What happened
SecurityWeek reported June 9, 2026 that new Shai-Hulud variants (Miasma, targeting npm since June 1–3, and Hades/Mini Shai-Hulud, targeting PyPI) have now compromised over 100 packages across both ecosystems. GitHub disabled 73 Microsoft repositories (Azure, Azure-Samples, MicrosoftDocs, Microsoft orgs) on June 5 after Miasma re-compromised Azure's durabletask project. The PyPI Hades variant independently compromised 37 malicious wheel files across 19 packages. Confirmed AI-relevant compromised packages include the mistralai Python SDK and guardrails-ai. The campaign uses a destructive self-destruct/wipe routine triggered by npm token revocation, effectively acting as ransomware against maintainers who attempt remediation.
Why it matters
This is a direct attack on the AI developer supply chain: AI SDK packages (mistralai, guardrails-ai) were compromised, AI tool credentials are specifically targeted, and the novel persistence mechanism exploits the trust model of AI coding agents (Claude Code SessionStart hooks) to survive standard remediation. Stolen credentials include AWS, GCP, Azure, GitHub, npm, Kubernetes, Vault tokens, and AI service API keys. The worm's use of valid SLSA Build Level 3 provenance makes it extremely difficult to detect via standard supply-chain attestation checks.
Attack vector
Self-replicating supply-chain worm uses preinstall/postinstall npm lifecycle hooks (and 'Phantom Gyp' binding.gyp in the Miasma wave) to execute a Bun-based credential stealer on install. The worm scrapes /proc/{pid}/mem to extract all CI/CD secrets, harvests 100+ credential types including AI tool tokens, then republishes poisoned versions of all packages controlled by the compromised maintainer. Persistence is achieved by injecting a SessionStart hook into .claude/settings.json and a folderOpen task into .vscode/tasks.json — these survive package removal because they live in project config, not node_modules.
Affected systems
npm and PyPI packages — confirmed compromised packages include mistralai (2.4.6), guardrails-ai (0.10.1), @tanstack/* (84 malicious versions across 42 packages), @redhat-cloud-services (32 packages, 96 versions), @vapi-ai/server-sdk, and others; persistence in Claude Code ~/.claude/settings.json hooks and VS Code .vscode/tasks.json on developer machines
Mitigation
Audit all npm/PyPI dependencies for compromised versions; rotate all secrets present in any affected CI/CD workflow; audit .claude/ and .vscode/tasks.json in all cloned repositories before opening in any AI coding agent; consider all mistralai 2.4.6 and guardrails-ai 0.10.1 installations compromised; check for 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner' npm token descriptions; review StepSecurity, Snyk, and Sonatype advisories for full IOC lists.