Scoopfeeds — Intelligent news, curated.
Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps
ai

Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps

VentureBeat AI · May 12, 2026, 6:49 PM

Why this matters: a development in AI with implications for how people work, create, and decide.

Any development environment that installed or imported one of the 172 compromised npm or Py PI packages published since May 11 should be treated as potentially compromised. On affected developer workstations, the worm harvests credentials from over 100 file paths: AWS keys, SSH private keys, npm tokens, Git Hub PATs, Hashi Corp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. For the first time in a Team PCP campaign, it targets password managers including 1Password and Bitwarden, according to SecurityWeek. It steals Claude and Kiro AI agent configurations, including MCP server auth tokens for every external service an agent connects to. And it does not leave when the package is removed.The worm installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-execute every project open, plus a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These live in the project tree, not in node_modules. Uninstalling the package does not remove them. On CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones, on Linux-based runners. If you revoke tokens before isolating the machine, Wiz’s analysis found a destructive daemon wipes your home directory.Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend’s tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. CVE-2026-45321, CVSS 9.6. OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned.“TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2F

Article preview — originally published by VentureBeat AI. Full story at the source.
Read full story on VentureBeat AI → More top stories

More in ai

Wired
The Audemars Piguet x Swatch Collaboration Is Here for Real
Wired
Iran Is Using Tiny ‘Mosquito’ Boats to Shut Down the Strait of Hormuz
VentureBeat AI
Perceptron Mk1 shocks with highly performant video analysis AI model 80-90% cheaper than Anthropic, OpenAI & Google
TechCrunch AI
Musk mulled handing OpenAI to his children, Altman testifies
TechCrunch AI
Anthropic warns investors against secondary platforms offering access to its shares

Browse all ai coverage →

Aggregated and edited by the Scoop newsroom. We surface news from VentureBeat AI alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop