5-20
npm Revokes Write Tokens in “Mini Shai-Hulud” Incident as Researchers Warn Local Backdoors Persist
npm has revoked granular write-access tokens tied to compromised developer accounts in an effort to curb a new wave of the self-replicating “Mini Shai-Hulud” supply-chain worm. The platform also urged users to rotate secrets and move to Trusted Publishing, but researchers say infected machines can still leak data locally. The latest spike followed the compromise of the npm account “atool,” which published 637 malicious versions across 323 packages in 27 minutes.
5-20
Zama buys TokenOps to bring FHE-encrypted vesting and airdrops to institutions
Zama has acquired TokenOps to add Fully Homomorphic Encryption (FHE) to token vesting, airdrops and cap table workflows for institutional issuers. The companies said the setup uses onchain encryption, including the ERC-7984 confidential token standard, to reduce signaling and front-running risks tied to transparent releases. The FHE-based distribution is already running in production, including deployments for KAIO and Zama's own (ZAMA) confidential vesting on Ethereum.
5-20
Mini Shai-Hulud GitHub Actions worm taints 300+ npm packages with 16M weekly downloads
A self-replicating "Mini Shai-Hulud" worm abused GitHub Actions on May 19 to push malicious releases, impacting AntV-related packages, echarts-for-react, and Microsoft's durabletask SDK across an estimated 16 million weekly downloads. The malware is designed to steal cloud and developer credentials and includes a dead-man's switch that can wipe a developer's home directory if the attacker-created npm token is revoked. GitHub said on May 20 it would roll out staged publishing, expand OIDC trusted publishing, and move away from legacy tokens.
5-20
US Senate CLARITY Act Draws 100+ Amendments Ahead of May 14 Markup
More than 100 amendments were submitted ahead of the US Senate Banking Committee's May 14 markup of the CLARITY Act, highlighting disputes over ethics rules, stablecoin yield products and DeFi developer protections. The bill would create a federal crypto framework dividing oversight between the SEC and CFTC, while lawmakers face pressure tied to a target of signing the legislation before July 4, 2026.
5-20
Trump executive order urges 90-day review to open Fed payment access for digital assets
President Donald Trump signed an executive order on May 19 instructing U.S. financial regulators to review rules that affect fintech firms, digital asset companies, and blockchain-based financial services. Agencies have 90 days to identify barriers tied to partnerships, charter and licensing reviews, and other federal authorizations, while the Federal Reserve is asked to assess whether certain non-banks and uninsured depository institutions can obtain payment accounts and services.