Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks

https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/

Publish Date: 2026-06-09 07:37:11

Source Domain: www.securityweek.com

New iterations of the Shai-Hulud supply chain attack have seriously affected the NPM and PyPI ecosystems.

Security researchers have observed a resurgence in Shai-Hulud attack campaigns since the group TeamPCP released the worm's source code in mid-May 2025. Following a spate of infections, these attacks escalated in June, notably impacting Red Hat's Hybrid Cloud Console JavaScript ecosystem with 32 compromised packages and leading to the discovery of at least 57 NPM packages, and over 300 package versions, affected by the Miasma variant. Shortly after, another variant dubbed Hades surfaced in the PyPI ecosystem, spreading malware that executed at Python startup and exfiltrated data, similar to previous Shai-Hulud activity. By June 8, the PyPI ecosystem saw additional phantom releases of malicious packages, meaning new package versions published without corresponding updates in the projects' GitHub repositories. Across these campaigns, over 470 malicious artifacts were identified on the NPM and PyPI platforms combined.

Key Points:

  • Release of the source code for Shai-Hulud in mid-May led to new attack campaigns.
  • Significant Red Hat Hybrid Cloud Console JavaScript ecosystem infections in June.
  • Miasma variant identified, spreading through NPM and affecting popular packages and ecosystems.
  • Hades variant attacks PyPI, showing similar credential-harvesting and self-spreading behaviors.
  • Over 470 malicious artifacts identified in total across NPM and PyPI packages.
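The summary above notes that the Hades payload executed at Python startup. As an added example (not from the SecurityWeek article or from the researchers it cites), the following audits the startup hooks that Python's own site.py honours: executable import lines in .pth files and sitecustomize/usercustomize modules. It assumes nothing about which hook Hades used; the risky-line patterns and the sample files are constructed for the demo.

```python
"""Audit the startup hooks that Python's site.py honours: executable 'import'
lines in .pth files and sitecustomize/usercustomize modules."""
import os
import re
import tempfile

# site.py executes a .pth line only if it begins with "import " or "import\t";
# every other non-comment line is treated as a path to append to sys.path.
_EXEC_LINE = re.compile(r"^import[ \t]")
# Heuristic patterns (an assumption, not indicators from the article) for an
# import line that does more than register a path finder.
_RISKY = re.compile(r"exec\(|eval\(|compile\(|__import__|base64|subprocess|urllib|socket")

def executable_pth_lines(text):
    """Return (line_no, line) for every line site.py would execute."""
    return [(n, line.rstrip()) for n, line in enumerate(text.splitlines(), 1)
            if _EXEC_LINE.match(line)]

def classify_pth_line(line):
    """'risky' if the executable line matches a dynamic-execution pattern, else 'import'."""
    return "risky" if _RISKY.search(line) else "import"

def audit_site_dir(site_dir):
    """Scan one site-packages directory; return findings as (file, kind, detail)."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        path = os.path.join(site_dir, name)
        if name in ("sitecustomize.py", "usercustomize.py"):
            findings.append((name, "startup-module", "imported automatically by site.py"))
        elif name.endswith(".pth") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, line in executable_pth_lines(fh.read()):
                    findings.append((name, classify_pth_line(line), f"line {n}: {line}"))
    return findings

def demo():
    """Constructed sample directory: a path-only .pth, a normal editable-install
    hook, a .pth whose import line runs decoded code, and an empty sitecustomize.py."""
    site_dir = tempfile.mkdtemp()
    samples = {
        "paths.pth": "/opt/lib/extra\n# a comment\n",
        "editable.pth": "import _editable_finder; _editable_finder.install()\n",
        "dropper.pth": "import base64; exec(base64.b64decode('<base64 blob>'))\n",
    }
    for name, body in samples.items():
        with open(os.path.join(site_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    open(os.path.join(site_dir, "sitecustomize.py"), "w").close()
    return audit_site_dir(site_dir)
```

Run `audit_site_dir()` against each entry of `site.getsitepackages()` and `site.getusersitepackages()` on a host of interest; every "risky" or "startup-module" finding is something to account for, since legitimate editable installs are the usual benign source of "import" lines.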