The ‘Mini Shai Hulud’ campaign of compromised npm packages exposes a structural gap in corporate cybersecurity: technical scanning tools provide inventory, but not situational awareness. Only Cyber Threat Intelligence (CTI) connects external attacker knowledge with internal infrastructure reality — and meets the governance requirements now mandated by NIS-2.
Attackers are no longer targeting firewalls and servers in isolation. The ‘Mini Shai Hulud’ campaign — involving systematically compromised npm packages from widely used ecosystems — illustrates how threat actors have shifted their focus to the software supply chain itself: the code dependencies, cloud services, and automated build processes that underpin modern enterprise operations.
The campaign unfolded in two waves. On May 11, packages from TanStack and a widely deployed Jenkins plugin were compromised. On May 19, a second wave targeted data visualization libraries and developer tooling, including components from AntV, echarts-for-react, and timeago.js. What distinguishes Mini Shai Hulud from earlier supply chain incidents is not its scale alone, but its attack surface: the packages affected are not obscure edge dependencies but foundational components found in web applications, internal portals, dashboards, and management interfaces — precisely the systems through which enterprises conduct digital business today.
The attack does not target end users. It targets the machines and processes through which software is built: developer workstations, CI/CD pipelines, GitHub tokens, npm publishing credentials, and cloud access keys. A single compromised package can yield access to secrets that propagate across multiple downstream environments. By exploiting legitimate publishing mechanisms and trusted build workflows, the campaign generates a chain reaction: one compromised credential leads to the next.
This structural characteristic makes conventional security tooling insufficient on its own. A Software Bill of Materials (SBOM) documents which components are declared to be present. A vulnerability scanner matches them against known CVEs, which a freshly compromised package version will not yet have. A software composition analysis (SCA) tool inspects dependency trees. None of these instruments, however, answers the decisive operational questions a security team faces mid-campaign: Which package versions are currently affected? What infrastructure is the attacker using? Which internal applications actually resolve those versions? Which remediation steps interrupt actual attack paths first?
This is precisely where Cyber Threat Intelligence must enter the supply chain security discussion — not as a feed of Indicators of Compromise appended to a SIEM, but as a layer that connects external attacker knowledge with the internal technical environment: package inventories, repositories, build pipelines, cloud configurations, secrets management systems, and business criticality classifications.
The practical difference is significant. Without CTI, a security team typically audits its npm packages and waits for the package maintainers' advisories. With CTI properly integrated, the same team can determine: the campaign is stealing CI/CD secrets through compromised packages; these specific repositories resolve the affected package versions; certain of their pipelines have access to production-adjacent cloud environments; therefore credentials must be rotated and builds halted before anything else is done. That is the difference between a warning that disappears into an inbox and a decision basis that allows a team to prioritize within minutes.
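The step "these repositories resolve the affected versions" is where external intelligence meets internal inventory. The following script is an added example written for this article; it is not code from the article, from the campaign's analysts, or from any named product. It takes a list of compromised package versions, as an analyst would export them from a CTI platform, and matches it against a repository's package-lock.json, including nested copies that a package.json alone would not reveal, and flags matches whose install scripts already ran. The package names, versions and the lockfile below are constructed placeholders, not real indicators from the Mini Shai Hulud campaign.

```javascript
// Added example (not from the article): match a project's package-lock.json
// against a CTI-supplied list of compromised npm package versions.
// All names and versions here are constructed placeholders, not real IoCs.

// Constructed intel export: "name@version" strings an analyst would pull
// from the campaign's indicator list.
const COMPROMISED = new Set([
  "@acme/charts@2.4.1",
  "left-padder@1.9.0",
  "buildtool-plugin@0.3.7",
]);

// Constructed lockfile in npm lockfileVersion 3 layout. "packages" maps an
// install path to its resolved version; a nested "node_modules/<a>/node_modules/<b>"
// path is how npm records a second copy of <b> kept under <a>.
const SAMPLE_LOCK = {
  name: "internal-portal",
  lockfileVersion: 3,
  packages: {
    "": { name: "internal-portal", version: "1.0.0",
          dependencies: { "@acme/charts": "^2.4.0", "left-padder": "^1.8.0" } },
    "node_modules/@acme/charts": { version: "2.4.1", hasInstallScript: true },
    "node_modules/left-padder": { version: "1.8.2" },
    "node_modules/@acme/charts/node_modules/left-padder": { version: "1.9.0" },
    "node_modules/react": { version: "18.3.1" },
  },
};

// Recover the package name from a lockfile v2/v3 path: everything after the
// last "node_modules/" (scoped packages keep their "@scope/" prefix).
// Returns null for the root entry ("") and for workspace links.
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}

// Older lockfileVersion 1 files store a nested "dependencies" tree instead.
// v1 entries carry no hasInstallScript flag, so that signal is unavailable.
function* walkV1(deps, parentPath = "node_modules") {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}/${name}`;
    yield { path, name, version: entry.version, hasInstallScript: false };
    if (entry.dependencies) yield* walkV1(entry.dependencies, `${path}/node_modules`);
  }
}

// Yield every installed package instance regardless of lockfile version.
function* walkLock(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = nameFromPath(path);
      if (name && entry.version) {
        yield { path, name, version: entry.version, hasInstallScript: !!entry.hasInstallScript };
      }
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies);
  }
}

// Return every installed instance whose exact name@version is on the IoC list.
function findCompromised(lock, compromised) {
  const hits = [];
  for (const pkg of walkLock(lock)) {
    if (compromised.has(`${pkg.name}@${pkg.version}`)) hits.push(pkg);
  }
  return hits;
}

// One report line per hit; an install script means the malicious code may
// already have executed on the machine that ran "npm install".
function formatReport(hits) {
  return hits.map((h) =>
    `${h.name}@${h.version} at ${h.path}` +
    (h.hasInstallScript ? "  [install script present: treat build secrets as exposed]" : ""));
}

for (const line of formatReport(findCompromised(SAMPLE_LOCK, COMPROMISED))) console.log(line);
```

In a real run, SAMPLE_LOCK is replaced by `JSON.parse(fs.readFileSync("package-lock.json"))` from each repository and COMPROMISED by the indicator export; running it across all repositories gives the prioritized list the text describes. Note that the top-level left-padder 1.8.2 is clean while the copy nested under @acme/charts is not: a check of package.json ranges alone would have missed it. Yarn and pnpm lockfiles use different layouts and are not handled here.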
The OpenCTI threat intelligence platform, developed by Filigran, illustrates what structured situational awareness looks like in practice. The Mini Shai Hulud campaign appears not as a single alert but as a correlated intelligence object: both attack waves, the specific malicious packages, the affected ecosystems, the source and reliability assessment, related attack patterns, and affected industry sectors — all linked and contextualized for operational use.
NIS-2 does not leave these capabilities optional. The directive requires organizations operating essential or important services across the EU to implement appropriate risk management measures for network and information systems. Supply chain security, secure development practices, vulnerability handling, incident management, access control, and the assessment of supplier risks are explicitly listed among the required measures. The phrase “appropriate” is not decorative: regulators expect organizations to demonstrate that risks in the digital supply chain are identified, assessed, prioritized, and managed — not merely acknowledged after the fact.
The lesson Mini Shai Hulud carries is not that npm is inherently dangerous. The lesson is structural: supply chain security requires three integrated layers. First, transparency over dependencies, packages, build pipelines, and secrets. Second, technical controls — isolated builds, restrictive token scoping, hardened CI/CD workflows, secret scanning, dependency pinning, and rapid credential rotation. Third, threat intelligence that translates external campaign knowledge into concrete internal priorities.
The third layer remains absent from many organizations. CTI is still frequently treated as an analyst discipline for specialists in SOC or threat intelligence teams, rather than as an operational governance instrument. Mini Shai Hulud demonstrates why that framing is inadequate. An organization that does not manage its software supply chain in a threat-informed manner will not see the attack until it has already become part of the distribution chain. At that point, prevention alone is no longer sufficient.

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de