Skip to main content
Emerging ThreatsMalware & Ransomware

Malware Campaign Compromises Hundreds of npm Packages

Brightly-lit coding workstation with laptop, notes, and software materials scattered around.
“If any of the affected packages ran in your environment, treat the machine or runner as exposed until secrets are rotated, persistence artifacts are removed, and recent publish activity has been reviewed,” Aikido Security researchers wrote in a blog post.

TeamPCP’s Mini Shai‑Hulud has returned and scaled up

Mini Shai‑Hulud, a self‑replicating malware campaign, has resurfaced in a new, more capable variant that embeds itself across hundreds of npm packages. The threat actor tracked as TeamPCP has been linked to earlier waves of the campaign, and researchers report this iteration is able to spread more aggressively and survive common remediation steps. The campaign remains active and, according to analysts, is expected to expand because the worm propagates using tokens stolen from infected environments.

Execution at install time: immediate access and credential harvesting

Researchers analyzing the payload found the malware executes the moment an affected package is installed, whether in a developer’s local environment or inside a CI/CD pipeline. A hook fires before any other step, giving the payload immediate access to the machine. The code harvests GitHub tokens, npm tokens, SSH keys, cloud provider credentials, and database connection strings, then exfiltrates that data to attacker‑controlled GitHub repositories.

In automated build environments the malware exploits the pipeline’s trusted identity to obtain publishing credentials and push poisoned package versions to the registry under a legitimate maintainer’s name. After stealing a publishing token, it enumerates every package that token can access, adds its code to those packages, and publishes new poisoned versions. One infected CI runner can therefore taint every package that runner is allowed to publish.

Persistence mechanisms that survive package removal

Removing the npm package does not reliably remove the attacker’s foothold. Researchers found the malware embeds backdoors in developer tool settings — notably .vscode/tasks.json and .claude/settings.json — which remain on disk even after the npm package is removed and therefore must be audited and cleaned. The payload also installs OS‑level background services: a systemd user service on Linux and a LaunchAgent on macOS. Both run a backdoor called kitty‑monitor, which polls GitHub’s commit search every hour for signed remote commands.

A second process, gh‑token‑monitor, checks stolen GitHub tokens every 60 seconds and alerts the attacker the moment one is revoked. Together these components allow an attacker to maintain access and monitor victim response in near real time, long after the initial infection has been discovered.

Packages targeted and downstream exposure

Multiple security companies have pointed to specific, widely used dependencies touched in this wave. Researchers named popular data‑visualization software — including Alibaba’s open‑source AntV and TallyUI — as well as utilities such as echarts‑for‑react and timeago.js. Socket, an application security company, warned that “Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions.”

Because the malware copies itself into other Node.js projects on an infected developer workstation, a single compromised install can spread across a developer’s projects as well as across repositories published by an infected CI runner. Last week, the actor also targeted other prominent libraries with the malware, including TanStack, UiPath, and MistralAI.

What this means for developers, CI teams, and open‑source maintainers

  • Developers and security teams: follow Aikido Security’s guidance — treat any machine or runner that installed an affected version as exposed until secrets are rotated, persistence artifacts are removed, and recent publish activity has been reviewed. Audit .vscode/tasks.json and .claude/settings.json and look for systemd user services or LaunchAgents associated with kitty‑monitor or gh‑token‑monitor.
  • CI teams and maintainers: review recent publish activity for unexpected releases, recognize that a pipeline’s trusted identity can be abused to publish under a legitimate maintainer’s account, and expect that one compromised runner can lead to broad supply‑chain contamination.
  • Organizations that automatically pull dependency updates: be aware that popularity of a package increases downstream exposure; researchers warned that the campaign’s propagation model means the number of affected packages is likely to grow.

The Mini Shai‑Hulud campaign combines rapid, automated propagation with persistence designed to outlast simple rollbacks or package removals. Because the malware both steals publication credentials and embeds OS‑level backdoors that report token revocations and accept remote commands, defenders must assume infection can extend beyond the initial package and persist across remediation attempts. This is a developing story and will be updated as information becomes available.

Original reporting: CyberScoop — Mini Shai‑Hulud returns, compromising hundreds of npm packages