Shai-Hulud Malware Infects NPM/PyPI Packages, Threatens Crypto Wallets

Shai-Hulud: the supply‑chain malware that’s worming its way into developer pipelines—and into crypto wallets A stealthy malware campaign dubbed “Shai‑Hulud” is exploiting the automated toolchains developers depend on to build and ship software, and its reach is alarming. Researchers have tied roughly 320 malicious package entries across the Node Package Manager (NPM) and PyPI repositories to the campaign—packages that together account for more than 518 million monthly downloads. For crypto projects and any teams that rely on these ecosystems, the implications are stark: attacker access to developer tooling can quickly turn into theft of cloud credentials and crypto wallets. How the infection spreads Shai‑Hulud doesn’t attack end users directly. Instead it compromises trusted packages and build pipelines so that malware gets pulled into downstream projects automatically during normal development and release processes. Because the malicious code often comes from legitimate package registries, carries valid signatures, and passes routine checks, it can blend in—making detection difficult until damage is done. Why this matters “Modern software is built by running other people’s code,” Jeff Williams, CTO of Contrast Security, told Decrypt. “Developers do not merely ‘download’ libraries. They install them, build with them, test with them, deploy with them, and eventually execute them. And if you run a malicious library, it can do almost anything you can do.” He warned that AI advances make the problem worse, likening the effect to “making a computer a double‑agent.” Real incidents and fallout - In early May, Microsoft Threat Intelligence disclosed attackers had inserted malicious code into a Mistral AI package on PyPI. The malware also fetched a file designed to look like Hugging Face’s Transformers library so it would blend into ML environments. Mistral later said an affected developer device was involved but saw no evidence its own infrastructure was compromised. - Two days later OpenAI confirmed two employee devices were infected by Shai‑Hulud‑linked malware, which briefly gave attackers access to a limited number of internal code repositories. The company reported no evidence that customer data, production systems, or intellectual property were compromised. - The campaign attracted broader attention after a May 11 attack on TanStack, a widely used open‑source JavaScript framework that powers many web and cloud apps. Scope and actors Researchers traced earlier variants of Shai‑Hulud back to September 2025 and linked them to cybercriminals operating under the handle TeamPCP. The criminal group later claimed to have stolen roughly 4,000 private GitHub repositories and offered the data for sale—GitHub says it is investigating unauthorized access to internal repos. Meanwhile, security firm OX Security reported copycat packages already circulating that steal cloud and crypto wallet credentials, SSH keys, and environment variables, and some variants also try to recruit infected machines into DDoS botnets. Technical notes and attribution clues OX Security noted that some new samples are nearly identical to a leaked Shai‑Hulud source without obfuscation, suggesting different actors are repackaging the code rather than developing new variants. That kind of reuse accelerates spread: compromise of a small or obscure package provides an attacker with a conduit into every downstream project that trusts it, allowing token theft, malicious publishing, and repeated rounds of poisoning. Why crypto projects should pay attention For blockchain and crypto teams, the attack surface includes developer machines, CI/CD, package registries, and automated publishing systems—areas that attackers are increasingly targeting because they provide high leverage. When wallet credentials, environment variables, or cloud API keys are exposed via a compromised dependency or build cache, attackers can move from developer environments into production systems and financial assets. Practical defenses Experts emphasize that the software supply chain is no longer a simple chain but a propagation network, and defenses must reflect that. Recommended mitigations include: - Tighter dependency controls and strict version pinning. - Stronger publishing safeguards and signed, verified releases. - Least‑privilege credentials for CI/CD and rotating tokens regularly. - Isolated build environments and immutable build caches. - Automated scanning for dependency tampering and threat intelligence feeds to catch malicious packages early. “Shai‑Hulud is a reminder that the attack surface extends well beyond traditional application layers and into the open‑source packages that power modern development and deployment workflows,” Joris Van De Vis, Director of Security Research at SecurityBridge, told Decrypt. For crypto builders, that means protecting the developer pipeline is as important as securing smart contracts and wallets—because a poisoned build can be the fastest route to compromised funds. Bottom line: attackers are weaponizing trusted infrastructure. Projects that rely on public packages, automated CI/CD, and shared build caches must adopt stricter controls and rapid detection to keep code—and crypto—safe.