
Shai-Hulud Supply-Chain Attack Compromises Hundreds of npm and PyPI Packages with Credential-Stealing Malware
Tags: Security, supply-chain-attack, malware, npm, PyPI, credential-theft, open-source, TanStack, Mistral, developers
A supply-chain attack campaign named Shai-Hulud has compromised hundreds of packages across the npm and PyPI repositories, distributing credential-stealing malware aimed at developers. The attackers signed malicious packages that impersonate legitimate libraries, including ones mimicking TanStack and Mistral, to evade detection. The campaign abuses open-source package ecosystems as its distribution channel for malware that harvests sensitive credentials. No specific dates, CVE IDs, or exact numbers of affected packages were disclosed in the report. The primary impact is unauthorized access to developer credentials and the potential downstream compromise of systems that depend on the affected packages.
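Because the report says the malicious packages impersonate legitimate libraries such as TanStack and Mistral, one practical defender check is to scan a project's own dependency manifests for names that are near-matches of packages the team actually trusts. The script below is an added example written for this page, not code from the report or from any of the projects named in it; the trusted-name allowlist, the similarity threshold, and the sample lockfile and requirements text are constructed assumptions that a team would replace with its own.

```python
"""Flag lookalike package names in an npm lockfile and a PyPI requirements file.

Added example for this page (not from the report). The trusted names below are
an assumed allowlist; a real deployment would load the team's own vetted list.
"""
import json
import re
from difflib import SequenceMatcher

# Assumed allowlist of packages the team has vetted, per ecosystem.
TRUSTED = {
    "npm": {
        "@tanstack/react-query",
        "@tanstack/query-core",
        "@tanstack/router",
        "@mistralai/mistralai",
    },
    "pypi": {"mistralai", "requests"},
}


def normalize(name: str) -> str:
    """Lower-case and collapse '-', '_' and '.' runs to '-' (PyPI-style normalization)."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def npm_lockfile_names(lock_text: str) -> set:
    """Collect package names from package-lock.json (v1 'dependencies' or v2/v3 'packages')."""
    lock = json.loads(lock_text)
    names = set()
    for path in lock.get("packages", {}):
        if not path:  # "" is the root project entry in v2/v3 lockfiles
            continue
        # Keys look like "node_modules/<name>" or nested ".../node_modules/<name>"
        names.add(path.split("node_modules/")[-1])
    for name in lock.get("dependencies", {}):
        names.add(name)
    return names


def requirements_names(req_text: str) -> set:
    """Collect bare project names from requirements.txt lines, ignoring comments and options."""
    names = set()
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.add(match.group(1))
    return names


def lookalikes(names, ecosystem: str, threshold: float = 0.8):
    """Return (suspect, trusted, score) for names that are close to, but not exactly, a trusted name.

    Exact matches are skipped: they are the legitimate packages. A high similarity
    to a trusted name without an exact match is the impersonation pattern to review.
    """
    trusted = {normalize(t): t for t in TRUSTED[ecosystem]}
    findings = []
    for name in sorted(names):
        candidate = normalize(name)
        if candidate in trusted:
            continue
        for trusted_norm, trusted_orig in trusted.items():
            score = SequenceMatcher(None, candidate, trusted_norm).ratio()
            if score >= threshold:
                findings.append((name, trusted_orig, round(score, 2)))
    return findings


# Constructed sample inputs: one lookalike planted in each ecosystem.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/react/node_modules/loose-envify": {"version": "1.4.0"},
        "node_modules/@tanstack/react-query": {"version": "5.0.0"},
        "node_modules/@tanstack/react-querry": {"version": "5.0.1"},
        "node_modules/@mistralai/mistralai": {"version": "1.0.0"},
    },
})

SAMPLE_REQ = """\
# constructed requirements file
mistralai==1.0.0
mistral-ai>=0.1  # one character away from the trusted name
requests
-r other.txt
"""


def audit():
    """Run both checks over the constructed samples and return the findings."""
    return {
        "npm": lookalikes(npm_lockfile_names(SAMPLE_LOCK), "npm"),
        "pypi": lookalikes(requirements_names(SAMPLE_REQ), "pypi"),
    }


if __name__ == "__main__":
    for eco, findings in audit().items():
        for suspect, trusted, score in findings:
            print(f"[{eco}] review {suspect!r}: resembles trusted {trusted!r} (score {score})")
```

The check is deliberately conservative: it only compares against names the team already trusts, so it produces a short review list rather than a verdict, and it will not catch a malicious package whose name resembles nothing on the allowlist. Pair it with lockfile pinning and registry-provided provenance or signature verification where the ecosystem offers it; the name check is one signal, not a substitute for those.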