#shaihulud — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #shaihulud, aggregated by home.social.
-
🪤 OpenAI caught in TanStack npm supply chain chaos after employee devices compromised
「 OpenAI says attackers behind the TanStack npm supply chain compromise stole internal credentials after reaching two employee devices, forcing the company to rotate signing certificates for several desktop products. 」
-
Malware Worm Targets npm, PyPi in Mass Supply-Chain Attack
A self-spreading worm, dubbed Mini Shai-Hulud, has infected over 170 packages with nearly 180 million weekly downloads, posing a massive threat to the software supply chain. This highly contagious malware has been open-sourced, making it easier for others to exploit and escalate the attack.
-
Research reveals that #TeamPCP hijacked OIDC tokens to poison hundreds of TanStack, Mistral AI, and UiPath packages with the self-propagating Mini Shai-Hulud worm.
Read: https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/
-
More supply chain attacks incoming! Exciting! We are so fudged! Maybe, we'll see.
From the Telegram channel of Breached/BreachForums:
Breached has teamed up with TeamPCP to host the first ever supply chain competition! Whoever is able to conduct the biggest supply chain operation using the now open source Shai Hulud worm will be congratulated and will receive a prize of $1000 USD in XMR from @diencracked. Make sure to read the rules posted in the announcement first.
-
#shaihulud malware #infosec
https://www.ox.security/blog/shai-hulud-open-source-malware-github/
Shai-Hulud Goes Open Source: Malware Creators Leak Their Own Code to GitHub
-
Shai Hulud Campaign Targets Developers with Malicious npm Packages
Malicious actors have unleashed a barrage of 84 tainted versions of popular software packages, cleverly disguising them with legitimate credentials to deceive developers. The Shai Hulud campaign, linked to the TeamPCP threat group, has been wreaking havoc on the software supply chain since September.
#ShaiHulud #Teampcp #MaliciousNpmPackages #SupplyChain #EmergingThreats
-
💥 TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
-
Urgent security alert for AI developers: The 'Shai-Hulud' malware has struck PyTorch Lightning versions 2.6.2 and 2.6.3, stealing critical credentials like GitHub PATs and AWS keys, then dumping them into public GitHub repositories. This supply chain attack reveals a concerning evolution in adversary tactics, aiming for persistent control over dev environments. Learn how to secure your…
#technology #pytorchlightning #shaihulud
🤖 This post was AI-generated.
-
I didn’t know that this was even possible: A #Python package was compromised by #malware. The @pypi package #lightning versions 2.6.2 and 2.6.3 reportedly executed credential-stealing code on import:
🌍 https://semgrep.dev/blog/2026/malicious-dependency-in-pytorch-lightning-used-for-ai-training
What does this mean for all other Python packages? Do we need package #virus scanners now?
#PyPI #CyberSecurity #DataScience #OpenSource #ShaiHulud #PyTorch
-
Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library
https://semgrep.dev/blog/2026/malicious-dependency-in-pytorch-lightning-used-for-ai-training/
#HackerNews #ShaiHulud #Malware #PyTorchLightning #AITraining #CyberSecurity
-
I had to deal a bit with the "Supply-chain Levels for Software Artifacts" (SLSA) "standard":
https://slsa.dev/
IMO it's a joke, since they do not properly deal with threats from "Includ[ing] a vulnerable dependency (library, base image, bundled file, etc.)". They essentially say "A future version of this standard might deal with that":
https://slsa.dev/spec/v1.2/threats
This has been the main entry point of the past supply chain attacks (XZ backdoor, litellm, Shai-Hulud, ...). A supply-chain security standard that doesn't properly deal with vulnerabilities in dependencies completely misses the point. It's like installing alarms on your windows (to catch burglars trying to enter your home through the windows) when your front door doesn't have a lock.
#SLSA #supplychain #supplychainsecurity #xzbackdoor #ShaiHulud #litellm
-
Supply chain worm 🪱 with its own #MCP server spreads via #GitHub | Developer https://www.heise.de/news/Lieferketten-Wurm-mit-eigenem-MCP-Server-verbreitet-sich-ueber-GitHub-11190554.html #git :git: #ShaiHulud #malware #InfoStealer
-
Supply chain worm with its own MCP server spreads via GitHub
A new malware is circulating in the npm ecosystem, stealing credentials and CI secrets and spreading autonomously.
