Frontline · DevTools · 2026-05-21

Snyk tracks supply chain attack expanding from npm to PyPI, Microsoft's durabletask compromised

The Mini Shai-Hulud campaign has breached six major package ecosystems in three weeks, credential-stealing malware now targeting Python developers through Microsoft-maintained infrastructure packages.

Founded

2015

11 years

Status

Private

Total raised

$1.4B

Headcount

1k-5k

The story

We're tracking the sixth expansion of what Snyk has labeled the "Mini Shai-Hulud" supply chain campaign. The latest disclosure^[1] confirms compromise of Microsoft's `durabletask` PyPI package — a dependency for Durable Functions orchestration in Azure — marking the second time this month the campaign has pivoted ecosystems from npm to PyPI. The attacker published version 1.2.7 containing Bun-based credential-stealing malware targeting AWS, Azure, and GCP service credentials stored in developer environments. Package maintainers yanked the malicious release within hours, but not before 3,400 downloads. What's shifted: Snyk has now published nine separate disclosures in 21 days chronicling Mini Shai-Hulud's expansion across npm (AntV, TanStack, SAP @cap-js, node-ipc), PyPI (elementary-data, lightning, durabletask), and a suspected GitHub Actions OIDC token-extraction technique. The campaign's MO is consistent — compromise maintainer accounts, publish malicious minor/patch versions, exfiltrate cloud credentials to a rotating set of attacker-controlled endpoints — but the breadth is accelerating. The AntV compromise alone touched 323 packages; the TanStack wave hit 84. This isn't a targeted attack on a single supply chain; it's industrial-scale account harvesting across the open-source dependency graph. The read we're settling on: Snyk's disclosure velocity has made it the de facto incident responder for the campaign, surfacing IOCs and connecting dots faster than package registries, CISA, or affected vendors. That's strategically valuable — each writeup reinforces Snyk's position as the early-warning system for supply chain risk — but it also reveals a systemic gap. PyPI and npm still lack mandatory 2FA for maintainers of high-impact packages, GitHub's OIDC token scoping remains permissive enough to enable cross-repo compromise, and the time-to-detection window (hours to days) means thousands of CI/CD pipelines are ingesting malicious code before yanks propagate. Snyk is winning the narrative, but the infrastructure layer isn't hardening fast enough to stop the next wave.

The rest of this story is for subscribers.

Including Our Take, the Tailwinds & headwinds framing, Connections across the FOBI roster, and What should you do.

Founding

50% off

/month

94 of 100 spots left

Full

$10

/month

Available once all 100 Founding Member spots are claimed.

Get full access

Already subscribed? Sign in →

In plain English

Software developers rely on shared code libraries (called packages) to build applications faster. Attackers are hijacking popular packages by stealing maintainer passwords, then uploading malicious versions that silently steal cloud passwords and API keys from every developer who downloads them. Snyk — a security company — has been tracking one attacker who has compromised over 600 packages across six different programming languages in the last three weeks, now including a Microsoft-maintained Python package used in cloud workflows.

Our Take

The real story isn't the compromise — it's that Snyk is now the system of record for supply chain incidents, not the registries or vendors themselves. PyPI's security advisories lag Snyk's blog by 24–48 hours; Microsoft hasn't issued a public statement on the durabletask compromise. That disclosure asymmetry is strategically valuable for Snyk — it trains security teams to treat Snyk's feed as ground truth — but it also means the company is carrying the operational burden of incident response for public infrastructure it doesn't control. If registries mandate provenance and harden auth in response, Snyk's edge shifts from detection to remediation orchestration. If they don't, the alert volume becomes unsustainable.

Takeaways

01Snyk has published nine Mini Shai-Hulud disclosures in 21 days, establishing itself as the campaign's primary chronicler and early-warning system.
02The attacker's pivot from npm to PyPI — now twice in May — signals cross-ecosystem credential harvesting, not single-registry opportunism.
03Microsoft's durabletask compromise demonstrates that even vendor-maintained infrastructure packages remain vulnerable to maintainer account takeover.
04The persistent absence of mandatory 2FA and build provenance in PyPI and npm creates a time-to-detection window measured in hours to days, allowing thousands of CI/CD systems to ingest malicious code.
05Snyk's disclosure velocity is strategically valuable for brand positioning, but alert fatigue becomes a risk if registries don't harden baseline defenses and the campaign continues at this cadence.

What should you do

The asymmetric bet here is that supply chain security moves from "scan and alert" to "real-time registry defense and provenance enforcement." Snyk's disclosure dominance positions it to own the threat-intel layer, but the real moat question is whether it can convert that into enforceable policy hooks — registry-level blocks, CI/CD gates, build provenance verification that stops malicious packages before download. If package registries mandate attestation and 2FA in response to this campaign, the value accrues to whoever owns the signing and verification infrastructure. If they don't, Snyk's alert fatigue risk grows — nine disclosures in three weeks trains developers to ignore the noise. Watch whether GitHub Ships mandatory Sigstore integration for high-impact packages this quarter; that would commoditi…

Strategic-positioning commentary · not investment advice

Failure modes

Alert fatigue — nine disclosures in 21 days trains developers to treat supply chain advisories as background noise, reducing patch urgency and expanding attacker dwell time.
Attribution collapse — if Mini Shai-Hulud is actually multiple actors using shared Bun-based stealer tooling, the campaign's scope is understated and coordinated registry response becomes harder.
Time-to-yank lag — malicious versions remain downloadable for hours after discovery; CI/CD pipelines with aggressive caching ingest compromised packages even after registry removal.
Credential rotation failure — stolen cloud credentials remain valid until developers manually rotate them; most teams lack automated post-compromise key invalidation workflows.

Trajectory

Forward signals

PyPI's PEP 740 attestation rollout — scheduled for Q3 2026 — which would require cryptographic provenance for high-impact packages and render credential-only compromises insufficient for malicious publishes.
GitHub's response to suspected OIDC token-extraction technique; whether they tighten scoping defaults or ship mandatory signing for Actions-based publishes to package registries.
The next ecosystem pivot — whether Mini Shai-Hulud expands to RubyGems, crates.io, or Maven Central, which would confirm cross-language credential harvesting at scale.
Snyk's Q2 2026 product release cycle — whether the disclosure velocity translates into new registry-integration partnerships or enforcement hooks that move beyond scan-and-alert.

Report Notes

1.
CatalystSnyk (official)
snyk.io · 2026-05-19

Cast

Snyk
GitHub — Registry and OIDC token provider
OpenAI — Foundation model enabling detection tooling

Glossary

Mini Shai-Hulud: Snyk's label for a sustained supply chain attack campaign that has compromised 600+ packages across npm and PyPI since late April 2026, using Bun-based credential stealers and suspected GitHub Actions OIDC token extraction.
PyPI: The Python Package Index — the primary registry for sharing and installing Python libraries. Developers download packages via pip; maintainers publish via twine or GitHub Actions.
durabletask: Microsoft's Python SDK for Durable Task Framework orchestration, used in Azure Durable Functions to coordinate long-running serverless workflows with state persistence.
OIDC token extraction: A technique where attackers exploit GitHub Actions' OpenID Connect integration to steal short-lived identity tokens that grant publish access to package registries without needing long-lived secrets.
Sigstore: An open-source project providing keyless code signing and transparency logs for software artifacts, backed by Google, Red Hat, and the Linux Foundation, designed to make provenance verification frictionless.