4 malicious npm packages with 3,006 downloads spread stealers and Phantom Bot, forcing removals and secret rotation.

Slowmist confirmed three malicious node-ipc npm versions on May 14, 2026, stealing AWS keys, SSH secrets, and .env files via DNS tunneling.

4 malicious npm packages with 3,006 downloads spread stealers and Phantom Bot, forcing removals and secret rotation.

The Shai-Hulud malware leaked last week is now used in new attacks on the Node Package Manager (npm) index, as infected packages emerged over the weekend.

The largest incident yet is a warning that developers should urgently check package security, say experts.

Plus three other stealers in three other packages, all from the same scumbag

Mini Shai-Hulud hits @antv and echarts-for-react via npm maintainer compromise, exposing 1.1M weekly downloads to credential theft.

Popular JavaScript modules including size-sensor and echarts-for-react hit as hijacked account closed GitHub warnings

Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign.

A self-replicating worm that hijacks GitHub Actions pipelines to publish malicious npm packages has struck again, compromising AntV, echarts-for-react,

A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension.