Shai-Hulud worm turns npm and PyPI installs into credential theft and persistence even after uninstall
India
Published on 12 May 2026

Provenance looked real but the publish scope wasn’t
A new Shai-Hulud campaign poisoned 172 npm and PyPI packages, including packages carrying valid SLSA Level 3 provenance. Install or even import can trigger credential harvesting, persistence in Claude Code and VS Code, and CI runner memory scraping. Revoke tokens too soon and a destructive daemon may wipe a home directory. A six-gap CI/CD audit is urged, especially for OIDC scope and AI agent configs.
- 172 npm and PyPI packages were poisoned since May 11 with real-looking SLSA provenance
- The worm persists in .claude and .vscode hooks, surviving package removal and reboots
- On CI, it reads runner memory via /proc/pid/mem to extract secrets, including masked ones
- Revoking tokens before isolating machines can trigger rm-wipe behavior
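The story names .claude and .vscode hooks as the persistence points. The audit helper below is an added example, not code from the article or from any vendor: it walks a directory tree and lists every editor or agent hook entry that would run a shell command without a user action. The config layouts it parses are assumptions based on the public Claude Code settings.json "hooks" schema and the VS Code tasks.json "runOptions.runOn": "folderOpen" option; the sample tree and placeholder commands are constructed for the demo.

```python
"""Audit helper: list editor/agent hooks that run commands automatically.

Added example, not from the article. It inspects the two config locations
the article names as persistence points, .claude and .vscode, and reports
every entry that would execute a shell command with no user action.
File layouts are assumptions (Claude Code settings.json "hooks";
VS Code tasks.json "runOptions.runOn": "folderOpen"); verify against docs.
"""
import json
import os
import tempfile


def _load_json(path):
    """Parse a JSON file, returning None on read or syntax errors."""
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def claude_hook_commands(settings):
    """Yield (event, command) for every command-type hook in a settings dict."""
    for event, groups in (settings or {}).get("hooks", {}).items():
        for group in groups or []:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command" and hook.get("command"):
                    yield event, hook["command"]


def vscode_autorun_tasks(tasks):
    """Yield (label, command) for tasks configured to run on folder open."""
    for task in (tasks or {}).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen" and task.get("command"):
            yield task.get("label", "<unnamed>"), task["command"]


def find_autorun_hooks(root):
    """Return a sorted list of (source, name, command) found under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            if parent == ".claude" and name == "settings.json":
                for event, cmd in claude_hook_commands(_load_json(path)):
                    found.append(("claude-hook", event, cmd))
            elif parent == ".vscode" and name == "tasks.json":
                for label, cmd in vscode_autorun_tasks(_load_json(path)):
                    found.append(("vscode-task", label, cmd))
    return sorted(found)


# Constructed sample configs: one ordinary hook, one build task that needs a
# user action (not reported), and one folder-open task (reported). Commands
# are placeholders, not real indicators.
SAMPLE_CLAUDE = {"hooks": {"PostToolUse": [
    {"matcher": "Edit", "hooks": [{"type": "command", "command": "npm run lint"}]}]}}
SAMPLE_VSCODE = {"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "sh ./PLACEHOLDER_setup.sh",
     "runOptions": {"runOn": "folderOpen"}}]}


def build_sample_tree():
    """Write the constructed configs into a temp tree and return its root."""
    root = tempfile.mkdtemp(prefix="hookaudit-")
    os.makedirs(os.path.join(root, ".claude"))
    os.makedirs(os.path.join(root, "proj", ".vscode"))
    with open(os.path.join(root, ".claude", "settings.json"), "w") as f:
        json.dump(SAMPLE_CLAUDE, f)
    with open(os.path.join(root, "proj", ".vscode", "tasks.json"), "w") as f:
        json.dump(SAMPLE_VSCODE, f)
    return root


if __name__ == "__main__":
    # Point find_autorun_hooks at a home directory or CI workspace in real use.
    for source, name, cmd in find_autorun_hooks(build_sample_tree()):
        print(f"{source:12} {name:12} {cmd}")
```

Run it against a home directory or a CI workspace checkout and review each reported command; anything not placed there deliberately is worth treating as a possible persistence entry, since, as the article notes, these hooks survive removal of the package that installed them.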
Read the full story at Venture Beat
This summarization was done by Beige for a story published on Venture Beat
