
Hackers Have Compromised Dozens of Popular Open Source Packages in an Ongoing Supply-Chain Attack
Why It Matters
The breach demonstrates how a single compromised maintainer can expose millions of downstream users, raising urgent supply‑chain security concerns for enterprises that rely on open‑source components.
Key Takeaways
- Hackers released 630 malicious versions across 317 packages in 20 minutes
- Attack targets open-source maintainers to inject credential‑stealing code
- Antv library from Alibaba among compromised packages
- OpenAI employees compromised via TanStack library breach
Pulse Analysis
The latest wave of supply‑chain attacks surfaced on May 19, when cybersecurity firms StepSecurity and SafeDep reported that threat actors hijacked a developer’s account and pushed more than 630 malicious releases across 317 open‑source packages in roughly 20 minutes. The rapid distribution leveraged the trust inherent in npm‑style registries, allowing the code to flow downstream to thousands of applications. Researchers have labeled the campaign “Mini Shai‑Hulud,” noting its similarity to earlier, larger‑scale intrusions that also exploited open‑source maintainers.
The malicious payloads are designed to harvest credentials for password managers and cloud services, turning compromised development environments into footholds for broader data exfiltration. High‑profile victims such as Alibaba’s Antv library and two OpenAI engineers—through the TanStack library—illustrate how quickly a single compromised maintainer can affect industry leaders. Enterprises that embed third‑party components without rigorous verification now face heightened risk, prompting a shift toward mandatory two‑factor authentication for maintainers and stricter code‑review pipelines.
Security teams are responding by tightening software bill of materials (SBOM) practices, integrating automated provenance checks, and encouraging the adoption of signed packages. The Mini Shai‑Hulud incidents underscore the need for a coordinated industry effort, including faster vulnerability disclosure and shared threat intelligence. As open‑source remains the backbone of modern development, organizations that invest in proactive supply‑chain defenses will be better positioned to mitigate future attacks and protect both their codebases and end‑user data.
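One control that follows directly from the 20‑minute release burst described above is a release‑age gate: hold any locked dependency whose version is only days old, or whose publish time the registry cannot confirm, until a human has looked at it. The script below is an added example, not code from the article or from the firms it cites; the package names, versions and timestamps are constructed, and in practice the inputs would be the project's package-lock.json and the `time` map from the registry's per‑package document.

```python
from datetime import datetime
# Constructed sample of a package-lock.json (lockfileVersion 3 layout); in
# practice this is json.load(open("package-lock.json")).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app"},
        "node_modules/left-pad-ish": {"version": "1.4.2"},
        "node_modules/chart-helpers": {"version": "3.9.1"},
        "node_modules/@acme/widgets": {"version": "0.3.0"},
    },
}
# Constructed sample of the "time" map in a registry package document
# (https://registry.npmjs.org/<package>): each version, plus "created" and
# "modified", mapped to its publish timestamp. All values are hypothetical.
SAMPLE_REGISTRY_TIME = {
    "left-pad-ish": {"created": "2023-11-02T09:00:00.000Z", "1.4.2": "2023-11-02T09:00:00.000Z"},
    "chart-helpers": {"3.9.0": "2024-02-14T12:00:00.000Z", "3.9.1": "2024-04-30T14:07:00.000Z"},
    "@acme/widgets": {"0.2.9": "2024-01-20T10:00:00.000Z"},  # locked 0.3.0 has no record
}

def _ts(iso):
    """Parse a registry timestamp (trailing "Z") into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def locked_deps(lock):
    """Yield (name, version) for every installed dependency, scoped or nested."""
    for path, meta in lock["packages"].items():
        if path.startswith("node_modules/"):
            yield path.rsplit("node_modules/", 1)[1], meta["version"]

def too_fresh(lock, registry_time, now_iso, min_age_days=7):
    """Return (name, version, age_minutes) for each dependency whose locked
    version was published less than min_age_days ago, or that has no publish
    record at all (age_minutes is None). Both should hold the install for review."""
    now, hits = _ts(now_iso), []
    for name, version in locked_deps(lock):
        ts = registry_time.get(name, {}).get(version)
        if ts is None:
            hits.append((name, version, None))
        elif (now - _ts(ts)).days < min_age_days:
            hits.append((name, version, round((now - _ts(ts)).total_seconds() / 60, 1)))
    return hits

if __name__ == "__main__":  # constructed clock, 13 minutes after chart-helpers 3.9.1 appeared
    for name, ver, age in too_fresh(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME, "2024-04-30T14:20:00Z"):
        print(f"HOLD {name}@{ver}:", "no publish record" if age is None else f"{age} min old")
```

The age gate complements, rather than replaces, the provenance and signature checks the article mentions: a freshly published version may be perfectly legitimate, but a mass release across hundreds of packages will always show up as a cluster of near‑zero ages.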