Hundreds of thousands of developers via 570,000+ weekly downloads of compromised packages
The npm ecosystem has transitioned from an environment of nuisance-level threats to a high-consequence battleground for supply chain attacks. A new analysis from Palo Alto Networks' Unit 42 reveals a dramatic escalation in attacker sophistication following the pivotal Shai-Hulud worm of September 2025. Recent campaigns in April 2026 demonstrate that threat actors are systematically weaponizing the software development lifecycle. These attacks feature wormable malware, persistence in CI/CD pipelines, and novel command-and-control (C2) techniques using public developer infrastructure.
Two distinct but related campaigns have been identified. The first, attributed to the threat actor TeamPCP, impersonated the Bitwarden CLI tool to steal credentials and propagate to other projects. The second, dubbed "Mini Shai-Hulud," compromised four high-volume SAP Cloud Application Programming (CAP) packages, placing enterprise developers and their cloud environments at extreme risk. Both campaigns utilize a multi-stage payload that harvests a wide range of credentials—from cloud provider keys to GitHub tokens—and uses GitHub's own APIs as a covert C2 and data exfiltration channel. This represents a critical threat to any organization relying on the npm ecosystem for software development.
The Shai-Hulud worm in September 2025 marked a watershed moment, proving the viability of self-replicating malware within the npm registry. In the months since, adversaries have built upon this foundation, creating more targeted and potent attacks. In April 2026, Unit 42 observed two major campaigns that highlight this evolution.
Campaign 1: @bitwarden/cli Impersonation (April 22, 2026)
@bitwarden/cli version 2026.4.0 impersonated the legitimate password manager's command-line tool.Campaign 2: "Mini Shai-Hulud" SAP Ecosystem Attack (April 29, 2026)
@cap-js/sqlite@1.5.0@cap-js/db-service@1.5.0@sap/cds-dk@7.9.0@sap/cds@7.9.0preinstall hook in package.json to trigger the malicious payload. This ensures code execution occurs automatically during npm install.Both campaigns demonstrate a clear intent to move beyond simple typosquatting and into the strategic compromise of critical developer tooling to gain deep, persistent access to enterprise environments.
The attack chain is initiated via a social engineering or typosquatting vector, convincing a developer to install a compromised npm package. The core of the attack relies on npm's lifecycle scripts.
Initial Execution via Lifecycle Hook: The package.json of the compromised packages was modified to include a preinstall script: "preinstall": "node setup.mjs". This command executes the setup.mjs bootstrapper file automatically before the package installation is even complete, making it a highly effective initial access vector. This is an example of T1199: Trusted Relationship, where the trust in the package manager is abused.
The Bootstrapper (setup.mjs): This initial script is a lightweight downloader. Its primary functions are:
execution.js, from a remote server.T1105: Ingress Tool Transfer.The Main Payload (execution.js): This heavily obfuscated, 11.7 MB file is the core of the operation. It functions as a comprehensive credential harvesting and propagation framework.
ctf-scramble-v2. This is a bespoke substitution cipher based on a Fisher-Yates shuffle algorithm seeded with a static value (0x3039), making it deterministic. This technique is shared with the earlier @bitwarden/cli attack, strongly linking the two campaigns.npm tokens, GitHub tokens, and SSH keys./proc memory of the GitHub Actions Runner.Worker process to extract masked secrets. This is a form of T1552.006: Unsecured Credentials: CI/CD Secrets.Covert C2 and Exfiltration via GitHub API: The malware avoids traditional C2 infrastructure by abusing GitHub's public APIs.
