A fresh Mini Shai-Hulud supply chain attack compromised more than 320 NPM packages, spreading through GitHub Actions and a VS Code extension to affect widely used developer and CI/CD environments. Researchers say the campaign also targeted Microsoft’s Durabletask Python SDK and used stolen credentials, GitHub-hosted payloads, and republished malicious packages to expand its reach. #MiniShaiHulud #TeamPCP #timeagojs #echartsforreact #Durabletask
Keypoints
- Over 320 NPM packages were hit in the latest Mini Shai-Hulud campaign.
- The NPM maintainer account atool was compromised and used to publish malicious package versions.
- The attack spread to echarts-for-react and other popular packages, impacting CI environments.
- Malicious code stole GitHub Actions secrets and credentials from cloud, vault, and wallet paths.
- Microsoft’s Durabletask Python SDK and actions-cool/issues-helper were also compromised in the campaign.
Read More: https://www.securityweek.com/over-320-npm-packages-hit-by-fresh-mini-shai-hulud-supply-chain-attack/