Mini Shai-Hulud Returns: 314 `npm` Packages Compromised

A short publish window still pushed hundreds of malicious versions. Lockfiles, token hygiene, and dependency review matter before the next npm install.

[ KEY POINTS ]

The atool npm account was compromised on May 19, 2026, and malicious releases were pushed for about 22 minutes.
Attack automation produced 637 malicious versions across roughly 317 packages. Short-lived incidents still reach CI fast.
The payload was a 498KB obfuscated Bun script, matching scanner structure and regexes tied to Mini Shai-Hulud.
Targets included cloud credentials such as AWS keys. Rotate exposed tokens and audit recent installs from affected packages.

Originalnews.hada.io/topic?id=29709Read original →

// related

#0001
#0001Other GeekNews3 hours ago
`TabPFN`, Foundation Model for Tabular Data
50radar
TabPFNTabular ML model — fit/predict for classification and regression
Classification and regression run through a scikit-learn-style fit/predict flow. Useful for quick baselines on small structured datasets before building a full ML pipeline.
- TabPFN targets tabular data, not text or images; it fits churn, scoring, lead ranking, and internal ops data.
- The fit/predict interface lowers integration cost for Python stacks already using scikit-learn.
- TabPFN-2.6 was trained only on synthetic data, so production use still needs validation against real domain data.
Source: news.hada.io/topic?id=29719Read original →
FIG-0011:1
50radar
FIG-0011:1
#0002
#0002Other GeekNewsyesterday
`Bambu Studio` Faces Broad AGPLv3 Compliance Challenge
40radar
Bambu Studio3D printing slicer — based on PrusaSlicer
Copyleft obligations can reach bundled dynamic libraries and install info. If you fork AGPLv3 software, partial source drops are not enough.
- AGPLv3 Corresponding Source covers code needed to generate, install, run, and modify the work, not just visible app changes.
- A tightly coupled proprietary networking library may need source disclosure if it is dynamically linked into the modified app.
- Forking strong-copyleft projects for commercial software demands release-process checks before binaries ship.
Source: news.hada.io/topic?id=29694Read original →
FIG-0021:1
40radar
FIG-0021:1
#0003
#0003Other GeekNewsyesterday
What's New in `Chrome` from Google I/O 2026
50radar
The web is shifting from human clicks to agent-driven browsing and AI-assisted development. Worth tracking before specs turn into defaults.
- Paul Kinlan, who leads Chrome DevRel, framed the last 6 months as a fast reset for web development workflows.
- One axis is preparing sites for agents that browse on users' behalf. Structured, machine-readable UX will matter more.
- Another axis is developer tooling. Chrome is positioning DevTools around AI-assisted debugging and building, not just inspection.
- The source is short and lacks API-level details, so this is a watchlist item rather than something to implement today.
Source: news.hada.io/topic?id=29693Read original →
FIG-0031:1
50radar
FIG-0031:1

Mini Shai-Hulud Returns: 314 `npm` Packages Compromised

// related

`TabPFN`, Foundation Model for Tabular Data

`Bambu Studio` Faces Broad AGPLv3 Compliance Challenge

What's New in `Chrome` from Google I/O 2026