Tracked campaign · npm

Mini Shai-Hulud (npm)

Compromised GitHub Actions OIDC trusted publisher for npm scoped packages. Injects heavily obfuscated preinstall hooks (ROT-9 → AES-128-GCM → obfuscator.io) to steal developer secrets.

1 packages attributednpm ecosystemosv source

First seen 2025-05-29

Attribution basis

These are the signal classes linking the members of this campaign — the broad evidence categories we use to attribute a package, not the raw indicators themselves.

shared malware fingerprint
OSV advisory cluster

Sample attributed packages

@redhat-cloud-services/rule-components@4.7.2

PkgRadar attributes coordinated supply-chain campaigns and blocks their packages at the CI gate. Start free or see all tracked campaigns.