OhNoWhatsGoingOnWithGitHub).OhNoWhatsGoingOnWithGitHub:<base64_token>).T1071.001: Application Layer Protocol: Web Protocols for C2.Propagation and Persistence: Once a valid GitHub token is acquired, the payload performs several actions to propagate and maintain access:
claude.js, .github/workflows/auto-update.yml) into the victim's repositories.auto-update.yml file establishes persistence within the CI/CD pipeline.setup.mjs bootstrapper and modified package.json, continuing the cycle. This worm-like behavior is a form of T1036: Masquerading and lateral movement within the developer's project ecosystem.The business impact of this campaign is severe. By targeting developers and CI/CD pipelines, attackers gain privileged access at the heart of the software factory. The potential consequences include:
@bitwarden/cli@2026.4.0@cap-js/sqlite@1.5.0@cap-js/db-service@1.5.0@sap/cds-dk@7.9.0@sap/cds@7.9.0setup.mjsexecution.jsbw1.js.github/workflows/auto-update.ymlclaude.jsShai-Hulud: The Third ComingOhNoWhatsGoingOnWithGitHubLongLiveTheResistanceAgainstMachinesclaude <claude@users.noreply.github.com>chore: update dependenciesSecurity teams may want to hunt for the following patterns, which could indicate related activity:
setup.mjs or execution.js in project directories. Scan package.json files for preinstall or postinstall scripts that execute unfamiliar code.node processes with command lines like node setup.mjs. Monitor for CI/CD runner processes (e.g., Runner.Worker) that attempt to read from /proc memory or make unexpected outbound network connections.api.github.com/search/commits) from automated systems with unusual search queries.claude@users.noreply.github.com or with the message chore: update dependencies that were not part of a standard process. Search public GitHub commits for your organization's secrets or tokens.Detecting and responding to this threat requires a multi-layered approach focusing on the developer environment and CI/CD pipeline.
SIEM/Detection Rules:
node.exe or node executes a file named setup.mjs or a script from a temporary directory as part of a package installation process.package.json files that add or change preinstall/postinstall scripts, especially in automated build environments.Endpoint Detection and Response (EDR):
npm spawning a script that then attempts to access credential files (~/.aws/credentials, ~/.ssh/id_rsa).package.json and lock files.D3FEND Techniques:
D3-PA: Process Analysis to baseline normal build processes and detect anomalous behavior, such as unexpected child processes or network connections.D3-NTA: Network Traffic Analysis to monitor and filter egress traffic from build environments, blocking connections to non-allowlisted destinations.Incident Response Playbook: If a compromise is suspected, immediately rotate all developer tokens, API keys, and cloud credentials. Isolate the affected developer machines and build agents. Perform a full audit of all source code repositories and CI/CD configurations for unauthorized changes.
Mitigating these threats requires a shift-left security posture that hardens the entire software development lifecycle.
Dependency Management:
package-lock.json or yarn.lock and use npm ci instead of npm install in build pipelines. This ensures that only exact, vetted dependency versions are installed.npm audit and third-party Software Composition Analysis (SCA) tools to scan for known vulnerabilities. Do not blindly trust packages, even popular ones.Harden CI/CD Pipelines:
npm install with the --ignore-scripts flag in environments where lifecycle scripts are not required, and run scripts only for trusted dependencies.Developer Environment Security:
D3-ACH: Application Configuration Hardening by configuring package managers to use specific, trusted registries and disabling arbitrary script execution.D3-NI: Network Isolation for build agents to prevent them from communicating with attacker-controlled C2 servers or exfiltrating data.New analysis highlights developer workstations as the primary target for supply chain attacks, requiring a shift in security paradigms to protect these critical environments.
Recent campaigns like TeamPCP and 'mini Shai-Hulud' exemplify a strategic shift by threat actors to target developer workstations directly. These environments are now considered the 'epicenter' for compromising the entire software delivery lifecycle, as they contain high-value credentials, API keys, and secrets. Experts emphasize the need to treat developer machines as production environments, implementing robust endpoint security, credential hygiene, and containerized development to mitigate widespread supply chain compromise.
Red Hat npm packages compromised by 'Miasma,' a new variant of the 'Mini Shai-Hulud' worm, via compromised CI/CD pipelines.
On June 1, 2026, over 30 official Red Hat @redhat-cloud-services npm packages were compromised by 'Miasma,' a new credential-stealing worm. Miasma is identified as a variant of the 'Mini Shai-Hulud' worm, which was recently open-sourced. The attack vector involved a compromised CI/CD pipeline, leveraging GitHub Actions OIDC to publish malicious packages. The worm uses a preinstall script to harvest CI secrets, cloud credentials, SSH keys, and npm tokens, leading to self-propagation. Users who installed affected packages since June 1 are urged to rotate all credentials immediately, indicating a significant escalation in supply chain attacks.
The Shai-Hulud worm emerges, marking a new era of self-replicating malware in the npm ecosystem.
The 'Shai-Hulud: The Third Coming' campaign begins, targeting developers with a malicious package impersonating @bitwarden/cli.
The 'Mini Shai-Hulud' campaign begins, compromising four popular SAP CAP/MTA packages on npm.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.