Shai-Hulud malware found in 320 npm and PyPI packages
Shai-Hulud was embedded in about 320 npm and PyPI packages and infected two OpenAI employee devices, giving attackers access to a limited set of internal code repositories.
Security teams linked the Shai-Hulud malware to roughly 320 package entries on npm and PyPI. The affected packages together account for more than 518 million monthly downloads. Researchers say the campaign used developer publishing and build tooling to spread malicious code.
OpenAI confirmed two employee devices were infected by malware tied to the campaign and that attackers gained access to a limited number of internal code repositories. The company reported no evidence that customer data, production systems or intellectual property were accessed.
Microsoft disclosed that attackers inserted malicious code into a Mistral AI package on PyPI. The malicious module fetched an additional file designed to resemble a popular machine-learning library. Mistral reported an affected developer device but said it found no indication its infrastructure was compromised.
Researchers traced earlier versions of Shai-Hulud back to September 2025. The campaign drew wider attention after a May 11 attack that targeted the TanStack open-source JavaScript framework.
The attackers abused build automation and trusted publishing workflows, including GitHub Actions, to poison shared build caches so later builds would pull in malicious components. Packages often appeared to come from legitimate sources, carried valid signatures and passed routine checks, researchers said.
Some variants were designed to download extra files that mimic commonly used libraries for machine-learning environments. Other versions have been observed stealing cloud credentials, cryptocurrency wallet keys, SSH keys and environment variables. Security teams also found variants that attempted to recruit infected machines into distributed denial-of-service botnets.
OX Security reported that active Shai-Hulud samples closely matched a previously leaked source code sample with little or no obfuscation, which the firm says may indicate a different actor reused the leaked code.
The campaign is part of a series of incidents that target developer tools and automated publishing systems rather than end-user devices. In a separate case, a poisoned Visual Studio Code extension led to the theft of about 3,800 internal repositories after an employee installed the extension; a hacker group claimed responsibility and offered the data for sale.
Jeff Williams, chief technology officer at Contrast Security, observed: “When developers run a malicious library, it can perform many actions on their systems, because libraries are executed as part of build and deployment workflows.”
Joris Van De Vis, director of security research at SecurityBridge, urged tighter dependency controls, exact version pinning and stronger publishing safeguards to limit the spread of compromised packages.
Researchers and platform operators are continuing investigations into affected packages and variants. They warn organizations to review dependency management, monitor build environments and limit the privileges granted to automated workflows while registries work on stronger publisher verification and safeguards.
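An added example, not from the article or from any vendor it cites: a minimal audit for the exact version pinning recommended above. It flags npm and PyPI dependency specifiers that would let a newly published release be pulled in automatically. The package names and sample manifests are constructed for illustration.

```python
import json
import re

# Exact npm version: 1.2.3 with optional prerelease/build metadata, nothing else.
NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
# Exact pip requirement: name, optional extras, '==' and a version without wildcards.
PIP_EXACT = re.compile(r"^[A-Za-z0-9._-]+(?:\[[^\]]+\])?\s*==\s*[^\s*;,]+$")

# Constructed sample manifests (hypothetical package names).
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"example-router": "^1.4.0", "example-query": "5.2.1"},
  "devDependencies": {"example-bundler": "latest"}
}"""
SAMPLE_REQUIREMENTS = """\
example-ml==2.3.1
example-client>=1.0   # floating range
example-utils
"""

def unpinned_npm(package_json_text):
    """Return (section, name, spec) for each dependency that is not an exact version."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not NPM_EXACT.match(spec.strip()):
                findings.append((section, name, spec))
    return findings

def unpinned_pip(requirements_text):
    """Return (line_number, requirement) for each requirement not pinned with '=='."""
    findings = []
    for number, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(("#", "-")):   # blank, comment, or pip option (-r, --hash)
            continue
        requirement = line.split(";", 1)[0].strip()   # ignore environment markers
        requirement = requirement.split(" --hash", 1)[0].rstrip(" \\")
        if not PIP_EXACT.match(requirement):
            findings.append((number, requirement))
    return findings

if __name__ == "__main__":
    for section, name, spec in unpinned_npm(SAMPLE_PACKAGE_JSON):
        print(f"package.json [{section}] {name}: '{spec}' is not an exact version")
    for number, requirement in unpinned_pip(SAMPLE_REQUIREMENTS):
        print(f"requirements.txt line {number}: '{requirement}' is not pinned with ==")
```

An exact pin only keeps a later release from being picked up automatically; it does not help if the pinned version itself is the compromised one, so pair it with a committed lockfile and integrity hashes.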







