Affected Akamai Hunt customers have already received a detailed mapping of vulnerable assets with actionable segmentation and mitigation recommendations.

Executive summary

On May 11, 2026, a new wave of the Shai-Hulud supply chain campaign hit the npm ecosystem by publishing malicious versions of packages across the TanStack dependency tree. The attack was carried out by hijacking a legitimate release workflow through a continuous integration (CI) cache-poisoning attack and abusing npm's OpenID Connect (OIDC) publishing endpoint. The campaign quickly expanded beyond TanStack to additional npm packages linked to Mistral AI, UiPath, OpenSearch, and others. The next day, new GitHub repositories appeared that hosted the source code of the malicious Shai-Hulud worm. In this blog post, we analyze the newly released malware, examine how this attack wave differs from earlier waves, and provide mitigation recommendations for maintainers and organizations.…