The attacks are part of a wider campaign known as Mini Shai-Hulud, which has already compromised several open source projects and, in turn, developers and companies that use them.
In Brief Posted: 8:32 AM PDT · May 19, 2026 Image Credits: fotograzia / Getty Images Lorenzo Franceschi-Bicchierai Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack Hackers have compromised several popular open source projects relied on by software developers all over the world in an ongoing cyberattack.
On Tuesday, cybersecurity firms StepSecurity and SafeDep warned of the latest wave of so-called “supply chain” attacks, which aim to compromise developers of popular open source projects and use that access to plant malicious updates that are pushed to users downstream.
According to SafeDep, hackers took over the account of one developer and released over 630 malicious versions across 317 packages in about 20 minutes. The goal of the attack is to steal credentials for various services, including password managers, as a way to steal data and continue spreading the malware.
Among the packages that the hackers compromised there’s Antv, a library made by Alibaba. In some cases, the hackers published malicious updates on GitHub, according to JFrog Security .
This latest wave of attacks is part of a wider campaign targeting open source projects and the developers who use the code for their own projects. Researchers have dubbed the hacks “Mini Shai-Hulud,” after the attack followed a previous, more expansive hacking campaign.
Last week, in another wave of attacks as part of the Mini Shai-Hulud attacks, hackers compromised the computers of two OpenAI employees after hacking the open source library TanStack. OpenAI was just one of several victims.
Topics cybersecurity , Mini Shai-Hulud , open source , Security , supply chain attack , supply chain security May 27 Athens, Greece StrictlyVC Athens is up next. Hear unfiltered insights straight from Europe’s tech leaders and connect with the people shaping what’s ahead. Lock in your spot before it’s gone.
REGISTER NOW Newsletters See More Subscribe for the industry’s biggest tech news Related Security US cyber agency CISA exposed reams of passwords and cloud keys to the open web Zack Whittaker 26 minutes ago Apps Apple announces Apple Intelligence powered accessibility feature updates Ivan Mehta 2 hours ago Apps ‘Survivor’ stars Kyle Fraser and Kamilla Karthigesu introduce a goal-tracking app, Paprclip Sarah Perez 2 hours ago Latest in Security In Brief Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack Lorenzo Franceschi-Bicchierai 24 seconds ago Security US cyber agency CISA exposed reams of passwords and cloud keys to the open web Zack Whittaker 26 minutes ago Security NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people Zack Whittaker 23 hours ago
