A self-replicating malware campaign dubbed “Mini Shai-Hulud” has resurfaced, now embedding itself within hundreds of npm packages. The threat actor, identified as TeamPCP, has a history of deploying this particular campaign, with the latest variant exhibiting enhanced capabilities over previous iterations. This sophisticated attack targets the open-source software supply chain.
Researchers have analyzed the payload, describing it as a worm that spreads autonomously. It establishes persistent backdoors at the operating system level, strategically designed to survive common mitigation efforts, such as simply removing the infected package. This makes the Mini Shai-Hulud campaign a significant concern for developers and organizations relying on shared code.
The Mini Shai-Hulud Campaign Tactics
The malware is engineered to execute immediately upon installation of an affected package. This happens regardless of whether the installation takes place in a developer's local environment or within an automated Continuous Integration/Continuous Deployment (CI/CD) pipeline. An install-time lifecycle hook runs before any other step, giving the payload code execution on the host as soon as the package is unpacked.
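An added example (not code from the report or from any affected project): a scan that lists every package under a directory declaring an install-time lifecycle script, so a reviewer can see which dependencies would obtain code execution during `npm install`. The package names and the postinstall command in the fixture are constructed; a common mitigation is installing with `--ignore-scripts` and then reviewing the flagged packages by hand.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def find_install_hooks(root):
    """Return (package name, hook, command) for every package.json under
    `root` that declares an install-time lifecycle script."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip here, review by hand
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((data.get("name", str(manifest)), hook, scripts[hook]))
    return sorted(findings)

def demo():
    """Constructed fixture: a node_modules tree with one clean package and one
    package carrying a postinstall script (names and command are made up)."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    clean, hooked = root / "example-clean", root / "example-hooked"
    clean.mkdir(parents=True)
    hooked.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "example-clean", "version": "1.0.0"}))
    (hooked / "package.json").write_text(json.dumps(
        {"name": "example-hooked", "version": "1.0.0",
         "scripts": {"postinstall": "node ./setup.js"}}))
    return find_install_hooks(root)

if __name__ == "__main__":
    for name, hook, cmd in demo():
        print(f"{name}: {hook} -> {cmd}")
```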
Information Theft and Propagation
Once active, the malware systematically harvests sensitive information. This includes GitHub tokens, npm tokens, SSH keys, cloud provider credentials, and database connection strings. In automated build environments, the malware leverages the pipeline’s existing trust and identity to gain publishing credentials.
This allows the attacker to push malicious package versions to the registry under the guise of a legitimate maintainer’s account. The stolen data is then exfiltrated to attacker-controlled GitHub repositories. This technique of impersonation bypasses many standard security checks.
After successfully obtaining a publishing token, the malware inspects all packages accessible by that token. It then injects its malicious code into these packages and publishes new, compromised versions using the original maintainer’s credentials. Consequently, a single infected CI runner can potentially contaminate every package it has permission to publish.
Additionally, the malware scans a developer’s machine for other Node.js projects and copies itself into them. This means a single infected installation can lead to the widespread compromise of an entire workstation.
Persistence Beyond Package Removal
A critical aspect of the Mini Shai-Hulud campaign is its ability to persist even after the affected npm package is removed. Researchers have observed that standard dependency rollback procedures leave the attacker’s access intact.
The malware establishes hidden backdoors within developer tool configurations, specifically targeting files like `.vscode/tasks.json` and `.claude/settings.json`. These files remain on the disk even after the original infected npm package is deleted, providing a persistent foothold for the attackers.
Furthermore, the payload installs operating system-level background services. On Linux it uses a systemd user service, and on macOS a LaunchAgent. Both run a backdoor program named `kitty-monitor`, which periodically polls GitHub's commit search for remotely signed commands. A secondary process, `gh-token-monitor`, checks the validity of the stolen GitHub tokens every minute and alerts the attacker as soon as a token is revoked.
This allows the attacker to maintain access and monitor the victim’s response in near real-time, significantly extending the window of compromise long after the initial infection is detected.
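An added example (not from the report) covering the persistence artifacts described above: it checks the user-level service directories (systemd user units on Linux, LaunchAgents on macOS) for definitions that mention the reported process names, and lists the `.vscode/tasks.json` and `.claude/settings.json` files in given project roots. Those editor files are legitimate in many repositories, so hits are review items rather than verdicts; the folder-open check is a general VS Code heuristic, not a behaviour the report attributes to the worm, and the fixture contents are constructed.

```python
import json
import tempfile
from pathlib import Path

# Backdoor process names and developer-tool config files named in the report
SERVICE_NAMES = ("kitty-monitor", "gh-token-monitor")
EDITOR_CONFIGS = (".vscode/tasks.json", ".claude/settings.json")

def scan_services(home):
    """Flag user-level service files whose name or body mentions a reported process name."""
    hits, home = [], Path(home)
    for unit_dir in (home / ".config/systemd/user", home / "Library/LaunchAgents"):
        if unit_dir.is_dir():
            for unit in (p for p in unit_dir.iterdir() if p.is_file()):
                body = unit.read_text(errors="ignore")
                if any(n in unit.name or n in body for n in SERVICE_NAMES):
                    hits.append(("service", str(unit)))
    return hits

def scan_projects(project_roots):
    """List the editor config files the report names; a tasks.json with a task set to
    runOptions.runOn == "folderOpen" (VS Code auto-run feature) is tagged separately."""
    hits = []
    for root in project_roots:
        for rel in EDITOR_CONFIGS:
            path = Path(root) / rel
            if not path.is_file():
                continue
            tag = "editor-config"
            if rel.endswith("tasks.json"):
                try:  # VS Code allows comments in tasks.json; unparseable files stay listed
                    tasks = json.loads(path.read_text()).get("tasks", [])
                except ValueError:
                    tasks = []
                if any(t.get("runOptions", {}).get("runOn") == "folderOpen" for t in tasks):
                    tag = "editor-config-autorun"
            hits.append((tag, str(path)))
    return hits

def demo():
    """Constructed fixture: a fake home with one LaunchAgent mentioning kitty-monitor
    and one project whose tasks.json auto-runs a task on folder open."""
    home = Path(tempfile.mkdtemp())
    (home / "Library/LaunchAgents").mkdir(parents=True)
    (home / "Library/LaunchAgents/x.plist").write_text("<plist>kitty-monitor</plist>")
    project = home / "proj"
    (project / ".vscode").mkdir(parents=True)
    (project / ".vscode/tasks.json").write_text(json.dumps({"tasks": [
        {"label": "t", "command": "echo", "runOptions": {"runOn": "folderOpen"}}]}))
    return sorted(scan_services(home) + scan_projects([project]))
```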
Impact and Affected Packages
Multiple cybersecurity firms have identified popular dependencies that have been targeted in this wave. The campaign has specifically affected data visualization software, including Alibaba’s open-source AntV and TallyUI. It has also compromised widely used utilities like `echarts-for-react`, a React wrapper for ECharts, and `timeago.js`, a small JavaScript library for timestamp formatting.
The popularity of these packages means that even a limited number of malicious updates can create significant downstream exposure for organizations that automatically update their dependencies. Researchers advise that any machine or pipeline that installed an affected version should be treated as fully compromised until thorough security measures are implemented.
The Mini Shai-Hulud campaign remains active, and its propagation method means the number of compromised packages is expected to increase. In recent weeks, TeamPCP has targeted other prominent software libraries, including those from TanStack, UiPath, and MistralAI.
The next steps for affected organizations involve extensive auditing and remediation. This includes rotating all secrets, removing persistence artifacts, and carefully reviewing recent publishing activity. The situation underscores the ongoing challenges in securing the open-source software supply chain against sophisticated malware campaigns.

