packages in a 22-minute automated burst.
- The payload harvests credentials across various platforms and exfiltrates data to public GitHub repositories.
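The 22-minute burst described above (hundreds of versions across hundreds of packages from one account) is itself a detectable signal. Below is an added example, not code from the SafeDep article, that flags such bursts from per-package publish timestamps (the shape of the npm registry's `time` metadata); the thresholds, account names and events are constructed for illustration.

```javascript
// Added example (not from the SafeDep article): flag "automated burst" publishing.
// Each event is {publisher, name, version, time}; the sample data is constructed.
const WINDOW_MS = 30 * 60 * 1000; // any 30-minute span of a publisher's timeline
const MIN_VERSIONS = 20;          // versions released inside that span
const MIN_PACKAGES = 10;          // distinct packages released inside that span

function detectPublishBursts(events, opts = {}) {
  const windowMs = opts.windowMs ?? WINDOW_MS;
  const minVersions = opts.minVersions ?? MIN_VERSIONS;
  const minPackages = opts.minPackages ?? MIN_PACKAGES;
  const byPublisher = new Map(); // publish events grouped per publishing account
  for (const ev of events) {
    if (!byPublisher.has(ev.publisher)) byPublisher.set(ev.publisher, []);
    byPublisher.get(ev.publisher).push({ ...ev, t: Date.parse(ev.time) });
  }
  const findings = [];
  for (const [publisher, list] of byPublisher) {
    list.sort((a, b) => a.t - b.t);
    let start = 0, best = null;
    // Sliding window: shrink from the left until it fits, keep the densest window over threshold.
    for (let end = 0; end < list.length; end++) {
      while (list[end].t - list[start].t > windowMs) start++;
      const slice = list.slice(start, end + 1);
      const packages = new Set(slice.map((e) => e.name)).size;
      if (slice.length >= minVersions && packages >= minPackages &&
          (best === null || slice.length > best.versions)) {
        best = { publisher, from: list[start].time, to: list[end].time,
                 versions: slice.length, packages };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Constructed sample: a maintainer with a normal cadence, and an account pushing
// two versions of each of 25 packages in about 21 minutes.
function sampleEvents() {
  const events = [
    { publisher: 'maint-a', name: 'pkg-one', version: '1.0.0', time: '2026-04-01T10:00:00Z' },
    { publisher: 'maint-a', name: 'pkg-two', version: '2.3.0', time: '2026-05-02T09:30:00Z' },
  ];
  const t0 = Date.parse('2026-05-19T12:00:00Z');
  for (let i = 0; i < 25; i++) {
    for (const [k, version] of [[0, '1.0.1'], [1, '1.0.2']]) {
      const time = new Date(t0 + (i * 50 + k * 25) * 1000).toISOString();
      events.push({ publisher: 'burst-account', name: `lib-${i}`, version, time });
    }
  }
  return events;
}
```

Run against your own registry mirror or audit log by mapping its records onto the event shape above; `detectPublishBursts(sampleEvents())` returns one finding for `burst-account` (50 versions, 25 packages) and none for the normal maintainer.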
SafeDep Team, May 19, 2026, 24 min read (Malware)
The full article is at SafeDep - Real-time Open Source Software Supply Chain Security.