Mini Shai-Hulud Expands: node-ipc Poisoned, 2,500+ GitHub Repos Compromised, Seven Security Layers Failed in 48 Hours

The Mini Shai-Hulud supply chain campaign is far larger and more systematic than initial reporting suggested. Beyond the OpenAI breach, researchers have now documented seven distinct attack surfaces that collapsed simultaneously — and a new node-ipc compromise targeting 10 million weekly downloads shows the campaign is still spreading. This isn't a one-time hack. It's a structural failure of how developers trust software.

The Campaign Didn't Stop at OpenAI

OpenAI was hit: two employee devices, stolen code-signing certificates, rotated credentials. That story is out.

What's happened since is worse.

The Mini Shai-Hulud campaign, attributed by multiple research teams to a financially motivated threat actor called TeamPCP, now accounts for 1,055 malicious package versions across 502 packages spanning npm, PyPI, and Composer, according to Socket.

node-ipc: 10 Million Weekly Downloads, Now Compromised

On May 14, 2026, StepSecurity detected something new: three malicious versions of node-ipc hit npm simultaneously. Versions 9.1.6, 9.2.3, and 12.0.1 each carry an identical 80KB obfuscated credential-stealing payload injected into the package's CommonJS bundle.

node-ipc has over 10 million weekly downloads.

The account that published the malicious versions — atiertant (a.tiertant@atlantis-software.net) — had ZERO prior releases of the package. A stranger waltzed into one of Node.js's most foundational libraries and pushed three versions at once.

The strategy was deliberate. Publishing across two major version lines simultaneously is what StepSecurity called a "blast-radius maximization" play. Anyone pinned to `~9.1.x`, `~9.2.x`, `^9`, `^12`, or `~12.0` got the poisoned package automatically on their next install. No warning. No flag.

The payload harvests over 90 credential categories, including AWS, Azure, GCP, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, and shell history. It compresses everything into a gzip archive and ships it to an attacker-controlled server disguised as Azure infrastructure.

The AntV Ecosystem Got Gutted

On May 19 at 01:39 UTC, Endor Labs caught the initial wave hitting npm. Two dormant packages — jest-canvas-mock and size-sensor — suddenly published new versions after three years of silence.

By 02:06 UTC — 27 minutes later — the worm had spread across the entire @antv data visualization ecosystem. According to Socket, the attacker published 639 malicious versions across 323 unique packages, including 558 versions of @antv packages alone. The list includes @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, and echarts-for-react, which carries roughly 1.1 million weekly downloads according to Socket.

The stealer payload targets more than 20 credential types and attempts Docker container escape via the host socket. After collection, data is serialized, compressed, encrypted, and exfiltrated to `t.m-kosche[.]com:443` and `filev2.getsession[.]org/file/` via the Session P2P network.

The fallback mechanism uses stolen GitHub tokens to create public repositories under the victim's own account and commits the stolen data as a JSON file. The repository description? "niagA oG eW ereH :duluH-iahS" — which reversed reads: "Shai-Hulud: Here We Go Again."

As of reporting, The Hacker News documented more than 2,500 GitHub repositories containing that marker.

The Nx Console Attack: 6,000 Infections in 40 Minutes

One day before the npm wave, StepSecurity documented an attack on the Nx Console VS Code extension — over 2.2 million lifetime installs. Version 18.95.0 was published using stolen credentials on May 18 and stayed live for under 40 minutes.

In that window, Nx internal telemetry showed approximately 6,000 activations, compared to just 28 official downloads. The other 5,972 came from auto-update.

The payload specifically harvested Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens, according to StepSecurity.

Sigstore Verified the Crime

On May 19, 633 malicious npm package versions passed Sigstore provenance verification, according to VentureBeat. The system confirmed the packages were built in a CI environment, issued valid certificates, and logged everything in the transparency record.

Sigstore verified the process. It cannot verify whether the human holding the credentials authorized the publish. The attacker used stolen credentials to generate legitimate signing certificates. The security system saw valid paperwork and waved the truck through.

VentureBeat reported that StepSecurity confirmed the Mini Shai-Hulud payload contained full Sigstore integration — meaning attackers could sign and publish downstream npm packages that carried valid provenance attestations.

Seven Attack Surfaces, 48 Hours

Research teams from Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC, and LayerX have each independently documented failures — and no single vendor framework covers all of them.

According to VentureBeat, seven distinct attack surfaces failed between May 18 and May 19 alone: npm provenance forgery, VS Code extension credential theft, MCP server auto-execution, CI/CD agent prompt injection, agent framework code execution, IDE credential storage exposure, and more.

What This Means for You

If your organization uses auto-updating dependencies, runs npm installs without pinned lockfiles, or relies on VS Code extensions — you face substantial exposure.

StepSecurity's guidance is blunt: if you installed any of the compromised node-ipc versions, assume every secret accessible in that environment is already gone.
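
As an added example (not StepSecurity's tooling and not code from the article), the sketch below checks a parsed package-lock.json for the three node-ipc versions named above and tests whether a package.json range such as `^9` or `~12.0` would admit them. The `some-tool` package and the sample lockfile are constructed, and the range matcher covers only the simple forms quoted in the article.

```javascript
// Added example. Versions are the ones named in the article.
const BAD = new Map([['node-ipc', new Set(['9.1.6', '9.2.3', '12.0.1'])]]);

// Return every install path in a parsed package-lock.json (v1, v2 or v3)
// that resolved to a listed version.
function findCompromised(lock, bad = BAD) {
  const hits = [];
  const check = (path, name, version) => {
    if (bad.get(name)?.has(version)) hits.push({ path, name, version });
  };
  // v2/v3: flat "packages" map keyed by install path ("" is the root project).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(path, meta.name || path.split('node_modules/').pop(), meta.version);
  }
  // v1 only: nested "dependencies" tree (v2 repeats it, so skip to avoid duplicates).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(`${prefix}node_modules/${name}`, name, meta.version);
      walk(meta.dependencies, `${prefix}node_modules/${name}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Minimal range check for the forms quoted above (^9, ~9.1.x, ~12.0, exact pins).
// Returns null for anything else (including ^0.x) so it gets reviewed by hand.
function rangeAdmits(range, version) {
  const m = /^([~^]?)(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(range.trim());
  if (!m || (m[1] === '^' && m[2] === '0')) return null;
  const given = [];
  for (const p of m.slice(2)) {
    if (!/^\d+$/.test(p || '')) break;
    given.push(Number(p));
  }
  const v = version.split('.').map(Number);
  const keep = m[1] === '^' ? 1 : m[1] === '~' ? Math.min(given.length, 2) : given.length;
  const lower = [0, 1, 2].map((i) => given[i] || 0);
  const cmp = v[0] - lower[0] || v[1] - lower[1] || v[2] - lower[2];
  return cmp >= 0 && given.slice(0, keep).every((n, i) => v[i] === n);
}

// Constructed sample lockfile (v3 shape): one clean copy, one nested bad copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/node-ipc': { version: '9.2.1' },
  'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.3' },
} };
console.log(findCompromised(SAMPLE_LOCK));
console.log(['~9.1.x', '^12', '9.2.1'].map((r) => rangeAdmits(r, '9.1.6')));
```

A hit in the lockfile means the version was actually resolved in that tree; a `true` from `rangeAdmits` only means a fresh install without a lockfile could have pulled it.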

The node-ipc package was previously involved in the 2022 peacenotwar incident, where its author deployed a geopolitically motivated file-destruction payload. This attack involves different actors and a different payload. Same package. Same trust. Different catastrophe.

The open-source ecosystem built the internet. TeamPCP just demonstrated they can navigate it with a stolen badge and valid paperwork. Until the industry fixes the credential layer — not just the signing layer — every package manager remains a potential liability.

Sources

VentureBeat: Valid certificates, stolen accounts: how attackers broke npm's last trust signal
dailysecurityreview: OpenAI Confirms Breach via Mini Shai-Hulud npm Supply Chain Attack
stepsecurity.io: Active Supply Chain Attack: Malicious node-ipc Versions Published to npm
thehackernews: Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account