#Developer #GitHub #IT #Malware #ShaiHulud #Softwareentwicklung #news
-
Supply chain worm with its own MCP server spreads via GitHub
A new piece of malware is circulating in the npm ecosystem, stealing credentials and CI secrets and spreading on its own.
#Developer #GitHub #IT #Malware #ShaiHulud #Softwareentwicklung #news
-
The #ShaiHulud worm turned trust into a weapon—compromising tokens, hijacking pipelines, & auto-publishing malware. @spoole167 explains why modern attackers aim for ecosystems, not endpoints.
Read: https://javapro.io/2025/10/02/the-shai-hulud-npm-worm-when-supply-chains-bite-back/
-
RE: https://social.troll.academy/@mushu/115937976404644181
The mono-culture that is growing from the combination of vscode/codium + nodejs + github comes with all the expected side effects. #Shaihulud was just the beginning, with the story below illustrating the same vector.
Locking down all developer machines using tools from the same corporate overlords (hi Intune) somehow feels like the antivirus graft from like 20+ years ago in the windows hell scape.
-
Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud https://www.csoonline.com/article/4122436/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud-2.html
-
safe-npm - So you no longer panic at every 'npm install'
https://fed.brid.gy/r/https://korben.info/safe-npm-protection-supply-chain-attack-javascript.html
-
This 5 min video explains how to restore data and pull requests that were erased and closed during the #ShaiHulud 2.0 #cyberattack, a necessary step to recover for a large community like @openfisca.
https://videos.lescommuns.org/w/uh4zBGQ2BmjHUoG3oJfQt4
After an immediate reaction to isolate and confine, we reviewed all access rights to decrease our attack surface. We are now focusing on supporting our global community in restoring data and cleaning up attack leftovers… and maybe help other #DigitalCommons along the way 🙂
-
How we (Trigger.dev) got hit by #ShaiHulud A complete post-mortem
-
Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem
https://trigger.dev/blog/shai-hulud-postmortem
#HackerNews #ShaiHulud #GitHub #Security #DevOps #PostMortem #CyberSecurity
-
I still owe you a follow-up to my polls on #ShaiHulud detection (https://chaos.social/@F30/115616794610419354).
Like most of you, I would have expected the malicious packages to be detected by both dependency scanners and endpoint protection.
The truth? Trivy and OWASP Dependency-Track failed to detect the compromised versions out of the box, as well as many antivirus engines. This has a lot to do with how advisories got issued and vulnerability information gets distributed.
-
I resigned: no one at the company was willing to take responsibility or to delegate authority to take action as we suspected of being hit by #ShaiHulud.
As the Godfather once said: "they talk when they should listen".
-
The self-replicating #ShaiHulud 2.0 worm is rampaging on npm! 🚨 Over 800 packages and 25,000 GitHub repositories compromised. This malware steals secrets on a massive scale (tokens, AWS/GCP/Azure keys, API). A major threat to the JavaScript supply chain. Check your dependencies and stay vigilant! Full article on our blog.
⚡️ https://linkeaz.net/fr/posts/shai-hulud-npm-worm-supply-chain
-
Podcast "Passwort" 46: News of worms, hiccups and coughs
The season brings all sorts of ailments to the security industry too: Cloudflare chokes badly, NPM has a worm infestation again, and Christopher is coughing.
#IT #JavaScript #Journal #Malware #PasswortPodcast #Podcast #Security #ShaiHulud #news
-
That's what finally convinced Anthropic
A totally new business model 😜 Just joking.
The #ShaiHulud trojan poses as Bun by using a loader script called setup_bun.js.
But this script has nothing to do with Bun
-
> PyPI has not been exploited, however some PyPI credentials were found exposed in compromised repositories.
Maintaining a mono-repository has numerous side-effects 😱
-
Bless The Maker and His water. Bless the coming and going of him.