Critical • SecOpsAI intelligence

Mini Shai-Hulud crosses npm and PyPI: advisory protection for removed artifacts

Mini Shai-Hulud affected npm and PyPI packages, including removed artifacts that now receive source-backed SecOpsAI advisory detections.

Mini Shai-Hulud crosses npm and PyPI: advisory protection for removed artifacts

Executive Summary

Mini Shai-Hulud is a confirmed software supply-chain campaign affecting npm and PyPI packages. Some compromised versions were removed from public registries quickly, which is good for users but creates a scanner blind spot: artifact diffing can fail after takedown.

SecOpsAI now ships an emergency advisory ingestion path. Named compromised versions can produce high-confidence SOC findings even when the malicious artifact is no longer fetchable.

Affected Artifacts

• npm: @opensearch-project/opensearch versions 3.5.3, 3.6.2, 3.7.0, 3.8.0
• PyPI: mistralai version 2.4.6
• PyPI: guardrails-ai version 0.10.1
• npm: @squawk/* representative confirmed versions, including @squawk/[email protected] and @squawk/[email protected]

What SecOpsAI Detected

Local SecOpsAI findings already identified suspicious behavior in [email protected], including subprocess execution, shell downloader behavior, network egress, artifact divergence, and suspicious code present in only one PyPI artifact path.

What Was Missed Before Advisory Ingestion

Removed npm/PyPI artifacts such as some @opensearch-project/opensearch, guardrails-ai, and @squawk/* versions could previously end as diff generation failed. That error was technically true, but operationally weak: the version was still confirmed compromised by external reporting.

New Protection

Emergency advisories are stored as source-backed JSON under data/advisories/. The scanner checks advisories before allowlist or reputation shortcuts. If a diff succeeds, the advisory enriches the finding. If artifact fetch or diff generation fails, the advisory still creates a malicious high-confidence SOC finding.

IOCs And Behaviors

• git-tanstack[.]com/transformers.pyz: reported payload hosting path.
• 83[.]142[.]209[.]194/transformers.pyz: reported PyPI downloader target.
• /tmp/transformers.pyz: Linux payload write path before execution.
• setup.mjs and router_init.js: npm lifecycle/staged JavaScript artifacts reported in campaign analysis.
• npm preinstall and prepare hooks: install-time execution path for npm packages.
• import-time Python execution: PyPI import path used to download and execute a payload.

Detection Logic

secopsai supply-chain advisory check --ecosystem npm --package @opensearch-project/opensearch --version 3.8.0
secopsai supply-chain explain-verdict --ecosystem pypi --package guardrails-ai --version 0.10.1
secopsai supply-chain reconcile-history --include-advisories

Recommended Actions

• Block listed versions in package manager policy, dependency proxies, lockfile checks, and CI admission controls.
• Purge caches that may contain the affected artifacts.
• Search developer machines and CI hosts for /tmp/transformers.pyz and outbound traffic to listed IOCs.
• Rotate package registry tokens, GitHub tokens, cloud credentials, and OIDC-trusted secrets exposed to affected build contexts.
• Rebuild from clean lockfiles after verifying maintainer guidance and known-good versions.

Timeline

• 2026-05-11: public reporting confirmed Mini Shai-Hulud impact across npm and PyPI.
• 2026-05-12: SecOpsAI advisory data seeded for confirmed package versions and removed-artifact handling.

References

• https://www.ox.security/blog/shai-hulud-here-we-go-again-170-packages-hit-across-npm-pypi/
• https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
• https://docs.secopsai.dev/supply-chain-advisories/