Mass Supply-Chain Attack Slams npm and PyPi, Hits Mistral AI
bankinfosecurity | Latest Mini Shai-Hulud Worm Steals Credentials, Includes Wiper, Now Open Source
Mathew J. Schwartz (euroinfosec) • May 13, 2026

Hackers behind a spate of supply-chain attacks targeting JavaScript and Python software repositories released an open-source version of their malware, paving the way for more automated worms carrying infections downstream.
Experts have urged security and development teams to introduce time-based delays or "code cooldowns" before incorporating updated packages from public repositories, to give defenders a chance to take down corrupted code before it's sucked into applications across the internet (see: Flurry of Supply-Chain Software Library Attacks).
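One minimal way to enforce such a cooldown before a dependency is accepted, as an added example that is not part of the article: the package name, versions, timestamps and "now" are constructed, and the metadata is shaped like the `releases` field of the PyPI JSON API. A version is only accepted once its first upload is older than the cooldown window; unknown upload times are refused rather than waved through.

```python
"""Gate a dependency version on a release-age cooldown (example, not the article's code)."""
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=7)

# Constructed sample, shaped like a PyPI JSON API response.
SAMPLE_METADATA = {
    "info": {"name": "example-lib", "version": "2.0.0"},
    "releases": {
        "1.9.0": [{"upload_time_iso_8601": "2026-04-20T10:00:00.000000Z"}],
        "2.0.0": [{"upload_time_iso_8601": "2026-05-12T08:30:00.000000Z"}],
    },
}
# Fixed clock so the example is reproducible offline.
NOW = datetime(2026, 5, 13, 12, 0, tzinfo=timezone.utc)


def release_time(metadata, version):
    """Earliest upload time among the files of ``version``, or None if unknown."""
    files = metadata.get("releases", {}).get(version) or []
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    ]
    return min(times) if times else None


def cooldown_verdict(metadata, version, now=NOW, cooldown=COOLDOWN):
    """Return (allowed, reason); missing metadata fails closed."""
    uploaded = release_time(metadata, version)
    if uploaded is None:
        return False, f"{version}: no upload time in metadata"
    age = now - uploaded
    if age < cooldown:
        return False, f"{version}: uploaded {age.days}d ago, cooldown is {cooldown.days}d"
    return True, f"{version}: uploaded {age.days}d ago"


def newest_cooled_version(metadata, now=NOW, cooldown=COOLDOWN):
    """Newest version that has cleared the cooldown, or None (numeric versions only)."""
    ok = [v for v in metadata["releases"] if cooldown_verdict(metadata, v, now, cooldown)[0]]
    return max(ok, key=lambda v: tuple(int(p) for p in v.split("."))) if ok else None


if __name__ == "__main__":
    for ver in ("2.0.0", "1.9.0"):
        print(cooldown_verdict(SAMPLE_METADATA, ver)[1])
    print("resolved:", newest_cooled_version(SAMPLE_METADATA))
```

For real packages, use a proper version parser (e.g. `packaging.version`) instead of the numeric split, and fetch the metadata from the index rather than the embedded sample.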
A malware variant called "Shai-Hulud: Here We Go Again" began infecting packages on Monday; the count now exceeds 170 different packages that collectively see nearly 180 million weekly downloads, said Ox Security. JavaScript packages hosted by npm and Python packages hosted ...
Copyright of this story solely belongs to bankinfosecurity.

