The UK National Cyber Security Centre issued fresh guidance this month urging organizations to audit their software dependencies after a string of attacks exploited trust in popular package registries. Attackers have shifted from isolated compromises to campaigns that turn trusted libraries into vectors for credential theft and autonomous propagation across npm and PyPI.
Recent incidents show the scale. On June 1, 2026, malicious versions hit at least 32 packages under the @redhat-cloud-services npm namespace, with cumulative weekly downloads around 80,000 according to Unit 42 at Palo Alto Networks. The payload, a variant of Mini Shai-Hulud malware, used a compromised Red Hat employee GitHub account to inject code that bypasses review processes. Red Hat confirmed the incident in its security bulletin RHSB-2026-006, noting the attacker pushed malicious commits directly into repositories.
Earlier waves followed the same pattern. In May 2026, TeamPCP compromised TanStack packages through GitHub Actions pipeline abuse, publishing 84 malicious artifacts across 42 packages in minutes before self-propagation expanded the reach to 373 malicious versions spanning 169 npm packages and several on PyPI. Orca Security documented the attack, which stole CI/CD secrets and targeted environments at companies including OpenAI. Microsoft identified a parallel compromise of @antv packages that enabled similar credential harvesting from developer and build systems.
Sonatype’s 2026 State of the Software Supply Chain report quantifies the broader shift. The firm blocked over 454,600 new malicious packages in 2025 alone, pushing the cumulative total past 1.23 million across major registries. More than 99 percent appeared on npm. Self-replicating malware like the original Shai-Hulud worm, first observed in September 2025, marked a turning point by spreading without constant attacker intervention.
Another campaign, TrapDoor, emerged in May 2026 and distributed credential-stealing malware across 34 packages and more than 384 versions on npm, PyPI, and Crates.io. Socket Security tracked the effort, which targeted developers working with cryptocurrency, AI tools, and cloud infrastructure. The malware harvested SSH keys, cloud credentials, and wallet data while establishing persistence.
These attacks exploit automation that DevSecOps teams rely on daily. CI/CD pipelines pull dependencies on every build. A single tainted package can exfiltrate tokens from runner memory, publish new malicious versions under stolen maintainer accounts, and infect downstream projects. NCSC guidance stresses reviewing recent package updates, identifying unexpected dependencies, and maintaining an inventory such as a software bill of materials.
Provenance checks offer partial protection, yet attackers have adapted. In the TanStack case, malicious releases carried valid npm attestations because they originated from compromised but legitimate GitHub Actions runners using OIDC tokens. Static scanners miss multi-stage payloads that hide in postinstall scripts or use steganography, as seen in earlier 2026 incidents involving LiteLLM and Telnyx packages.
Fragmented tooling compounds the problem. Many teams scan for known CVEs but lack visibility into account takeovers or worm behavior. RapidFort noted four major supply chain attacks in the first quarter of 2026 alone, hitting widely downloaded tools used in container scanning, AI inference, and HTTP clients.
GitGuardian observed three simultaneous campaigns in April 2026 targeting secrets across npm, PyPI, and Docker Hub. The common thread remains credential theft from developer workstations and pipelines, followed by attempts to expand access.
NCSC recommends enforcing stricter controls on package publishing and pipeline permissions. Organizations should audit developer and registry accounts for unauthorized activity. Reducing dependency complexity where possible limits the attack surface. Dependency scanning tools help detect known compromised packages, but teams must also monitor for behavioral anomalies such as unexpected network calls during installs.
Industry reports indicate the pace has accelerated. Phoenix Security tracked 59 campaigns and 657 malicious package indicators from mid-2024 through June 2026, with npm accounting for nearly 80 percent. State-linked actors have moved beyond simple droppers toward multi-stage chains that combine theft with persistence mechanisms.
Developers at affected organizations, including OpenAI, responded by rotating credentials and reviewing build logs after the TanStack incident. No user data or production systems were compromised in that case, but the episode highlighted how quickly trust in a single namespace can cascade.
Red Hat packages hit in June carried a 4.2 MB obfuscated JavaScript payload executed via preinstall hooks. The malware scrapes environment variables and file paths for secrets before exfiltrating them. Similar techniques appeared in prior Mini Shai-Hulud waves.
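The review of recent package updates and unexpected dependencies that the NCSC guidance calls for, combined with a check for the install-time hooks described above, can be run against an npm lockfile before a build pulls anything. The following is an added example, not code from the NCSC guidance or any vendor report; the package names, integrity strings and the `auditLockfileUpdate` helper are constructed for illustration, and the lockfile objects follow the npm `lockfileVersion` 3 shape.

```javascript
// Constructed sample data in npm lockfileVersion 3 shape (not from a real incident).
// npm records "hasInstallScript": true for packages that declare
// preinstall/install/postinstall scripts.
const previousLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-util": { version: "2.1.0", integrity: "sha512-CONSTRUCTED-A" },
    "node_modules/native-addon": { version: "4.0.0", integrity: "sha512-CONSTRUCTED-B", hasInstallScript: true },
  },
};
const currentLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-util": { version: "2.1.1", integrity: "sha512-CONSTRUCTED-C", hasInstallScript: true },
    "node_modules/native-addon": { version: "4.0.0", integrity: "sha512-CONSTRUCTED-B", hasInstallScript: true },
    "node_modules/left-util/node_modules/helper-x": { version: "0.0.3", integrity: "sha512-CONSTRUCTED-D" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns review findings for one lockfile update. allowedInstallScripts is a
// Set of package names the team has approved to run install-time scripts.
function auditLockfileUpdate(previous, current, allowedInstallScripts) {
  const before = previous.packages || {};
  const findings = [];
  for (const [lockPath, meta] of Object.entries(current.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    const old = before[lockPath];
    if (!old) {
      findings.push({ name, version: meta.version, reason: "new-dependency" });
    } else if (old.version !== meta.version) {
      findings.push({ name, version: meta.version, reason: "version-changed" });
    } else if (old.integrity !== meta.integrity) {
      // Same version but a different content hash: the artifact was replaced.
      findings.push({ name, version: meta.version, reason: "integrity-changed" });
    }
    if (meta.hasInstallScript && !allowedInstallScripts.has(name)) {
      findings.push({ name, version: meta.version, reason: "unapproved-install-script" });
    }
  }
  return findings;
}
```

In a pipeline, the two arguments would be the parsed `package-lock.json` from the base branch and from the proposed change, and any finding would hold the build for human review.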
Attackers now treat open source registries as distribution networks. Self-propagation removes the need for repeated human intervention after initial foothold.
Teams that treat dependencies as static components face repeated surprises. Continuous monitoring of package metadata, maintainer activity, and runtime behavior becomes necessary. NCSC points to provenance verification combined with least-privilege pipeline configurations as practical steps.
Recent coverage from The Hacker News on TrapDoor and Unit 42 on the Red Hat compromise shows the same actors iterating on proven tradecraft. Open-sourcing elements of Mini Shai-Hulud malware in May allowed faster variant development, as noted in multiple analyses.
Supply chain risk now sits at the center of software delivery. Organizations that maintain detailed inventories and enforce checks on every update reduce exposure. Those that do not risk becoming the next vector in an expanding chain of compromises.

