Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
Summary
Hundreds of software packages on npm (Node Package Manager) and PyPI (Python Package Index) were compromised in the Shai-Hulud attack campaign, which used stolen OIDC tokens (authentication credentials that verify a developer's identity) to publish malicious versions carrying valid cryptographic signatures, so the packages appeared legitimate. The malware targets developer credentials such as GitHub tokens, AWS secrets, and SSH keys, and then persists in code-editor auto-run tasks, so uninstalling the packages does not remove it. The attack affected popular projects including TanStack, Mistral AI, Bitwarden, and others.
Original source: https://www.bleepingcomputer.com/news/security/shai-hulud-attack-ships-signed-malicious-tanstack-mistral-npm-packages/
First tracked: May 12, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%