AI Threat Protection

Your engineering team loves AI, and the bad guys do too

Executing a sophisticated supply chain attack used to require time, resources, and a skilled team. AI has removed all three constraints. Attacks now move at machine speed, and businesses can't keep up — except the ones protected by Chainguard.

Talk to an expert Create a free account

Major malware attacks on open source

A running record of the supply chain attacks targeting open source registries. Each entry below breaks down what happened, the impact, how to remediate, and why Chainguard customers were not affected.

May 22, 2026

An attacker compromised the maintainer of the Laravel-Lang GitHub organization and, in a 15-minute automated burst, rewrote every git tag across four popular Composer packages. The rewritten tags inject a malicious autoload file that fires the moment any Laravel application boots, dropping a hidden PHP loader that harvests cloud credentials, CI secrets, browser passwords, SSH keys, and cryptocurrency wallets to a typosquatted domain before deleting itself from disk.

Maintainer Compromise

Attack overview

Compromised artifacts

Packagist Packages:

laravel-lang/lang (502 versions)laravel-lang/attributes (86 versions)laravel-lang/http-statuses (66 versions)laravel-lang/actions (46 versions)

The attacker rewrote every existing git tag rather than publishing new versions, so any project running composer update or doing a fresh install resolved to poisoned code. Unlike typical registry compromises, no malicious code was committed to the official repositories. Instead, the attacker rewrote tags to point at commits in an attacker-controlled fork, leaving official commit histories clean. Attackers injected malware across 650+ versions across four packages were rewritten in approximately 15 minutes, indicating org-level credential compromise. The payload abuses Composer's autoload.files mechanism to register a dropper—a first-stage loader that fetches and executes the credential stealer—at every application startup. The second-stage payload is a full credential-harvesting framework with 17 distinct collectors targeting AWS/GCP/Azure cloud metadata, Kubernetes service account tokens, HashiCorp Vault secrets, CI/CD pipeline tokens (Jenkins, GitLab, GitHub Actions, CircleCI), browser login data (with a dedicated binary to bypass Chrome v127+ App-Bound Encryption), password managers (1Password, Bitwarden, LastPass, KeePass), cryptocurrency wallets, VPN configurations, SSH keys, and environment variables. Stolen data is XOR-encrypted and exfiltrated to an attacker-controlled domain before the dropper self-deletes from disk after execution, while continuing to run from memory, making forensic detection on live systems difficult. The full downstream impact is still to be understood.

Pin Composer dependencies by committing composer.lock to version control and running composer install instead of composer update in CI. A committed lockfile with a pre-attack SHA would have prevented this entirely.

Inspect composer.lock for these packages. If the lockfile was regenerated on or after 2026-05-22 23:41 UTC, treat the environment as compromised.

Rotate all secrets accessible to the compromised environment: CI tokens, cloud credentials, GitHub PATs, and deploy keys.

Block egress to flipboxstudio[.]info on all CI runners and developer machines.

Audit outbound DNS and HTTPS logs retroactively for requests to flipboxstudio[.]info to determine whether exfiltration occurred before the block was in place.

Check running processes for orphaned php and unnamed ELF processes with ppid=1 executing from deleted paths under /tmp.

Check /tmp/.laravel_locale/ for the dropper's execution marker — its presence confirms the dropper ran on that host.

Inspect git commit author metadata in vendor/laravel-lang/ for Your Name you@example.com — a direct indicator of malicious commits.

Chainguard protection

UNAFFECTED Chainguard Artifacts

Why Chainguard is safe

Chainguard's Laravel container image is built from verified upstream source and does not pull dependencies from Composer at runtime. The compromised laravel-lang packages were distributed through rewritten git tags on GitHub, which only affect environments that resolve Composer dependencies dynamically. Chainguard container images pin all dependencies at build time against verified source, so the poisoned tags were never incorporated.

