4 malicious npm packages with 3,006 downloads spread stealers and Phantom Bot, forcing removals and secret rotation.
Ravie LakshmananMay 18, 2026Supply Chain Attack / Botnet
Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP.
The list of identified packages is below -
chalk-tempalte (825 Downloads)
@deadcode09284814/axios-util (284 Downloads)
822K Downloads at Risk: Malicious node-ipc Versions Spotted Stealing AWS and Private Keys
OpenAI caught in TanStack npm supply chain chaos after employee devices compromised
Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight
Popular node-ipc npm package compromised to steal credentials
OpenAI confirms security breach in TanStack supply chain attack
Slowmist confirmed three malicious node-ipc npm versions on May 14, 2026, stealing AWS keys, SSH secrets, and .env files via DNS…
Six-minute supply chain blitz pushed 84 malicious versions with credential theft and disk-wiping code
TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm…
Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering…
Where it’s been well and truly forked, seemingly without Microsoft’s code locker noticing
Hundreds of software packages are affected, once again threatening enterprise credentials on coders’ machines.
