Hackers compromise dozens of popular open source packages in supply chain attack
Cybersecurity firms StepSecurity and SafeDep have issued warnings regarding a sophisticated ongoing supply chain attack targeting dozens of popular open source software packages. This campaign, dubbed Mini Shai-Hulud, involves hackers compromising developer accounts to inject malicious updates into widely used libraries, thereby threatening the security of software developers globally.
In the most recent wave of the attack, identified on Tuesday, adversaries took control of a single developer account and distributed over 630 malicious versions across 317 distinct packages in a matter of just twenty minutes. According to JFrog Security, some of these malicious updates were published directly on GitHub, allowing them to be inadvertently adopted by downstream users and applications. The primary objective of the attackers is to steal credentials for various services, including password managers, to facilitate further data theft and expand the spread of malware.
Among the compromised projects is AntV, a charting and visualization library developed by Alibaba. The scope of the campaign is extensive, with researchers noting that the attackers are specifically targeting the open source ecosystem to maximize impact. Mini Shai-Hulud is a follow-up to a larger, earlier hacking campaign. The name draws a parallel to the "shai-hulud" from Frank Herbert's Dune, suggesting a pervasive and growing threat.
The attack's reach extends beyond code repositories; last week, the hackers successfully compromised the personal computers of two employees at OpenAI. This breach occurred after the attackers infiltrated the TanStack open source library, which is heavily relied upon by many developers. OpenAI was one of several high-profile organizations affected by these intrusions. The implications of these attacks are significant for the global software industry.
Supply chain attacks pose a unique risk because they allow malicious actors to reach a vast number of users by compromising a single entry point. By infecting popular packages, the attackers ensure that their malware is distributed to countless applications without the knowledge of individual users or even some project maintainers. Security experts emphasize that the speed and scale of the Mini Shai-Hulud campaign indicate a highly organized and resourceful threat group. The ability to push hundreds of malicious updates in such a short timeframe highlights vulnerabilities in account security and package publishing workflows.
The incident serves as a stark reminder of the risks inherent in relying on open source components without rigorous verification. Organizations and developers are urged to remain vigilant, monitor their dependencies for unusual updates, and ensure robust multi-factor authentication is in place for all development accounts. The cybersecurity community continues to work on mitigating these threats, but the rapid evolution of such supply chain attacks presents a continuous challenge to software security.
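
One way to act on the advice to monitor dependencies for unusual updates, shown as an added example (not code from this article or from any of the firms it cites): flag any publisher account that releases versions across many distinct packages inside a short window, the pattern reported in the latest wave. The event format, the account and package names, and the five-package threshold are assumptions; the 20-minute window comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=20)  # window length reported in the article
MIN_PACKAGES = 5                # assumed threshold; tune to your own publishing baseline


def build_sample_events():
    """Constructed publish events: (ISO timestamp, publisher, package, version)."""
    events = [
        ("2030-01-01T08:00:00", "maintainer-a", "lib-one", "1.4.0"),
        ("2030-01-01T15:00:00", "maintainer-a", "lib-two", "0.9.2"),
    ]
    base = datetime(2030, 1, 1, 9, 0)
    for i in range(6):            # six packages, two versions each, within ~11 minutes
        for patch in (1, 2):
            ts = base + timedelta(minutes=2 * i, seconds=30 * patch)
            events.append((ts.isoformat(), "maintainer-b", f"pkg-{i}", f"3.0.{patch}"))
    return events


def find_publish_bursts(events, window=WINDOW, min_packages=MIN_PACKAGES):
    """Return, per publisher, the densest window touching >= min_packages packages."""
    by_publisher = defaultdict(list)
    for ts, publisher, package, version in events:
        by_publisher[publisher].append((datetime.fromisoformat(ts), package, version))

    bursts = {}
    for publisher, items in by_publisher.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            packages = {pkg for _, pkg, _ in in_window}
            best = bursts.get(publisher)
            score = (len(packages), len(in_window))
            if len(packages) >= min_packages and (
                    best is None or score > (len(best["packages"]), best["versions"])):
                bursts[publisher] = {"start": in_window[0][0], "end": in_window[-1][0],
                                     "packages": sorted(packages), "versions": len(in_window)}
    return bursts


if __name__ == "__main__":
    for who, b in find_publish_bursts(build_sample_events()).items():
        print(f"{who}: {b['versions']} versions across {len(b['packages'])} packages "
              f"between {b['start']} and {b['end']}")
```

A flagged account is a signal to hold updates from it and check with the maintainer; a legitimate monorepo release can produce the same shape, which is why the threshold should reflect each publisher's normal behaviour.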
