Mistral AI SDK, TanStack Router hit in npm software supply chain attack



The attacks, noticed by several vendors using automated security tools, happened on May 11, spreading rapidly through package ecosystems thanks to the worm capabilities of the automated Mini Shai-Hulud malware platform, analysis found.

The exact number of package versions caught up in the attack varies depending on the source; according to Aikido Security it was 373 across 169 package namespaces, while SafeDep said the number was 404 package versions across 170 npm packages, with two affecting PyPI.

Dead man’s switch

A striking feature of the attacks is the ease with which the threat group blamed for them, TeamPCP, was able to hijack the projects’ legitimate release pipelines by exploiting a mixture of maintainer misconfigurations and GitHub Actions weaknesses.

Instead of stealing maintainer credentials directly, the attackers exploited a risky trigger, pull_request_target. This allows third-party workflows to run automatically — a way of avoiding maintainer approval fatigue — but means that the maintainer’s short-lived OIDC tokens become vulnerable to scraping.
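For maintainers who want to check their own repositories for the trigger described above, here is a small audit sketch. It is an added example, not code from any of the vendors or projects named in this article; the two sample workflows are constructed, and the line-based checks (PR head checkout, `id-token: write`) are heuristics, not a full YAML analysis.

```python
import re

# Constructed sample workflows (not taken from any affected project).
RISKY = """\
name: release
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
"""

SAFER = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
OIDC = re.compile(r"^\s*id-token\s*:\s*write\b", re.M)
TRIGGER = re.compile(r"\bpull_request_target\b")

def audit_workflow(text):
    """Return findings for one workflow file's text (heuristic, line-based)."""
    # Drop YAML comments so commented-out triggers do not count.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    if not TRIGGER.search(body):
        return []
    findings = ["runs on pull_request_target"]
    if HEAD_REF.search(body):
        findings.append("checks out or references PR head code")
    if OIDC.search(body):
        findings.append("grants id-token: write (OIDC token can be minted)")
    return findings
```

Run `audit_workflow` over each file in `.github/workflows/`; a workflow that returns all three findings combines untrusted pull request code with the ability to request an OIDC token and should be reviewed first.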


