npm Revokes All 2FA-Bypass Tokens After Supply Chain Attack
npm has revoked every granular access token with write access that bypassed two-factor authentication, a platform-wide credential reset that rolled out on May 19, 2026, announced via the registry’s long-dormant X account.
The move targets credentials already harvested by the active Mini Shai-Hulud malware campaign, which has torn through the JavaScript, Python, and PHP ecosystems for over three weeks.
The immediate trigger was a May 18 attack in which threat actors seized the npm maintainer account atool and published 639 malicious package versions across 323 unique packages in a single automated burst.
The wave hit the @antv data-visualization ecosystem, along with widely used packages including echarts-for-react (~1.1M weekly downloads), timeago.js, size-sensor, and canvas-nest.js.
Security firm Socket attributes the campaign to TeamPCP and has tracked 1,055 compromised package versions across 502 unique packages spanning npm, PyPI, and Composer. Prior waves include:
- May 11 — Compromise of 42 TanStack packages (84 malicious versions), including @tanstack/react-router with 12M weekly downloads
- April 23 — Bitwarden CLI shipped a credential-stealing payload after attackers compromised the project’s publish-ci.yml workflow directly
- Targets have included Checkmarx KICS/AST, Aqua Trivy, SAP CAP, Intercom, Mistral AI, and UiPath
The TanStack breach exploited a chained attack vector: a pull_request_target “Pwn Request” abuse, GitHub Actions cache poisoning, and OIDC token extraction directly from runner process memory, requiring no long-lived bypass-2FA token.
Days later, GitHub confirmed attackers exfiltrated roughly 3,800 internal repositories, tracing entry to a poisoned Nx Console VSCode extension (v18.95.0) that sat on the Visual Studio Marketplace for 18 minutes before takedown.
The bypass-2FA option exists by design to allow CI/CD workflows to publish without interactive prompts. Mini Shai-Hulud was purpose-built to exploit this: it scans developer machines and CI environments for stored npm credentials and uses the stolen tokens to republish poisoned versions of every package the victim maintains.
Burning every bypass-2FA token cuts off credentials the worm has already collected. It does not neutralize the worm itself, which remains active.
More critically, the reset leaves the campaign’s most damaging attack vectors entirely untouched: neither the TanStack OIDC token extraction nor the Bitwarden CI/CD workflow compromise required a long-lived bypass-2FA token.
npm’s recommendation to migrate to OIDC Trusted Publishing carries similar caveats. TanStack’s attackers authenticated malicious publishers through the project’s own legitimate OIDC trusted-publisher binding, minting publish tokens from the workflow’s id-token permission.
Wes Todd of the OpenJS Foundation previously warned that “gaps in design and implementation with OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps.”
npm’s more significant countermeasure arrived alongside the token reset with far less fanfare. Staged publishing entered public preview on May 20 when GitHub merged the npm stage command into npm CLI v11.15.0.
Under the new model, CI workflow publishes can route through a staging area instead of going directly to the public registry. A maintainer approves the release via an MFA-verified step using the CLI or npmjs.com before the version becomes installable, putting a human review gate between a compromised credential and a live malicious package.
Key implementation details:
- New npm stage publish command routes releases to a staging queue
- Approval subcommands (npm stage list, npm stage view, npm stage approve, npm stage reject) require interactive MFA and cannot be performed by OIDC tokens
- Feature is opt-in and must be configured per package
- npm creator Isaac Schlueter has called on GitHub, npm, and Microsoft to disable non-MFA publishing entirely by default
Recommendations
Maintainers whose CI/CD pipelines broke after the May 19 reset should take the following actions:
- Generate new granular access tokens and update all stored secrets immediately
- Rotate every credential within reach of any affected environment: the worm harvests GitHub tokens, AWS/GCP/Azure credentials, SSH keys, Kubernetes tokens, Vault tokens, Stripe keys, and AI tool config files including .claude/settings.json
- Evaluate enabling staged publishing on high-impact packages
- Apply the minimumReleaseAge setting to avoid freshly poisoned versions; pnpm 11 now defaults to a one-day release-age window, with equivalent controls available in npm, Yarn, and Bun
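To make the release-age recommendation concrete, here is an added example (not code from npm, pnpm or the article) that reimplements the idea behind a minimumReleaseAge gate over npm registry metadata: any version published less than N days ago is treated as not yet installable, so a freshly poisoned release is held back until it has been public long enough for maintainers and scanners to notice it. The packument layout (`versions`, `time`, `dist-tags`) follows the public npm registry format; the package name, versions, timestamps and the fixed clock are constructed sample data, and a version with no publish timestamp is deliberately treated as ineligible.

```python
"""Release-age gate for npm registry metadata (added example, not npm/pnpm code)."""
from datetime import datetime, timedelta, timezone

# Constructed packument: 1.1.0 was published a few hours before NOW, so a
# one-day window must hold it back while 1.0.1 remains installable.
SAMPLE_PACKUMENT = {
    "name": "example-widget",
    "dist-tags": {"latest": "1.1.0"},
    "versions": {"1.0.0": {}, "1.0.1": {}, "1.1.0": {}},
    "time": {
        "created": "2026-01-10T09:00:00.000Z",
        "modified": "2026-05-18T14:00:00.000Z",
        "1.0.0": "2026-01-10T09:00:00.000Z",
        "1.0.1": "2026-03-02T11:30:00.000Z",
        "1.1.0": "2026-05-18T14:00:00.000Z",
    },
}

# Constructed clock so the example is deterministic.
NOW = datetime(2026, 5, 19, 12, 0, tzinfo=timezone.utc)


def _parse_time(value):
    # Registry timestamps are ISO-8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _semver_key(version):
    # Approximate semver ordering: numeric major.minor.patch, with a
    # prerelease (e.g. 2.0.0-rc.1) sorting below the matching release.
    core, _, prerelease = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    return (nums, prerelease == "", prerelease)


def eligible_versions(packument, min_age_days, now=None):
    """Return versions published at least ``min_age_days`` before ``now``.

    Versions with no publish timestamp are excluded: without an age we
    cannot show they have been public long enough to be vetted.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=min_age_days)
    times = packument.get("time", {})
    eligible = [
        version
        for version in packument.get("versions", {})
        if version in times and _parse_time(times[version]) <= cutoff
    ]
    return sorted(eligible, key=_semver_key)


def resolve_latest(packument, min_age_days, now=None):
    """Pick the highest version that passes the age gate.

    Returns ``(version, held_back)``; ``held_back`` lists versions newer than
    the chosen one that are too fresh to install. ``version`` is None when
    nothing qualifies, which callers should treat as "do not install".
    """
    all_versions = sorted(packument.get("versions", {}), key=_semver_key)
    ok = eligible_versions(packument, min_age_days, now)
    if not ok:
        return None, all_versions
    chosen = ok[-1]
    held = [v for v in all_versions
            if v not in ok and _semver_key(v) > _semver_key(chosen)]
    return chosen, held


def audit_pins(pins, packuments, min_age_days, now=None):
    """Flag exact pins (e.g. from a lockfile) that fail the age gate.

    ``pins`` maps package name to the resolved version; ``packuments`` maps
    name to registry metadata. Pins whose metadata is missing are flagged too.
    """
    flagged = {}
    for name, version in pins.items():
        pack = packuments.get(name)
        if pack is None or version not in eligible_versions(pack, min_age_days, now):
            flagged[name] = version
    return flagged


if __name__ == "__main__":
    chosen, held = resolve_latest(SAMPLE_PACKUMENT, 1, NOW)
    print(f"install {SAMPLE_PACKUMENT['name']}@{chosen}; held back: {held}")
    print("flagged pins:", audit_pins({"example-widget": "1.1.0"},
                                      {"example-widget": SAMPLE_PACKUMENT}, 1, NOW))
```

Run against a real packument, `eligible_versions` would be fed the JSON from the registry's package endpoint for each dependency, and `audit_pins` the name/version pairs from a lockfile; the gate only delays adoption of a new release, so it complements rather than replaces the token rotation and staged-publishing controls listed above.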
The token reset addresses credentials the worm has already collected. Staged publishing addresses the publishing path itself but on an opt-in basis. How quickly maintainers configure the new approval step across high-impact namespaces will determine the actual coverage before the next campaign wave lands.