May 19, 2026

@antv / Mini Shai-Hulud Wave 5

A compromised npm maintainer account published 639 malicious package versions across 323 packages in Alibaba’s AntV data visualization ecosystem in a 22-minute automated burst — the latest wave of Mini Shai-Hulud, the self-propagating npm supply chain worm that has hit CrowdStrike packages, the Nx build system, and TanStack over the past eight months. The payload fires via preinstall lifecycle hooks, sweeps 130+ credential file patterns, scrapes GitHub Actions runner memory to bypass secret masking, and exfiltrates via an OpenTelemetry-disguised HTTPS endpoint and a GitHub dead-drop under the victim's own account. Persistent backdoors are installed into Claude Code and VS Code configurations, and a long-lived C2 daemon enables arbitrary code execution on compromised machines indefinitely.

Install-Time Script

Attack overview

Compromised artifacts

echarts-for-react@3.0.7, 3.1.7, 3.2.7timeago.js@4.1.2, 4.2.2size-sensor@1.0.4, 1.1.4, 1.2.4@antv/scale@0.6.2, 0.7.2@antv/g6@5.2.1, 5.3.1

The compromised packages collectively represent approximately 16 million weekly downloads spanning enterprise data visualization, charting, graph visualization, geospatial mapping, and spreadsheet rendering. The payload harvests the full AWS credential chain, Google Cloud, Azure, GitHub tokens, npm publish tokens, SSH keys, Kubernetes service account tokens, HashiCorp Vault tokens, Stripe keys, database connection strings, cryptocurrency wallets, and Claude AI API credentials. In GitHub Actions environments, the payload reads Runner.Worker process memory directly via /proc/[pid]/mem, recovering every masked secret in plaintext. A self-replicating worm component uses stolen npm tokens to automatically poison additional packages, extending the blast radius beyond the initial atool account compromise. Over 2,500 attacker-created GitHub repositories are publicly visible, each representing a confirmed credential theft from a unique environment.

Clear caches and reinstall using pinned package versions published before 2026-05-19 01:39 UTC.
Remove persistence before rotating credentials: stop and disable kitty-monitor systemd service (Linux) or LaunchAgent (macOS), delete ~/.local/share/kitty/cat.py, ~/.local/bin/gh-token-monitor.sh, .claude/settings.json, .claude/setup.mjs, .vscode/tasks.json, .vscode/setup.mjs, and .github/workflows/codeql.yml.
Rotate all credentials in this order: npm tokens, GitHub PATs and Actions secrets, AWS keys, GCP service accounts, Azure service principals, Kubernetes service account tokens, Vault tokens, SSH keys, database connection strings, and all remaining API keys.
Audit GitHub account for unexpected public repositories with Dune-universe names or the description niagA oG eW ereH :duluH-iahS.
Block t.m-kosche.com at the network perimeter for all CI runners and developer machines.

Chainguard protection

UNAFFECTED Chainguard Artifacts

JavaScript Libraries

Why Chainguard is safe

Mini Shai-Hulud delivers its payload exclusively via npm lifecycle hooks: preinstall, postinstall, and prepare. Mini Shai-Hulud delivers its payload exclusively via npm lifecycle hooks: preinstall, postinstall, and prepare. Chainguard builds JavaScript libraries from source and does not include packages that require install-time scripts. The malicious AntV versions were never built into the Chainguard Libraries catalog, and the hooks that trigger the payload were never present. Customers using Chainguard Repository's upstream npm fallback are also protected — the default cooldown policy blocked the malicious versions from being served during the 39-minute attack window.

May 14, 2026

An attacker published three malicious versions of node-ipc directly to npm, injecting a credential harvester into the CommonJS entry point while leaving the ESM entry point clean. The payload fires on every require('node-ipc'), sweeps over 90 credential file patterns, and exfiltrates via DNS TXT queries to Google DNS and HTTPS POST to a typosquatted Azure domain.

Backdoored package

May 11, 2026

Mini Shai Hulud: npm & PyPI Worm

The TeamPCP campaign that began with the SAP compromise on April 29 returned at scale. Attackers exploited pull_request_target workflow vulnerabilities to hijack @TanStack's CI/CD pipeline and push malicious lifecycle scripts into 42 @TanStack packages across 84 versions. The poisoned @TanStack packages carried valid SLSA provenance — signed by TanStack's own CI pipeline — making them indistinguishable from legitimate releases. From there, the blast radius expanded to include 400+ npm and PyPI package versions across 100+ namespaces — including @mistralai, @uipath, and @squawk. Collectively, these dependencies have 500M+ monthly downloads. The malware silently harvests CI/CD secrets, cloud credentials, and GitHub tokens and includes a deadman's switch that deletes a developer's entire repository if the credential harvester's permissions are revoked. Note: This attack is different than the typosquat/brandsquat attack against TanStack from April 29, 2026.

