New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages
TL;DR
- Sonatype Security Research is tracking a new Shai-Hulud Miasma wave with 281 malicious npm package versions that move beyond obvious preinstall and postinstall scripts in package.json.
- This variant abuses binding.gyp to trigger execution through node-gyp during npm install and can collect developer and CI/CD data, steal credentials, validate access, and self-propagate.
- Organizations that installed affected versions should treat impacted environments as potentially compromised, rotate credentials, verify package artifacts, and investigate follow-on activity.
Shai-Hulud has re-emerged in a campaign with 281 malicious package versions across the npm ecosystem. This latest wave is part of the campaign dubbed “Miasma: The Spreading Blight” and abuses trust in open source packages to spread through software supply chains.
What makes this wave notable is the change in execution method. Instead of relying only on obvious preinstall or postinstall scripts in package.json, this variant abuses binding.gyp, a file normally used by packages with native Node.js add-ons. The campaign collects data and credentials before, if permissions allow, publishing new malicious versions of legitimate packages.
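As an added example, not code from Sonatype's post or its tooling: a Python triage script that inventories installed packages with an install-time execution path, meaning declared preinstall/install/postinstall scripts or a root binding.gyp (npm defaults the install step to node-gyp rebuild when one exists and no install/preinstall script is declared), and flags gyp command expansions (`<!(cmd)`) and `actions` entries, which node-gyp executes at configure or build time. The post does not say which gyp feature this wave uses, so treating those two as the indicators is an assumption, and the sample packages are constructed.

```python
import ast, json, re, tempfile
from pathlib import Path

CMD_EXPANSION = re.compile(r"<!@?\(")  # gyp "<!(cmd)" / "<!@(cmd)" runs cmd when node-gyp configures
LIFECYCLE = ("preinstall", "install", "postinstall")

def gyp_findings(node, path=""):
    """Recursively collect build-time command hooks from a parsed binding.gyp dict."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "actions":  # explicit commands node-gyp runs during the build
                found.append(f"{path}/actions: build-time command(s) declared")
            found += gyp_findings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found += gyp_findings(value, f"{path}[{i}]")
    elif isinstance(node, str) and CMD_EXPANSION.search(node):
        found.append(f"{path}: command expansion {node!r}")
    return found

def triage_package(pkg_dir):
    """Report the install-time execution paths of one installed package directory."""
    pkg_dir = Path(pkg_dir)
    scripts = json.loads((pkg_dir / "package.json").read_text()).get("scripts", {})
    report = {"name": pkg_dir.name, "binding_gyp": False, "gyp_findings": [],
              "lifecycle_scripts": {s: scripts[s] for s in LIFECYCLE if s in scripts}}
    gyp = pkg_dir / "binding.gyp"
    if gyp.exists():  # npm defaults the install step to `node-gyp rebuild` when a root
        report["binding_gyp"] = True  # binding.gyp exists and no install/preinstall script is set
        try:  # GYP files are Python dict literals; literal_eval parses them without executing anything
            report["gyp_findings"] = gyp_findings(ast.literal_eval(gyp.read_text()))
        except (SyntaxError, ValueError):
            report["gyp_findings"] = ["binding.gyp: not a plain GYP literal, inspect manually"]
    return report

def triage_tree(node_modules):  # covers scoped (@org/pkg) and unscoped packages
    nm = Path(node_modules)
    found = [triage_package(p.parent) for p in (*nm.glob("*/package.json"), *nm.glob("@*/*/package.json"))]
    return [r for r in found if r["lifecycle_scripts"] or r["binding_gyp"]]

def build_sample_tree():  # constructed sample, not real packages: a plain add-on and a suspicious one
    root = Path(tempfile.mkdtemp()) / "node_modules"
    for name in ("plain-addon", "odd-addon"):
        (root / name).mkdir(parents=True)
        (root / name / "package.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
    (root / "plain-addon" / "binding.gyp").write_text("{'targets': [{'target_name': 'plain', 'sources': ['plain.cc']}]}")
    (root / "odd-addon" / "binding.gyp").write_text(  # a configure-time command expansion in 'variables'
        "{'targets': [{'target_name': 'odd', 'sources': ['odd.cc'], 'variables': {'x': '<!(node prebuild.js)'}}]}")
    return root
```

Point `triage_tree` at a real node_modules directory to get the inventory; `triage_tree(build_sample_tree())` only exercises the checks on the constructed packages. A flagged package is a lead for manual review against its published source and the campaign indicators, not a verdict.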
Organizations that installed affected versions should treat impacted environments as potentially compromised. Removing the package is recommended, but may not be enough if credentials were exposed or follow-on activity occurred.
We are tracking this campaign through Sonatype Guide under sonatype-2026-003581.
What Happened
The Shai-Hulud campaign has resurfaced with a new Miasma wave affecting npm packages modified to include malicious install-time behavior.
Once executed, the malware is designed to:
- Collect system, user, developer configuration, and CI/CD environment data.
- Search for GitHub access tokens, package registry authentication tokens, and cloud-related secrets.
- Validate stolen credentials and enumerate accessible repositories, services, and permission levels.
- Use stolen maintainer credentials to create and publish malicious package artifacts.
That publishing capability allows attackers to push new malicious versions of legitimate packages.
*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Sonatype Security Research Team. Read the original post at: https://www.sonatype.com/blog/new-shai-hulud-miasma-wave-hits-hundreds-of-npm-packages

