Shai-Hulud: Another Wave and Going Open Source
Blog post from Stream.Security
Shai-Hulud, a sophisticated malware campaign, has evolved through multiple waves, targeting npm and PyPI packages with increasing complexity and reach and affecting millions of downloads. The campaign steals credentials and infiltrates systems through several techniques, including preinstall and postinstall hooks, Git dependency prepare scripts, and OIDC token exploitation; most notably, a newly introduced prepare-script trick silently executes malicious payloads.

In May 2026 the threat escalated significantly when TeamPCP published the full Shai-Hulud source code on GitHub, making it accessible to a broader audience and enabling potential copycat attacks. This shifted the threat model from a single actor to a framework that anyone with basic coding skills can customize and deploy.

Traditional detection methods that focus on specific malware signatures are becoming less effective because payloads and execution methods vary from wave to wave, which calls for behavioral detection strategies that identify abnormal usage patterns of stolen credentials. By monitoring deviations from established behavioral baselines, these techniques focus on the misuse of credentials rather than on the specific malware used to obtain them, and so offer a more future-proof defense against evolving threats.
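The behavioral approach the post argues for, as an added example that is not the post's or Stream.Security's code: a small Python baseline-deviation check over constructed audit records for a CI publish token. The record fields (token, src_net, agent, action, pkg) are assumptions standing in for whatever a registry or cloud audit log exports.

```python
from collections import defaultdict

# Constructed audit records (not real data): how one CI publish token is normally used.
# Field names are assumptions; map them from whatever your registry/cloud audit log exports.
TRUSTED_WINDOW = [
    {"token": "ci-token-1", "src_net": "ci-runner", "agent": "npm/10.8", "action": "publish", "pkg": "acme-lib"},
    {"token": "ci-token-1", "src_net": "ci-runner", "agent": "npm/10.8", "action": "publish", "pkg": "acme-cli"},
    {"token": "ci-token-1", "src_net": "ci-runner", "agent": "npm/10.8", "action": "whoami", "pkg": None},
]

# Constructed later records: one normal use, then the pattern a stolen token produces
# (new network, different client, account enumeration, publish to a package it never touched).
LATER = [
    {"token": "ci-token-1", "src_net": "ci-runner", "agent": "npm/10.8", "action": "publish", "pkg": "acme-lib"},
    {"token": "ci-token-1", "src_net": "residential-isp", "agent": "curl/8.5", "action": "list-packages", "pkg": None},
    {"token": "ci-token-1", "src_net": "residential-isp", "agent": "curl/8.5", "action": "publish", "pkg": "unrelated-pkg"},
    {"token": "ci-token-9", "src_net": "ci-runner", "agent": "npm/10.8", "action": "publish", "pkg": "acme-lib"},
]

FIELDS = ("src_net", "agent", "action")

def build_baseline(records):
    """Per token: the set of values seen for each field, plus the packages it has published."""
    profile = defaultdict(lambda: {f: set() for f in FIELDS} | {"pkgs": set()})
    for r in records:
        p = profile[r["token"]]
        for f in FIELDS:
            p[f].add(r[f])
        if r["action"] == "publish":
            p["pkgs"].add(r["pkg"])
    return profile

def deviations(record, profile):
    """List the ways one record departs from its token's baseline (empty list = normal)."""
    p = profile.get(record["token"])  # .get() does not create a default entry
    if p is None:
        return ["token never seen in trusted window"]
    found = [f"new {f}={record[f]}" for f in FIELDS if record[f] not in p[f]]
    if record["action"] == "publish" and record["pkg"] not in p["pkgs"]:
        found.append(f"publish to never-before-published package {record['pkg']}")
    return found

def detect(records, profile, min_deviations=1):
    """Pair each record with its deviations, keeping only those at or above the threshold."""
    scored = ((r, deviations(r, profile)) for r in records)
    return [(r, d) for r, d in scored if len(d) >= min_deviations]

if __name__ == "__main__":
    for rec, why in detect(LATER, build_baseline(TRUSTED_WINDOW)):
        print(rec["token"], rec["action"], "->", "; ".join(why))
```

Raising `min_deviations` trades missed single-field anomalies for fewer alerts; a publish from a token's usual network to a package it has never published before is worth keeping at threshold one.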