CRITICAL • SecOpsAI Intelligence

Mini Shai-Hulud crosses npm and PyPI: advisory protection for removed artifacts

Mini Shai-Hulud affected npm and PyPI packages, including removed artifacts that now receive source-backed SecOpsAI advisory detections.

Severity: Critical | By SecOpsAI Threat Research | Published: 2026-05-12 | Updated: 2026-05-12

Affected Artifacts

  • npm: @opensearch-project/opensearch versions 3.5.3, 3.6.2, 3.7.0, 3.8.0
  • PyPI: mistralai version 2.4.6
  • PyPI: guardrails-ai version 0.10.1
  • npm: @squawk/* representative confirmed versions, including @squawk/mcp@0.9.5 and @squawk/airport-data@0.7.8

What SecOpsAI Detected

Local SecOpsAI findings already identified suspicious behavior in mistralai@2.4.6, including subprocess execution, shell downloader behavior, network egress, artifact divergence, and suspicious code present in only one PyPI artifact path.

What Was Missed Before Advisory Ingestion

Scans of removed npm/PyPI artifacts, such as some @opensearch-project/opensearch, guardrails-ai, and @squawk/* versions, could previously end with the error "diff generation failed". That error was technically true but operationally weak: the version was still confirmed compromised by external reporting.

New Protection

Emergency advisories are stored as source-backed JSON under data/advisories/. The scanner checks advisories before allowlist or reputation shortcuts. If a diff succeeds, the advisory enriches the finding. If artifact fetch or diff generation fails, the advisory still creates a malicious high-confidence SOC finding.

IOCs And Behaviors

  • git-tanstack[.]com/transformers.pyz: reported payload hosting path.
  • 83[.]142[.]209[.]194/transformers.pyz: reported PyPI downloader target.
  • /tmp/transformers.pyz: Linux payload write path before execution.
  • setup.mjs and router_init.js: npm lifecycle/staged JavaScript artifacts reported in campaign analysis.
  • npm preinstall and prepare hooks: install-time execution path for npm packages.
  • import-time Python execution: PyPI import path used to download and execute a payload.

Detection Logic

secopsai supply-chain advisory check --ecosystem npm --package @opensearch-project/opensearch --version 3.8.0
secopsai supply-chain explain-verdict --ecosystem pypi --package guardrails-ai --version 0.10.1
secopsai supply-chain reconcile-history --include-advisories

Recommended Actions

  • Block listed versions in package manager policy, dependency proxies, lockfile checks, and CI admission controls.
  • Purge caches that may contain the affected artifacts.
  • Search developer machines and CI hosts for /tmp/transformers.pyz and outbound traffic to listed IOCs.
  • Rotate package registry tokens, GitHub tokens, cloud credentials, and OIDC-trusted secrets exposed to affected build contexts.
  • Rebuild from clean lockfiles after verifying maintainer guidance and known-good versions.
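
One way to implement the lockfile check from the first recommended action, as an added example (not SecOpsAI code): it matches a package-lock.json (lockfileVersion 2 or 3) and a pinned requirements file against the versions listed under Affected Artifacts. The function names and sample inputs are constructed for illustration, and flagging other @squawk/* packages as "review" is an assumption, since the advisory lists only representative versions.

```python
import json
import re

# Versions exactly as listed under "Affected Artifacts" in this advisory.
AFFECTED = {
    ("npm", "@opensearch-project/opensearch"): {"3.5.3", "3.6.2", "3.7.0", "3.8.0"},
    ("npm", "@squawk/mcp"): {"0.9.5"},
    ("npm", "@squawk/airport-data"): {"0.7.8"},
    ("pypi", "mistralai"): {"2.4.6"},
    ("pypi", "guardrails-ai"): {"0.10.1"},
}
# Assumption: other @squawk/* packages are flagged for review, not blocked.
REVIEW_SCOPES = ("@squawk/",)
PIN = re.compile(r"^\s*([A-Za-z0-9][\w.-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)")

def classify(ecosystem, name, version):
    if version in AFFECTED.get((ecosystem, name), ()):
        return "block"
    return "review" if ecosystem == "npm" and name.startswith(REVIEW_SCOPES) else None

def scan_package_lock(text):
    """Check every installed copy in a lockfileVersion 2/3 package-lock.json."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # root project ("") and workspace source directories
        # Nested copies live at a/node_modules/b; aliased installs carry "name".
        name = meta.get("name") or path.rsplit("node_modules/", 1)[1]
        version = meta.get("version", "")
        if verdict := classify("npm", name, version):
            hits.append((verdict, name, version, path))
    return hits

def scan_requirements(text):
    """Check exact name==version pins; names are PEP 503-normalised first."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else ""
        if m and classify("pypi", name, m.group(2)) == "block":
            hits.append(("block", name, m.group(2), f"line {lineno}"))
    return hits

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": {"": {"version": "1.0.0"},
    "node_modules/@opensearch-project/opensearch": {"version": "3.8.0"},
    "node_modules/a/node_modules/@squawk/mcp": {"version": "0.9.5"},
    "node_modules/@squawk/example": {"version": "1.0.0"}}})
SAMPLE_REQS = "Guardrails_AI==0.10.1\nmistralai==2.4.5\nmistralai[extra]==2.4.6\n"
```

Run both scanners in CI and fail the job on any "block" hit; range specifiers and unpinned requirements are not covered, so scan the resolved lockfile rather than the manifest.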

Timeline

  • 2026-05-11: public reporting confirmed Mini Shai-Hulud impact across npm and PyPI.
  • 2026-05-12: SecOpsAI advisory data seeded for confirmed package versions and removed-artifact handling.
