‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack
ID: 7c8cc080-a292-5e64-85d3-ffe9ea4bee4d
STIX ID: report--7c8cc080-a292-5e64-85d3-ffe9ea4bee4d
Feed Name: CyberScoop
A widespread software supply‑chain campaign named “mini Shai‑Hulud” compromised hundreds of open‑source packages (including high‑impact libraries such as TanStack’s React Router), embedding an obfuscated credential‑stealing worm that targets AWS, GCP, Kubernetes, Vault, and local developer secrets. Attackers abused CI/GitHub Actions via orphaned commits to publish malicious, provenance‑signed packages, persisted in developer tooling (e.g., .vscode, Anthropic Claude configs), exfiltrated data over the Session anonymous network, and issued extortion threats; researchers observed limited community spread but removed compromised versions from registries.
