A malicious campaign dubbed Mini Shai-Hulud has compromised 314 npm packages, marking the latest large-scale supply chain attack targeting JavaScript developers. The breach affected multiple popular libraries in the Node.js ecosystem.
Security researchers at SafeDep identified the coordinated attack, which involved injecting malicious code into legitimate npm packages. The compromised libraries were designed to capture sensitive data from developer environments and end-user systems.
■ Attack Details
The campaign used a sophisticated approach, maintaining the appearance of legitimate package updates while embedding malware. Affected packages remained available on the npm registry for extended periods, potentially exposing thousands of projects to the threat.
The malicious code variants were designed to exfiltrate environment variables, authentication tokens, and system information. Some versions targeted specific frameworks and build environments commonly used in production deployments.
■ Response and Scope
npm took action to remove the compromised packages from its registry after the discovery. However, the scale of the attack—314 affected packages—suggests widespread exposure across the developer community.
Developers using affected packages are advised to:
- Audit recent dependency updates
- Review package integrity in their projects
- Check for suspicious activity in connected services
- Rotate any exposed credentials
■ Broader Context
The attack follows a pattern of increasing sophistication in npm ecosystem compromises. Threat actors continue to target the package manager as a vector for mass distribution of malware, leveraging the trust developers place in open-source libraries.
The incident underscores the ongoing vulnerability of package managers and the importance of supply chain security practices. Security tools that monitor package behavior and dependencies are becoming essential infrastructure for development teams.
Full details are available on the SafeDep security advisory.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.