In short
- The Shai-Hulud malware program has been compiled with about 300 npm and PyPI scripts.
- OpenAI, Microsoft, and Mistral AI revealed recent developments related to Shai-Hulud.
- The malware exploited GitHub Actions and trusted work publishing programs.
A criminal campaign known as “Shai-Hulud” is spreading through the pipelines that software developers use to build and distribute code, raising new concerns about how much of today’s Internet relies on machines operating without human supervision.
Researchers linked the Shai-Hulud malware campaign to approx 320 pack entries via Node Package Manager (NPM) and PyPI, two of the largest web repositories used to download and share JavaScript and Python programs. The affected packages have more than 518 million monthly downloads.
“Shai-Hulud is important because it exposes a problem we can’t solve: modern software is built using third-party code,” said Jeff Williams, CTO of the California-based security firm. Differentiation of Securityhe said Decrypt. “Developers don’t just download libraries, they install them, build with them, test with them, use them, and finally complete them.”
Advances in artificial intelligence pose a threat, Williams said, comparing Shai-Hulud to making the computer a dual agent.
“The scary part is exploitability. If an attacker can tamper with one unknown package, they don’t just take that package,” Williams said. “They find their way to any grassroots project they believe in.” They can then steal more tokens, spread more lethal packets, and repeat the cycle. The software delivery system is no longer a chain – it’s a distribution network,” he added.
Earlier this month, Microsoft Threat Intelligence to be revealed that attackers inserted malicious code into the Mistral AI software distributed via PyPI. Microsoft said the malware downloaded an extension file designed to mimic the Hugging Face library used by Transformers so it would integrate with machine learning environments.
Mistral later said a support instrument was involved in the incident, but added that “there is no indication that Mistral’s equipment was damaged.”
Two days later, OpenAI it has been confirmed malware linked to the same campaign compromised two employees’ devices and gave attackers access to several internal codes. The company said it found no evidence that customer information, manufacturing systems, or intellectual property were compromised.
Shai-Hulud came
They are called giant sand worms in “Dune” by Frank Herbert, explorers to follow Previous versions of the malware until September 2025 are cybercriminals known as TeamPCP. However, the campaign gained more attention after the May 11 terrorist attacks Photos of TanStackan open source JavaScript framework widely used on the web and in the cloud.
Shai-Hulud is part of a growing threat where hackers compromise trusted software tools or services that other companies already use. Instead of targeting victims directly, attackers use these trusted systems to spread malicious code or gain access to software.
The researchers say that the malware shares caches so that future programs can silently download the malicious code. To the developer who downloads the packages, everything looks good because the software is from a trusted source, carries valid signatures, and passes regular security checks. This is what made the attack less alarming.
On Sunday, cybersecurity company OX Security report that new malicious packages imitating the original malware were already stealing the cloud and crypto wallet credentials, SSH keys, and environment variables. At the same time, other brands tried to turn infected machines into DDoS botnets.
“One piece of evidence that this is a different actor than TeamPCP is that Shai-Hulud’s criminal code is almost an exact copy of the leaked source, without any tampering methods, which makes the final version different from the previous one,” OX Security wrote. “In our breakdown, we show a side by side version of the Shai-Hulud chalk with a leaked code, showing that they are the same.”
The news surrounding Shai-Hulud comes at a time when developers are increasingly relying on platforms like GitHub Actions. At the same time, chain-attacks targeting open source platforms have become more common as attackers focus on software development tools and printers, rather than end-users directly.
“(Shai-Hulud) is a reminder that (systems, services, and products) attacks are now moving beyond traditional components and into open source packages that support modern development and deployment,” said Joris Van De Vis, Director of Security Research in the Netherlands. SecurityBridgehe said Decrypt.
On Tuesday, GitHub said search unauthorized access to its internal sites after TeamPCP reported that it had stolen approximately 4,000 sites and provided information that could be sold on a cyber crime forum for at least $50,000.
According to Van De Vis, Shai-Hulud also shows how attacks targeting trusted software systems can quickly spread from the business infrastructure that companies rely on for critical information.
“When trusted npm users can have tools to steal information from (Cloud Application Programming) and (Multi-Target Application), the threat is not just a laptop problem, it becomes a direct path to SAP production systems, which is why organizations need high-dependency control, real printing, and strong De Vi printing security.
Daily Debrief A letter
Start each day with top stories right here, including originals, podcasts, videos and more.
