MTS

Receipts

Every name fits the chain.

The simulation on the home page is an abstraction of one twelve-step pattern. Below are the real incidents the abstraction is drawn from — named breaches with dates, actors, mechanisms, and sources. Filter by year, threat actor, attack category, or which beat of the chain each one anchors.

18 of 18 incidents


Latest wave of the Shai-Hulud npm worm family. 170+ packages compromised across npm and PyPI, with ~518M cumulative downloads. Victims include TanStack (42 packages, 84 versions), Mistral AI, Guardrails AI, OpenSearch, UiPath. First documented case of a malicious npm package shipping with valid SLSA provenance.

Canvas LMS (note: Canvas, not Canva) went offline on May 7 during US college finals week. ShinyHunters claimed 3.65 TB of data across 8,809 institutions worldwide — the largest education breach on record. Instructure paid a ransom on May 11.

Official DAEMON Tools installers were trojanized at the source. Part of a 2026 trend of installer-package compromises alongside eScan (Jan), Notepad++ (Feb), and CPUID (April).

PyTorch Lightning compromised on PyPI. Intercom traced its own compromise to a local install of `pyannote-audio`, which pulled the poisoned Lightning as a transitive dependency. A clean illustration of the dependency-graph blast radius: Intercom did not install the malicious package — they installed something that installed something that installed it.

Everest ransomware posted both banks on its dark-web leak site the same day, April 20, 2026. Shared document-production data in the leak pointed to a single third-party vendor as the entry point. Same pattern as the M&S 2025 case — the vendor was the breach.

The textbook case of categories collapsing. A Context.ai employee Googled Roblox cheats in February 2026, got infected with Lumma Stealer, and lost their corporate credentials. The attacker pivoted Context.ai → a Vercel employee's Workspace → Vercel internal systems → customer environment variables. Every category — social engineering, infostealer, AI-tool OAuth, supply chain — in one chain.

Pre-auth SQL injection in the LiteLLM proxy (CVSS 9.3). A DB query used during proxy API-key checks mixed caller-supplied key text directly into the query instead of parameterizing it. First exploitation observed 26 hours after the GitHub advisory was indexed.

$10B AI-data-labeling startup whose customers include Anthropic, OpenAI, and Meta. Breached not directly, but as a downstream victim of the LiteLLM PyPI compromise. Demonstrates how the modern attack's blast radius is the dependency graph, not the target's own perimeter.

Two malicious versions of `axios` (1.14.1 and 0.30.4) — a 70M-weekly-download HTTP client — were published via a compromised maintainer account and were live for ~3 hours. The lead maintainer's PC was compromised through targeted social engineering and a remote-access trojan, which gave the attackers npm publish credentials.

Two malicious versions of `litellm` were live on PyPI for ~40 minutes before quarantine. The maintainer's PyPI credentials were lifted from an earlier compromise of Trivy (an OSS scanner used in LiteLLM's CI). LiteLLM sits inside many AI startups' CI/CD with broad credentials — compromising it is compromising those companies' AI infra.

Also not a Railway compromise — Railway was the launching pad. A Phishing-as-a-Service platform called EvilTokens ran an M365 device-code phishing campaign across 340+ orgs in US/CA/AU/NZ/DE, with auth attempts originating from a narrow block of Railway IPs.

WorldLeaks claimed 1.4 TB of Nike's internal data, including product-development IP and supply-chain logistics. Listed on the WorldLeaks leak site as extortion.

Not a Railway compromise. A React Server Components / Next.js CVE let attackers run a malicious binary inside customer services on Railway running vulnerable Next.js versions. Railway's infrastructure wasn't breached — their customers' apps were, because their customers' framework had a hole.

The first public self-replicating npm worm. Identified by ReversingLabs on September 15, 2025, starting from a compromise of `rxnt-authentication@0.0.3`. ~200 packages affected in the first 24 hours. The worm's `bundle.js` ran as a postinstall hook, stole credentials, and republished itself into the maintainer's other packages.

Cyberattack halted vehicle production across the UK, Slovakia, India, and Brazil for weeks. ~£120M lost profit + £1.7B lost revenue; ~£1.9B ($2.5B) cost to the UK economy. Reported as the most economically damaging cyberattack in British history.

The largest SaaS compromise on record. ShinyHunters compromised Salesloft's GitHub repo in March 2025, ran TruffleHog over the source to find Drift / Drift Email OAuth tokens, then used those tokens to read customer Salesforce orgs at scale. 1.5B records across 760 companies.

Distinct from the April 2026 Vercel breach. Threat actors used Vercel's v0 AI page-builder to spin up convincing fake login pages from a single prompt — text-to-phishing-kit, hosted on the legit Vercel platform. First high-profile case of an AI builder being used *as the attack tool itself* rather than being a target.

UK retailer hit via social engineering targeted at a third-party contractor's employees. Forced manual logistics, halted online shopping, disrupted food distribution. Same broader pattern as the 2025 Co-op and Harrods incidents — the vendor was the breach.
