Mini Shai-Hulud
-
GitHub investigates claim of internal repository theft after TeamPCP listing
GitHub said it is investigating unauthorized access to internal repositories after TeamPCP claimed it was selling source code and internal data. The company said it has no evidence of customer impact outside internal repositories.
-
Leaked Shai-Hulud malware resurfaces in npm infostealer campaign
Four malicious npm packages infected with a Shai-Hulud clone were published over the weekend, stealing credentials, secrets and crypto wallet data. One package also added DDoS features, and the combined downloads reached 2,678.
-
PyPI Lightning package hit by credential-stealing malware
Python package Lightning was compromised on PyPI, with two malicious releases published on April 30, 2026. Security researchers said the code targeted developer credentials and could spread through package ecosystems.