Install-Time Script

Attack overview

Compromised artifacts

@tanstack/* (42 packages, 84 versions)@uipath/* (66 packages, 66 versions)@squawk/* (22 packages, 110 versions)@mistralai/* (3 packages, 9 versions)@tallyui/* (10 packages, 30 versions)@beproduct/nestjs-auth (18 versions)and 50 more versions across 15+ dependencies

mistralai@2.4.6guardrails-ai@0.10.1

Malicious lifecycle hooks exfiltrated GitHub tokens, npm publish credentials, AWS/Azure/GCP keys, Kubernetes configs, and environment variables from developer machines and CI/CD runners. The malware persists long after the infected package is removed: by writing itself into .claude/settings.json and .vscode/tasks.json, it re-executes every time a developer uses Claude Code or opens VS Code in the affected project directory. npm uninstall does not fix this. The novel deadman's switch makes standard incident response ineffective: rotating compromised credentials — the first thing any security team does — triggers automatic deletion of the developer's entire home directory, turning remediation into a destructive event. This is the first documented npm worm to ship with valid, attacker-generated SLSA provenance. The malicious packages were signed by TanStack's own CI pipeline, meaning cryptographic provenance (a signal defenders rely on to distinguish legitimate packages from tampered ones) provided no protection here. The deliberate targeting of @mistralai, @uipath, and AI tooling broadly signals this campaign's focus on AI development pipelines.

Check developer machines and project roots for gh-token-monitor daemon and remove it before rotating any GitHub tokens as the deadman's switch triggers on revocation.
Audit .claude/ and .vscode/ directories for router_runtime.js, setup.mjs, and unfamiliar entries in settings.json or tasks.json. These persist after npm uninstall.
Once persistence is cleared, rotate all credentials: GitHub tokens, npm tokens, AWS/Azure/GCP keys, Kubernetes service account tokens, and Vault tokens.

Chainguard protection

UNAFFECTED Chainguard Artifacts

Python Libraries

JavaScript Libraries

Why Chainguard is safe

Compromised packages in this third Shai-Hulud wave used npm lifecycle scripts to execute credential-stealing payloads during install-time. Currently, Chainguard does not rebuild packages with install-time scripts as they are a prominent attack vector. For customers using the Chainguard Repository cooldown set for at least 24 hours are not impacted, too.

Apr 30, 2026

intercom-client

A compromised GitHub account (nhur) triggered an automated CI publish workflow via a now-deleted branch, pushing v7.0.4 with two malicious files. A preinstall hook downloaded and executed an unverified Bun binary, which ran an 11.7MB obfuscated payload that harvested developer keys and credentials.

Install-Time Script

Apr 29, 2026

An attacker registered the unscoped tanstack package name on npm, brand-squatting the legitimate @TanStack/* packages with hundreds of millions of collective monthly downloads. Four malicious versions were pushed in a 27-minute window, each carrying postinstall scripts that silently collected .env, .env.local, and .env.production files and exfiltrated them to an attacker-controlled Svix ingest endpoint.

Apr 29, 2026

SAP’s Cloud Application Programming Model Libraries

Attackers compromised an SAP contributor's GitHub account and used it to push a modified workflow to a non-main branch, extracting an npm OIDC token to publish malicious versions without provenance. All four packages carried a weaponized preinstall hook that downloaded the Bun runtime and executed an 11MB obfuscated second-stage payload. Stolen data was exfiltrated to public GitHub repos created on the victim's own account with the description "A Mini Shai-Hulud has Appeared."

Install-Time Script

Apr 24, 2026

elementary-data

An attacker exploited a GitHub Actions script injection flaw via a malicious PR comment, hijacking the CI/CD pipeline to forge a signed release. The backdoored v0.23.3 contained a .pth file that stole developer credentials, cloud keys, and API tokens. Live for ~12 hours.

