Supply Chain, May 21, 2026

npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry

npm invalidated granular access tokens after a Mini Shai-Hulud campaign compromised hundreds of packages.

Summary

npm invalidated granular access tokens that had write access and were configured to bypass 2FA, after the Mini Shai-Hulud campaign compromised hundreds of packages. The attackers used hijacked maintainer accounts to publish malicious versions of those packages. npm is urging maintainers to adopt OIDC Trusted Publishing and Staged Publishing so that releases no longer depend on long-lived secrets that can be stolen and replayed.
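The move away from long-lived tokens that the summary describes looks like this in practice. The workflow below is an added example, not code from npm or from any of the affected projects: it publishes from GitHub Actions using OIDC Trusted Publishing, so no npm token is stored as a repository secret at all. It assumes the package already has a trusted publisher registered on npmjs.com pointing at this repository and this workflow filename, that the runner uses a Node release whose bundled npm CLI supports trusted publishing, and that the release event is how the maintainers cut versions (the package name, repository and trigger are illustrative).

```yaml
# .github/workflows/publish.yml (added example; assumes a trusted publisher
# for this repo and workflow filename is configured on npmjs.com)
name: publish

on:
  release:
    types: [published]

# No NODE_AUTH_TOKEN / NPM_TOKEN secret anywhere in this file. The job
# instead requests a short-lived OIDC identity token from GitHub, which npm
# exchanges for a publish credential scoped to this workflow run.
permissions:
  contents: read     # checkout only needs read
  id-token: write    # required for the OIDC token request

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      - run: npm ci

      # --provenance attaches a signed build attestation linking the published
      # tarball to this commit and workflow run, which consumers can verify.
      - run: npm publish --provenance --access public
```

The hardened form differs from the token-based one in exactly one place: the `env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` block that a conventional publish step carries is gone, and `id-token: write` is present instead. With that change there is no credential for a compromised maintainer workstation or a leaked CI secret to exfiltrate, and a publish that does not originate from this workflow is rejected by the registry.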


Entities

Mini Shai-Hulud (campaign)
npm (technology)
GitHub (vendor)
TeamPCP (threat actor)
Bitwarden CLI (product)
Nx Console (product)