Shai-Hulud: What to Know About the Malware Spreading Through Software Pipelines

A malware campaign known as “Shai-Hulud” is spreading through the software pipelines developers use to build and distribute code, raising new concerns about how much of the modern internet now depends on automated systems operating with little direct human oversight.

Researchers linked the Shai-Hulud malware campaign to roughly 320 package entries across Node Package Manager (NPM) and PyPI, two of the largest online repositories developers use to download and share JavaScript and Python software packages. The affected packages collectively account for more than 518 million monthly downloads.

“Shai-Hulud is significant because it exposes a problem we cannot fully patch away: modern software is built by running other people’s code,” Jeff Williams, CTO of California-based security firm Contrast Security, told Decrypt. “Developers do not merely ‘download’ libraries. They install them, build with them, test with them, deploy with them, and eventually execute them. And if you run a malicious library, it can do almost anything you can do.”

Advances in artificial intelligence complicate the threat, Williams said, comparing Shai-Hulud to making a computer a double-agent.

“The scary part is the leverage. If an attacker compromises one obscure package, they do not just get that package,” Williams said. “They get a path into every downstream project that trusts it. Then they can steal more tokens, publish more poisoned packages, and repeat the cycle. The software supply chain is not a chain anymore—it’s a propagation network,” he added.

Earlier this month, Microsoft Threat Intelligence disclosed that attackers inserted malicious code into a Mistral AI software package distributed through PyPI. Microsoft said the malware downloaded an additional file designed to resemble Hugging Face’s widely used Transformers library so it would blend into machine-learning development environments.

Mistral later said an affected developer device was involved in the incident, but added that it had “no indication that Mistral infrastructure was compromised.”

Two days later, OpenAI confirmed malware tied to the same campaign infected two employee devices and gave attackers access to a limited number of internal code repositories. The company said it found no evidence that customer data, production systems, or intellectual property were compromised.

Shai-Hulud cometh

Named after the giant sandworms in Frank Herbert’s “Dune,” researchers traced earlier versions of the malware back to September 2025 and cybercriminals known as TeamPCP. However, the campaign drew wider attention after a major May 11 attack targeting TanStack, a widely used open-source JavaScript framework used in web and cloud applications.

Shai-Hulud is part of a growing type of supply-chain attack in which hackers compromise trusted software tools or services that other companies already use. Instead of targeting victims directly, the attackers use those trusted systems to spread malicious code or gain access to developer environments.

Researchers say the attacks poison shared build caches so future software releases would quietly pull in the malicious code. To a developer downloading the packages, everything looks normal because the software came from trusted sources, carried valid signatures, and passed the usual security checks. That’s what made the attack so unsettling.

On Sunday, cybersecurity firm OX Security reported that new malicious packages mimicking the original malware were already stealing cloud and crypto wallet credentials, SSH keys, and environment variables. At the same time, some variants attempted to turn infected machines into DDoS botnets.

“One incriminating evidence that this is a different actor from TeamPCP is that the Shai-Hulud malware code is an almost exact copy of the leaked source code, with no obfuscation techniques, which make the final version visually different from the original,” OX Security wrote. “In our breakdown, we show the side by side comparison of the chalk-template Shai-Hulud version with the original source code leak, showing that they are the same.”

News around Shai-Hulud comes as modern software developers increasingly depend on automated platforms like GitHub Actions. At the same time, supply-chain attacks targeting open-source infrastructure have grown more common as attackers increasingly focus on developer tooling and automated publishing systems, rather than end-user systems directly.

“[Shai-Hulud] is a reminder that [systems, applications, and products] attack surface now extends well beyond traditional application layers and into the open-source packages that power modern development and deployment workflows,” Joris Van De Vis, Director Security Research at Netherlands-based cybersecurity firm SecurityBridge, told Decrypt.

On Tuesday, GitHub said it was investigating unauthorized access to its internal repositories after TeamPCP claimed responsibility for stealing roughly 4,000 private repos and offered the data for sale on a cybercrime forum for at least $50,000.

According to Van De Vis, Shai-Hulud also shows how attacks targeting trusted software automation can quickly spread from developer tools into enterprise systems that companies rely on for critical operations.

“When trusted npm dependencies can be weaponized to steal credentials from [Cloud Application Programming] and [Multi-Target Application] environments, the risk is no longer just a developer laptop issue, it becomes a direct path toward productive SAP systems, which is why organizations need tighter dependency controls, exact version pinning, and stronger publishing safeguards,” Van De Vis said.