HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Typosquatted npm Packages Harvest Cloud and CI/CD Secrets in Mini Shai‑Hulud Campaign

The Mini Shai‑Hulud group has deployed look‑alike npm packages that, when installed, exfiltrate cloud API keys and CI/CD tokens. The threat targets developers across multiple industries, expanding supply‑chain risk for any organization that relies on third‑party JavaScript libraries.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 microsoft.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
microsoft.com

Typosquatted npm Packages Harvest Cloud and CI/CD Secrets in Mini Shai‑Hulud Campaign

What Happened — The Mini Shai‑Hulud threat group published malicious npm packages that closely mimic legitimate libraries. When developers inadvertently install these look‑alike packages, the embedded code silently exfiltrates cloud API keys, CI/CD tokens, and other privileged secrets. The campaign has been observed targeting a broad set of cloud platforms and CI/CD services across multiple sectors.

Why It Matters for TPRM

  • Supply‑chain attacks bypass traditional perimeter defenses and compromise third‑party code repositories.
  • Stolen cloud credentials enable lateral movement, data exfiltration, and ransomware deployment in downstream vendors.
  • The ubiquity of open‑source package managers expands the attack surface for any organization that outsources development or relies on third‑party libraries.

Who Is Affected — SaaS developers, cloud‑native enterprises, CI/CD service providers, and any organization that consumes npm packages (technology, finance, healthcare, etc.).

Recommended Actions — Enforce strict package‑name validation, enable npm provenance/signature verification, rotate and limit cloud/CI‑CD secrets, monitor npm registry for look‑alike packages, and audit third‑party code for suspicious behavior.

Technical Notes — Attack vector: typosquatted npm packages (third‑party dependency). No specific CVE; the malicious code harvests AWS, Azure, GCP keys and CI/CD tokens (GitHub Actions, GitLab CI). Data types: cloud API keys, service‑account credentials, CI/CD tokens. Source: Microsoft Security Blog

📰 Original Source
https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →