Mini Shai-Hulud Attack Forces npm to Reset Bypass-2FA Publishing Tokens

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


The npm registry made an urgent platform-wide move last week after supply chain attacks threatened thousands of developers. On May 19, npm invalidated every granular access token with write access that bypasses two-factor authentication, forcing maintainers to generate fresh credentials and update all automated workflows.

The reset came directly in response to a campaign known as Mini Shai-Hulud, a coordinated threat that has been chewing through the JavaScript ecosystem for nearly a month.

The attack that triggered the mass reset happened late on May 18, when threat actors seized a legitimate npm maintainer account called atool and pushed 639 malicious package versions across 323 unique packages in one automated burst.

The wave swept through the @antv data-visualization ecosystem and hit packages like echarts-for-react, which sees roughly 1.1 million weekly downloads, along with timeago.js, size-sensor, and canvas-nest.js. The speed and scale left almost no time for defenders to react.

Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that the Mini Shai-Hulud campaign had already been active for three weeks before this wave, and that the @antv breach followed an earlier compromise of 42 TanStack npm packages on May 11, including @tanstack/react-router with 12 million weekly downloads.

npm granular access token invalidation (Source – Socket.dev)

Socket tracked 1,055 compromised versions across 502 unique packages spanning npm, PyPI, and Composer. The group behind it has been attributed to a threat actor known as TeamPCP.

The campaign also reached further than many developers expected. GitHub disclosed that attackers exfiltrated roughly 3,800 of its internal repositories, with the entry point traced to Nx Console, a VS Code extension with 2.2 million installs.

Attackers had stolen credentials from an Nx maintainer during the TanStack compromise and used them to publish a poisoned build of the extension.

That version sat on the Visual Studio Marketplace for 18 minutes before takedown, but it was enough to deliver credentials that got the attackers inside GitHub.

Alongside the credential reset, npm also launched Staged Publishing into public preview on May 20, a feature that many in the security community believe carries far more long-term weight.

Mini Shai-Hulud Attack Forces npm

Mini Shai-Hulud is built around one core idea: steal the tokens developers use to publish packages, then push poisoned versions of every package the victim maintains.

The worm scans developer machines and CI environments for npm credentials, and because bypass-2FA granular access tokens are long-lived and parked in secret stores, they become easy targets.

Once collected, the worm republishes malicious versions automatically, turning each compromised account into a launchpad for further infections.

The campaign’s most damaging moves did not even need a stolen token. TanStack’s attackers used a chained exploit involving a Pwn Request attack, GitHub Actions cache poisoning, and real-time extraction of an OIDC token from a runner’s process memory.

The Bitwarden CLI compromise on April 23 came from directly infecting the project’s publish-ci.yml workflow. Both attacks bypassed Trusted Publishing entirely, the very control npm is now recommending as the primary defense for the broader ecosystem.

Staged Publishing and What Maintainers Should Do Now

npm’s more consequential response to Mini Shai-Hulud is Staged Publishing, which entered public preview when GitHub merged the npm stage command into CLI v11.15.0.

Under this model, automated CI publishes route through a staging area, where a maintainer must approve the release with an MFA-verified step before it reaches users.

Even if an attacker pushes a malicious version through stolen credentials, the release stalls at the staging gate until a human reviews it.

Security researcher Adnan Khan called on all npm maintainers to enable Staged Publishing immediately, describing it as a direct counter to Shai-Hulud. npm creator Isaac Schlueter urged GitHub, npm, and Microsoft to disable non-MFA publishing entirely across the ecosystem.

Maintainers whose pipelines broke after the reset should generate new granular tokens and rotate every credential the environment could have touched, including GitHub tokens; AWS, GCP, and Azure credentials; SSH keys; Kubernetes tokens; Vault tokens; Stripe keys; and AI configuration files such as .claude/settings.json.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| npm Package (Compromised) | @antv ecosystem (323 unique packages) | Packages poisoned via hijacked atool maintainer account on May 18, 2026 |
| npm Account (Hijacked) | atool | Legitimate maintainer account seized by attackers to publish 639 malicious versions |
| npm Package (Compromised) | echarts-for-react | Part of @antv burst; ~1.1 million weekly downloads affected |
| npm Package (Compromised) | timeago.js | Part of @antv ecosystem targeted in May 18 burst |
| npm Package (Compromised) | size-sensor | Part of @antv ecosystem targeted in May 18 burst |
| npm Package (Compromised) | canvas-nest.js | Part of @antv ecosystem targeted in May 18 burst |
| npm Package (Compromised) | @tanstack/react-router | Compromised in May 11 TanStack wave; ~12 million weekly downloads |
| npm Packages (Compromised) | @tanstack (42 packages total, 84 malicious versions) | TanStack wave compromise on May 11, 2026 |
| VS Marketplace Package (Compromised) | Nx Console v18.95.0 | Poisoned VS Code extension; live for 18 minutes before takedown |
| CI/CD File | publish-ci.yml | Bitwarden CLI workflow file directly infected on April 23, 2026 |
| AI Config File | .claude/settings.json | Targeted by Mini Shai-Hulud worm payload for credential harvesting |
| Threat Actor | TeamPCP | Attribution for the Mini Shai-Hulud campaign |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
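
The following is an added example, not part of the original article or Socket's report: a Node.js check that lists every package-lock.json entry whose name matches a package or scope from the IoC table, including nested and aliased installs, so the resolved versions can be compared against registry advisories. It matches on names only, because the article does not list the malicious version numbers; the sample lockfile, its versions, and the names some-chart and router-alias are constructed.

```javascript
// Added example: flag lockfile entries named in the article's IoC table.
// Names only; the article does not give the malicious version numbers.
const WATCH_NAMES = new Set([
  "echarts-for-react", "timeago.js", "size-sensor", "canvas-nest.js",
]);
const WATCH_SCOPES = ["@antv/", "@tanstack/"];

// lockfileVersion 2/3 keys are install paths such as
// "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/" segment.
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function isWatched(name) {
  return WATCH_NAMES.has(name) || WATCH_SCOPES.some((s) => name.startsWith(s));
}

// Returns one record per watched install, transitive copies included.
function findWatched(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected a lockfileVersion 2 or 3 package-lock.json");
  }
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (meta.link) continue; // workspace symlink, not a registry install
    // Aliased installs carry the real package name in meta.name.
    const name = meta.name || nameFromLockPath(path);
    if (name && isWatched(name)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile: versions are made up for the demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/echarts-for-react": { version: "0.0.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-chart/node_modules/@antv/g2": { version: "0.0.2" },
    "node_modules/router-alias": { name: "@tanstack/react-router", version: "0.0.3" },
    "node_modules/size-sensor-utils": { version: "2.0.0" }, // not an exact match
  },
};
for (const h of findWatched(SAMPLE_LOCK)) console.log(`${h.name}@${h.version}  (${h.path})`);
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findWatched` and review each reported version against the registry's advisory for that package.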
