critical • SecOpsAI intelligence
Mini Shai-Hulud crosses npm and PyPI: advisory protection for removed artifacts
Executive Summary
Mini Shai-Hulud is a confirmed software supply-chain campaign affecting npm and PyPI packages. Some compromised versions were removed from public registries quickly, which is good for users but creates a scanner blind spot: artifact diffing can fail after takedown.
SecOpsAI now ships an emergency advisory ingestion path. Named compromised versions can produce high-confidence SOC findings even when the malicious artifact is no longer fetchable.
Affected Artifacts
- npm: @opensearch-project/opensearch versions 3.5.3, 3.6.2, 3.7.0, 3.8.0
- PyPI: mistralai version 2.4.6
- PyPI: guardrails-ai version 0.10.1
- npm: @squawk/* representative confirmed versions, including @squawk/mcp@0.9.5 and @squawk/airport-data@0.7.8
What SecOpsAI Detected
Local SecOpsAI findings already identified suspicious behavior in mistralai@2.4.6, including subprocess execution, shell downloader behavior, network egress, artifact divergence, and suspicious code present in only one PyPI artifact path.
What Was Missed Before Advisory Ingestion
Scans of removed npm/PyPI artifacts, such as some @opensearch-project/opensearch, guardrails-ai, and @squawk/* versions, could previously end with only a "diff generation failed" error. That error was technically true, but operationally weak: the version was still confirmed compromised by external reporting.
New Protection
Emergency advisories are stored as source-backed JSON under data/advisories/. The scanner checks advisories before allowlist or reputation shortcuts. If a diff succeeds, the advisory enriches the finding. If artifact fetch or diff generation fails, the advisory still creates a malicious high-confidence SOC finding.
IOCs And Behaviors
- git-tanstack[.]com/transformers.pyz: reported payload hosting path.
- 83[.]142[.]209[.]194/transformers.pyz: reported PyPI downloader target.
- /tmp/transformers.pyz: Linux payload write path before execution.
- setup.mjs and router_init.js: npm lifecycle/staged JavaScript artifacts reported in campaign analysis.
- npm preinstall and prepare hooks: install-time execution path for npm packages.
- import-time Python execution: PyPI import path used to download and execute a payload.
Detection Logic
secopsai supply-chain advisory check --ecosystem npm --package @opensearch-project/opensearch --version 3.8.0
secopsai supply-chain explain-verdict --ecosystem pypi --package guardrails-ai --version 0.10.1
secopsai supply-chain reconcile-history --include-advisories
Recommended Actions
- Block listed versions in package manager policy, dependency proxies, lockfile checks, and CI admission controls.
- Purge caches that may contain the affected artifacts.
- Search developer machines and CI hosts for /tmp/transformers.pyz and outbound traffic to listed IOCs.
- Rotate package registry tokens, GitHub tokens, cloud credentials, and OIDC-trusted secrets exposed to affected build contexts.
- Rebuild from clean lockfiles after verifying maintainer guidance and known-good versions.
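The lockfile check from the first action, as an added example (not SecOpsAI code): it matches pinned name and version pairs against the versions listed under Affected Artifacts, which still works after the artifact has been removed from the registry. The ADVISORY table layout, the function names and the sample inputs are assumptions constructed for illustration; for @squawk/* only the two representative versions named on this page are included.

```python
import json
import re

# Versions named in this advisory. The @squawk/* entries are only the two
# representative versions the page lists, not the full affected set.
ADVISORY = {
    ("npm", "@opensearch-project/opensearch"): {"3.5.3", "3.6.2", "3.7.0", "3.8.0"},
    ("npm", "@squawk/mcp"): {"0.9.5"},
    ("npm", "@squawk/airport-data"): {"0.7.8"},
    ("pypi", "mistralai"): {"2.4.6"},
    ("pypi", "guardrails-ai"): {"0.10.1"},
}

def normalize_pypi(name):  # PEP 503: Guardrails_AI matches guardrails-ai
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_package_lock(text):
    """Return (ecosystem, name, version) hits from a package-lock.json v2/v3."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        # Keys look like node_modules/a/node_modules/@scope/b; keep the last package.
        name = path.rpartition("node_modules/")[2]
        if meta.get("version") in ADVISORY.get(("npm", name), ()):
            hits.append(("npm", name, meta["version"]))
    return hits

def scan_requirements(text):
    """Return hits for exact pins (name==version) in a requirements file."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", line)
        if m:
            name, version = normalize_pypi(m.group(1)), m.group(2)
            if version in ADVISORY.get(("pypi", name), ()):
                hits.append(("pypi", name, version))
    return hits

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/@opensearch-project/opensearch": {"version": "3.8.0"},
    "node_modules/app/node_modules/@squawk/mcp": {"version": "0.9.5"},
    "node_modules/left-pad": {"version": "1.3.0"},
}})
SAMPLE_REQS = "requests==2.32.3\nGuardrails_AI==0.10.1  # pinned\nmistralai==2.4.5\n"

if __name__ == "__main__":
    for hit in scan_package_lock(SAMPLE_LOCK) + scan_requirements(SAMPLE_REQS):
        print("BLOCK %s %s@%s" % hit)
```

Range specifiers such as mistralai>=2.4.6 are deliberately not matched; resolve them to a lockfile first so the check sees the exact version that would be installed.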
Timeline
- 2026-05-11: public reporting confirmed Mini Shai-Hulud impact across npm and PyPI.
- 2026-05-12: SecOpsAI advisory data seeded for confirmed package versions and removed-artifact handling.
References
- https://www.ox.security/blog/shai-hulud-here-we-go-again-170-packages-hit-across-npm-pypi/
- https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
- https://docs.secopsai.dev/supply-chain-advisories/