The npm Threat Landscape: Attack Surface and Mitigations

📡 Palo Alto Unit42 · 2026-04-24

Executive Summary

The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape.

Since that watershed moment, Unit 42 has tracked an aggressive acceleration in the frequency and technical depth of supply chain compromises. Attacks have evolved from a series of isolated typosquatting incidents into systematic campaigns by various threat actors to weaponize the trust that powers modern software development.

We have seen two campaigns in April: the first started April 22, 2026 and included the string Shai-Hulud: The Third Coming. The second started April 29, 2026 and is known as Mini Shai-Hulud.

The New Baseline for npm Threats

The Shai-Hulud incident proved that the npm registry could be used as a force multiplier for malware distribution. In the months following, we have observed three core shifts in adversary TTPs:

  • Wormable propagation: Malicious payloads now prioritize the theft of npm tokens and GitHub Personal Access Tokens (PATs) to automatically infect and republish legitimate packages, as seen in the March 2026 Axios compromise.
  • Infrastructure-level persistence: Attackers are no longer just stealing data; they are embedding themselves into continuous integration/continuous delivery (CI/CD) pipelines to attain long-term, undetectable access to enterprise environments.
  • Multi-stage payloads: Following the September 2025 template, current attacks often deploy dormant “sleeper” dependencies that only activate under specific environmental conditions to evade automated scanners.

npm Attacks Seen As a Whole

npm compromises have common themes. In the post-Shai-Hulud era, we believe it is helpful to consider the attack surface as a whole.

This article will combine:

  • Details of major incidents: Real-time analysis of significant package compromises (e.g., Shai-Hulud 2.0, Axios, Chalk/Debug)
  • Cross-campaign correlation: Identifying common infrastructure or code snippets that link disparate attacks to the same threat actors
  • Remediation playbooks: Actionable guidance for rotating credentials and purging malicious dependencies from local and cloud-based caches

Shai-Hulud: A New Wave

A malicious npm package published as @bitwarden/cli version 2026.4.0 was identified as part of a broader supply-chain campaign attributed to TeamPCP. The package impersonates the legitimate Bitwarden command-line interface (CLI) password manager. Upon installation, it executes a multi-stage payload that steals credentials from cloud providers, CI/CD systems and developer workstations. It then self-propagates by backdooring every npm package the victim can publish. Public GitHub repositories that were published have been noted to contain the string “Shai-Hulud: The Third Coming.”

Attackers deployed the same payload across multiple Checkmarx distribution channels, indicating a coordinated campaign to weaponize compromised developer tooling credentials to maximize the area of impact:

  • Docker Hub images
  • GitHub Actions
  • VS Code extensions

Palo Alto Networks customers are better protected from the threats described in this article through the following products and services:

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Related Unit 42 Topics: Supply Chain, Credential Harvesting, Obfuscation, Backdoor

April 2026 - Shai-Hulud: A New Wave

Late April Mini Shai-Hulud Wave

As of April 29, 2026, a new supply chain attack wave (dubbed Mini Shai-Hulud) is actively targeting the SAP developer ecosystem via four compromised npm packages.

The affected versions are:

  • @cap-js/sqlite@2.2.2
  • @cap-js/postgres@2.2.2
  • @cap-js/db-service@2.10.1
  • mbt@1.2.48

Combined, these packages carry approximately 570,000 weekly downloads, with @cap-js/sqlite and @cap-js/db-service pulling around 250,000 and 260,000 downloads, respectively.

All four packages are part of SAP's Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain. This makes the targets of this attack enterprise developers and CI/CD pipelines with access to cloud credentials, GitHub tokens and deployment secrets.

The campaign is a close structural continuation of the @bitwarden/cli@2026.4.0 compromise earlier in April 2026. It uses the same toolchain, same obfuscation and same propagation logic, which is now turned against the SAP ecosystem.

Attack Mechanism

Each compromised package received two new files:

  • setup.mjs
  • execution.js

These files arrived along with a modified package.json that adds a preinstall lifecycle hook ("preinstall": "node setup.mjs"). This means the malicious code executes automatically during the npm install process, before the installation is complete. The setup.mjs bootstrapper detects the host OS and architecture, then performs the following activities:

  • Downloading the Bun JavaScript runtime (v1.3.13) from the official github[.]com/oven-sh/bun releases
  • Extracting the runtime to a temporary directory
  • Immediately using it to execute execution.js
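
The indicators described above can be checked on a developer machine or build agent. The following is an added example, not code from Unit 42 or from the affected projects: it flags the affected versions in a parsed package-lock.json and looks for the preinstall hook plus the two dropped files in installed packages. The function names are hypothetical and the lockfile is assumed to use the v2/v3 `packages` layout.

```javascript
// Added example, not Unit 42 code. Affected versions are copied from the article.
const AFFECTED = new Map([
  ['@cap-js/sqlite', '2.2.2'], ['@cap-js/postgres', '2.2.2'],
  ['@cap-js/db-service', '2.10.1'], ['mbt', '1.2.48'],
]);

// lock: parsed package-lock.json (v2/v3 "packages" map assumed).
// Keys look like "node_modules/a/node_modules/@scope/b"; the last segment is the name.
function auditLockfile(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = key.split('node_modules/').pop();
    // has() first: link entries carry no version and must not match unknown names.
    if (AFFECTED.has(name) && AFFECTED.get(name) === meta.version) hits.push(`${name}@${meta.version}`);
  }
  return hits;
}

// manifest: parsed package.json; files: entry names at the package root.
function inspectPackage(manifest, files) {
  const hook = String((manifest.scripts || {}).preinstall || '');
  const findings = [];
  if (/(^|[\s/])setup\.mjs\b/.test(hook)) findings.push('preinstall runs setup.mjs');
  for (const f of ['setup.mjs', 'execution.js']) {
    if (files.includes(f)) findings.push(`file present: ${f}`);
  }
  return findings;
}

// Walk an installed node_modules tree and report packages with any finding.
async function scanNodeModules(root) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const report = {};
  const walk = (dir) => {
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!e.isDirectory()) continue;
      const pkgDir = path.join(dir, e.name);
      if (e.name.startsWith('@')) { walk(pkgDir); continue; } // scope folder
      const manifestPath = path.join(pkgDir, 'package.json');
      if (fs.existsSync(manifestPath)) {
        const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
        const findings = inspectPackage(manifest, fs.readdirSync(pkgDir));
        if (findings.length) report[pkgDir] = findings;
      }
      if (fs.existsSync(path.join(pkgDir, 'node_modules'))) walk(path.join(pkgDir, 'node_modules'));
    }
  };
  walk(root);
  return report;
}
```

A package that reports all three findings matches the layout described above; a lone `setup.mjs` hit is only a lead. Installing with npm's `ignore-scripts` setting stops lifecycle hooks such as `preinstall` from running at all.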

Payload Capabilities

The 11.7 MB single-file, obfuscated credential stealer, execution.js, is a propagation framework. It performs the following activities:

  • Using a custom string scrambling layer labeled ctf-scramble-v2 to hide sensitive strings from static analysis
  • Including a Russian locale killswitch (exiting silently if the system locale is set as ru)
  • Daemonizing itself on non-CI machines to run in the background

It harvests the following information:

  • GitHub tokens (including gh auth token output)
  • npm tokens from .npmrc
  • Full environment variable blocks
  • GitHub Actions secrets
  • AWS STS identity
  • Secrets Manager and SSM parameters
  • Azure Key Vault secrets
  • GCP Secret Manager values
  • Kubernetes service account tokens
  • Claude and MCP configuration files
  • Electrum wallets
  • VPN configs

A particularly aggressive CI path uses an embedded Python helper that reads the /proc memory of the GitHub Actions Runner.Worker process to extract masked secret values.

All collected data is:

  • Compressed
  • AES-256-GCM encrypted with a key wrapped under an embedded RSA public key
  • Exfiltrated to freshly created public GitHub repositories with randomized Dune-themed names and the description A Mini Shai-Hulud has Appeared

Propagation and GitHub Dead Drop

The campaign uses GitHub's public commit search API as a covert command and control (C2) channel. The malware performs the following activities:

  • Searching for commits containing the keyword OhNoWhatsGoingOnWithGitHub
  • Decoding matching commit messages as a token dead-drop to recover stolen GitHub tokens
  • Using them to spread

Once a usable token is obtained, the payload:

  • Copies itself into execution.js
  • Writes setup.mjs
  • Sets "preinstall": "node setup.mjs" in package.json
  • Increments the patch version
  • Repacks the tarball for publishing

The malware also pushes the following files directly into victim repositories:

  • .vscode/setup.mjs
  • .claude/execution.js
  • .claude/settings.json

The malware pushes the above files using commits authored as claude <claude@users.noreply.github.com> with the message chore: update dependencies.
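
The repository-level indicators above (the three dropped paths, the commit author and the commit message) can be hunted in a local clone. The following is an added example, not code from Unit 42: it parses `git log` output produced with a custom format and returns commits that match. The function names and the choice of `\x01` and `\x1f` as record and field separators are assumptions made for this example.

```javascript
// Added example, not Unit 42 code: find commits matching the repository-level
// indicators on this page in the output of
//   git log --all --name-only --format=%x01%H%x1f%an%x1f%ae%x1f%s
const DROPPED = ['.vscode/setup.mjs', '.claude/execution.js', '.claude/settings.json'];
const AUTHOR = { name: 'claude', email: 'claude@users.noreply.github.com' };
const SUBJECT = 'chore: update dependencies';
const LOG_FORMAT = '--format=%x01%H%x1f%an%x1f%ae%x1f%s';

function findSuspectCommits(logText) {
  const suspects = [];
  for (const record of logText.split('\x01').slice(1)) {
    const [header, ...rest] = record.split('\n');
    const [hash, name, email, subject] = header.split('\x1f');
    const paths = rest.map((l) => l.trim()).filter((p) => DROPPED.includes(p));
    const identity = name === AUTHOR.name && email === AUTHOR.email && subject === SUBJECT;
    // Either signal alone is a lead (.claude/settings.json also exists in
    // legitimate projects); both together match the article's description.
    if (paths.length || identity) suspects.push({ hash, identity, paths });
  }
  return suspects;
}

// Run git in a local clone (assumes git is on PATH) and apply the parser.
async function scanRepo(repoDir) {
  const { execFileSync } = await import('node:child_process');
  const out = execFileSync('git', ['-C', repoDir, 'log', '--all', '--name-only', LOG_FORMAT],
    { encoding: 'utf8', maxBuffer: 256 * 1024 * 1024 });
  return findSuspectCommits(out);
}
```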

The three forensic links to @bitwarden/cli@2026.4.0 are precise enough to indicate shared authorship or a directly reused toolchain.

1. The setup.mjs preinstall bootstrapper. In the Bitwarden campaign, setup.mjs was the self-replication artifact the worm (bw1.js) injected into every npm package the victim could publish. The SAP packages use that same filename as their bootstrapper, and the two share clear common lineage: same Bun version (1.3.13), same Alpine/musl detection logic and the same