Source code manipulation

Mar 31, 2026

A North Korean threat actor built a social engineering campaign to compromise a maintainer of axios, gaining access to his npm account. Two malicious versions introduced a hidden post-install dependency that dropped a cross-platform RAT on macOS, Windows, and Linux. Live for ~3 hours.

Backdoored package

Mar 27, 2026

TeamPCP used stolen PyPI credentials to publish two malicious versions with no corresponding source on GitHub. A three-stage payload acted as a RAT, exfiltrating credentials disguised within a WAV audio file. Live for ~6 hours.

Backdoored package

Mar 24, 2026

TeamPCP used PyPI credentials stolen via the Trivy breach to publish two backdoored malicious versions. A hidden .pth file auto-executed on Python startup, harvesting SSH keys, cloud credentials, and Kubernetes configs before exfiltrating to an attacker-controlled domain. Live ~40 minutes.

Backdoored package

Mar 20, 2026

Using npm tokens stolen via the Trivy compromise, TeamPCP published malicious versions of 140+ packages with post-install scripts deploying a self-propagating worm. The C2 was built on ICP blockchain, making it resistant to conventional takedowns.

Install-Time Script

Mar 19, 2026

TeamPCP used compromised credentials to force-push 75 of 76 version tags in trivy-action to credential-stealing malware and replaced all tags in setup-trivy. The attack included pushing malicious Trivy Docker images (v0.69.5, v0.69.6). The payload harvested API tokens, cloud credentials, SSH keys, and Kubernetes configs from CI/CD runners.

CI/CD Hijacking

Jan 27, 2026

Attackers used compromised developer accounts to publish trojanized versions of dYdX client libraries on both npm and PyPI. The npm payload stole wallet seed phrases and device fingerprints. The PyPI payload added a RAT beaconing to a C2 server every 10 seconds.

Backdoored package

Jan 17, 2026

A bad actor published a package named sympy-dev that cloned SymPy's description verbatim, deceiving 1,100+ developers. The modified library deployed an XMRig cryptominer that only triggered when specific polynomial routines were called, evading detection for 5 days.

Sep 14, 2025

Shai-Hulud & Sha1-Hulud

Wave 1 (Sep 2025): Phished maintainer credentials were used to publish worm-style malicious packages to npm that drained crypto wallets and stole secrets. Wave 2 (Nov 2025): Stolen bot credentials deployed pre-install script malware across 25,000+ repos, publishing secrets to public GitHub repos within 72 hours.

Install-Time Script

Sep 08, 2025

A single maintainer was phished via a fake npm 2FA reset email. The attacker published malicious versions of 18 packages that injected a crypto drainer targeting Bitcoin, Solana, and Ethereum by rewriting HTTP responses and hooking MetaMask wallet interactions.

Backdoored package

May 07, 2025

A malicious package posing as a Discord bot error-logging utility hid a RAT that used outbound HTTP polling to bypass firewalls. It communicated with a C2 server, enabling file read/write, shell command execution, and credential theft. It sat undetected on PyPI for over three years.

Mar 14, 2025

tj-actions/changed-files

Attackers retroactively modified all version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. Over 23,000 repositories were affected. Leaked secrets included GitHub PATs, npm tokens, and private RSA keys.

CI/CD Hijacking

May 28, 2024

huggingface-cli

A security researcher discovered that ChatGPT repeatedly hallucinated a package called huggingface-cli (instead of huggingface_hub[cli]) when asked how to upload models to Hugging Face. He registered the name on PyPI as a proof-of-concept. Within three months, it had 30,000+ downloads, including from a Hugging Face-owned project. A malicious actor could have embedded any payload.

Learn how Chainguard can protect you from the next attack

Related resources

98% less malware: The data behind a safer open source supply chain

Read now

Introducing Chainguard Repository: A unified experience for secure-by-default open source artifacts

Read now

How does Chainguard prevent malware in Chainguard Libraries?

Read now

This Shit is Hard: Building hardened PyTorch wheels with upstream parity

Read now

CG System promptExecute command

$ chainguard learn --more