
Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks
Why It Matters
The widespread compromise threatens the integrity of critical development ecosystems, exposing developers and enterprises to credential theft and downstream malware infection. It forces organizations to reassess package‑validation practices and invest in stronger supply‑chain security.
Key Takeaways
- Over 100 NPM and PyPI packages infected by Shai‑Hulud variants
- Miasma variant compromised 57 NPM packages, with 300+ malicious versions published
- Hades variant spread through 29 PyPI packages, targeting bioinformatics and ML tools
- Worm harvests credentials and self‑propagates across developer environments
Pulse Analysis
Supply‑chain attacks on open‑source software have moved from isolated incidents to coordinated campaigns, and the latest Shai‑Hulud worm exemplifies this shift. First identified in September 2025, the worm's source code was subsequently published, enabling multiple threat actors to clone and adapt it. By leveraging NPM's install‑time lifecycle hooks and Python's site‑packages `.pth` files (which the interpreter processes at every start‑up), the malware embeds itself in widely used libraries, turning ordinary development tools into vectors for credential harvesting and data exfiltration.
The Miasma and Hades variants illustrate the worm's evolving tactics. Miasma injects a malicious _binding.gyp_ file into NPM packages: when a package ships a _binding.gyp_ and declares no explicit install or preinstall script, npm runs `node-gyp rebuild` on its own, so scanners that only look for lifecycle scripts in _package.json_ miss the execution path. That implicit build deploys a multi‑stage dropper that scans for API keys, cloud tokens, and other secrets. Within weeks, analysts recorded 57 compromised NPM packages and more than 300 malicious versions, including packages such as the Vapi server SDK and Wrangler‑deploy. Hades, the PyPI counterpart, uses a *‑setup.pth* loader (Python executes any `.pth` line beginning with `import` when it starts) to fetch the Bun JavaScript runtime, then executes JavaScript payloads that mirror Miasma's credential‑stealing behavior. Its second wave added 29 infected packages across bioinformatics, graph‑machine‑learning, and other specialized domains, employing a split‑loader technique to evade detection.
For enterprises and developers, the fallout is a stark reminder that trust in third‑party libraries is fragile. Organizations must adopt automated SBOM generation, enforce strict provenance verification, and integrate runtime monitoring that can detect anomalous install‑time activity, including implicit native builds and `.pth` loaders rather than only declared post‑install scripts. The registries themselves are also under pressure to improve vetting processes and accelerate removal of malicious artifacts. As supply‑chain threats continue to mature, a layered defense that combines tooling, policy, and developer education will be essential to safeguard the software supply chain.
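The two execution paths described above can be audited locally. The script below is an added example written for this article, not code from the article, from npm or PyPI, or from any vendor research it summarises. It does not fingerprint Miasma or Hades; it reports the generic conditions they depend on: an unpacked npm package that will run code on install (an explicit lifecycle script, or a `binding.gyp` with no explicit install or preinstall script, which makes npm run `node-gyp rebuild` implicitly) and a site‑packages `.pth` file whose lines begin with `import`, which Python's `site` module hands to `exec()` on every interpreter start. The package names and file contents in `demo()` are constructed fixtures, not real packages.

```python
"""Flag install-time execution paths in node_modules and site-packages.

Added example for this article (not the article's or any vendor's code).
Fixture names and contents in demo() are constructed for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

NPM_LIFECYCLE = ("preinstall", "install", "postinstall")
# site.py exec()s every .pth line that starts with "import " or "import\t".
PTH_EXEC_LINE = re.compile(r"^import[ \t]")


def audit_npm_package(pkg_dir: Path, label: str) -> list[str]:
    """Return findings for one unpacked npm package directory."""
    findings = []
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return findings
    try:
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts") or {}
    except (ValueError, UnicodeDecodeError):
        return [f"{label}: unreadable package.json"]
    for hook in NPM_LIFECYCLE:
        if hook in scripts:
            findings.append(f"{label}: explicit {hook} script {scripts[hook]!r}")
    # npm adds the implicit `node-gyp rebuild` install step only when neither
    # install nor preinstall is declared; a postinstall does not suppress it.
    if (pkg_dir / "binding.gyp").is_file() and not ({"install", "preinstall"} & scripts.keys()):
        findings.append(f"{label}: binding.gyp with no explicit install script "
                        "(npm runs 'node-gyp rebuild' implicitly)")
    return findings


def audit_node_modules(root: Path) -> list[str]:
    """Walk an installed tree; nested and scoped (@org/pkg) packages included."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        pkg_dir = manifest.parent
        findings.extend(audit_npm_package(pkg_dir, str(pkg_dir.relative_to(root))))
    return findings


def audit_pth_file(pth: Path) -> list[str]:
    """Report every line of a .pth file that the interpreter would exec()."""
    findings = []
    for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
        if PTH_EXEC_LINE.match(line):
            findings.append(f"{pth.name}:{lineno}: executed at interpreter start-up: {line.strip()!r}")
    return findings


def audit_site_packages(site: Path) -> list[str]:
    """Audit all top-level .pth files in a site-packages directory."""
    findings = []
    for pth in sorted(site.glob("*.pth")):
        findings.extend(audit_pth_file(pth))
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build constructed fixtures in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        site = Path(tmp) / "site-packages"
        fixtures = {
            # clean: only a test script, nothing runs at install time
            nm / "clean-lib/package.json": json.dumps({"name": "clean-lib", "scripts": {"test": "jest"}}),
            # implicit native build: binding.gyp, no install/preinstall script
            nm / "native-addon/package.json": json.dumps({"name": "native-addon", "version": "1.0.0"}),
            nm / "native-addon/binding.gyp": '{"targets": [{"target_name": "addon", "sources": ["addon.cc"]}]}',
            # explicit lifecycle hook in a scoped package
            nm / "@scope/hooked/package.json": json.dumps(
                {"name": "@scope/hooked", "scripts": {"postinstall": "node setup.js"}}),
            # a plain path entry (benign) and an import line (executed at start-up)
            site / "extra-paths.pth": "/opt/extra-libs\n",
            site / "suspicious-setup.pth": "import importlib; importlib.import_module('some_pkg._bootstrap')\n",
        }
        for path, content in fixtures.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content, encoding="utf-8")
        return audit_node_modules(nm), audit_site_packages(site)


if __name__ == "__main__":
    for finding in (f for group in demo() for f in group):
        print(finding)
```

Point `audit_node_modules()` at a project's `node_modules` and `audit_site_packages()` at the output of `python -c "import site; print(site.getsitepackages())"` to run it against a real environment. Expect benign hits: native addons legitimately ship `binding.gyp`, and setuptools and editable installs legitimately use `import` lines in `.pth` files, so the output is a review queue, not a verdict.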