top of page

Mini Shai-Hulud Worm Supply Chain Attack Compromises Hundreds of Open-Source Packages

  • May 13
  • 3 min read

Key Findings


  • TeamPCP threat actor behind sprawling supply chain attack targeting npm and PyPI packages across TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI

  • Malware deploys obfuscated JavaScript credential stealer targeting cloud providers, crypto wallets, AI tools, CI systems, and messaging apps

  • Data exfiltrated to attacker-controlled infrastructure using Session Protocol to evade detection

  • Malware establishes persistence in VS Code and Claude Code IDEs, survives reboots

  • Attack compromised 42 TanStack packages and 84 versions with valid SLSA provenance signatures

  • CVE-2026-45321 assigned with critical CVSS score of 9.6

  • Self-propagating worm spreads to other packages by locating npm tokens and using stolen GitHub OIDC tokens

  • Over 160 packages affected across multiple ecosystems


Background


TeamPCP emerged in late 2025 as a cloud-focused cybercriminal group specializing in automating supply chain attacks. They're known for exploiting cloud-native infrastructure and their ability to disguise malicious activity while maintaining aggressive extortion tactics. The group previously developed Shai Hulud malware and continues evolving their techniques to breach development environments at scale.


Attack Mechanism and Delivery


The attackers exploited overly broad GitHub Actions workflow permissions using an orphaned commit strategy. This allowed them to trigger the automated release process without standard authentication. The malware was delivered through concealed dependencies containing a 2.3-megabyte obfuscated payload designed to execute via the Bun runtime.


Different packages received slightly different infection vectors. TanStack packages included a malicious JavaScript file with an optional dependency pointing to a GitHub-hosted package with a prepare lifecycle hook. Mistral AI packages replaced package.json contents with preinstall hooks calling node setup.mjs, which downloads Bun and executes the same payload.


Credential Theft and Data Exfiltration


Once executed, the malware profiles the execution environment and systematically targets high-value credentials. It harvests AWS, Google Cloud Platform, Kubernetes, and HashiCorp Vault secrets alongside cryptocurrency wallets, AI tools, and messaging applications. SSH keys and local secret files are extracted from developer machines.


Stolen data is exfiltrated to filev2.getsession.org using Session Protocol infrastructure, making detection difficult since the domain belongs to a legitimate privacy-focused messaging service unlikely to be blocked by enterprises. As a fallback, encrypted data is committed to attacker-controlled GitHub repositories under the identity claude@users.noreply.github.com using stolen GitHub tokens.


Persistence and Lateral Movement


The malware installs hooks in VS Code and Claude Code configuration directories, ensuring automatic execution on IDE launch. It creates a gh-token-monitor service to continuously re-exfiltrate GitHub tokens and injects malicious GitHub Actions workflows that serialize repository secrets to JSON and upload them to api.masscan.cloud.


The worm self-propagates by locating publishable npm tokens with bypass_2fa enabled, enumerating packages from the same maintainers, and exchanging stolen GitHub OIDC tokens for per-package publish tokens. This circumvents traditional authentication entirely, allowing widespread distribution across multiple package ecosystems.


Signature Bypass and Trust Exploitation


What makes this attack exceptional is its abuse of trusted publishing mechanisms. Attacker-controlled code running in workflows leveraged OIDC permissions to mint short-lived publish tokens without stealing npm credentials. The compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm producing cryptographically valid signatures.


The attackers configured overly permissive OIDC trusted publisher settings at the repository level rather than scoping to specific protected branches and workflow files. This allowed the orphaned commit to trigger legitimate workflow runs that could request valid npm publish tokens.


Initial Compromise Vector


The TanStack compromise traced back to chained GitHub Actions attacks involving pull_request_target triggers, GitHub Actions cache poisoning, and runtime memory extraction of OIDC tokens from runner processes. Attackers staged the malicious payload in a GitHub fork via an orphaned commit, injected it into npm tarballs, then hijacked the legitimate TanStack/router workflow to publish compromised versions with valid provenance.


TanStack confirmed no npm tokens were stolen and the npm publish workflow itself remained uncompromised. The attack relied entirely on workflow hijacking and OIDC token extraction.


Extortion and Dead Man's Switch


The malware generates a new registry token with a ransom note in its description, threatening complete computer destruction if victims attempt to revoke access. A dead man's switch using shell scripts periodically verifies npm tokens remain unrevoked, providing persistence and leverage for extortion attempts.


Impact and Response


TanStack accounts for over 12 million weekly downloads of React Router alone, embedding malicious code deep within enterprise supply chains. Security teams have pulled compromised versions from registries. Experts urge anyone downloading affected tools to immediately rotate cloud credentials, GitHub tokens, and all connected developer infrastructure.


The incident represents a systemic vulnerability in automated publishing pipelines and demonstrates how attackers weaponize the software update process itself against enterprises.


Sources


  • https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html

  • https://cyberscoop.com/mini-shai-hulud-supply-chain-malware-attack/

  • https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised

  • https://www.linkedin.com/posts/upwindsecurity_mini-shai-hulud-worm-compromises-tanstack-activity-7460096211031830528-_1Zh

  • https://www.reddit.com/r/cybersecurity/comments/1tavwoo/mini_shaihulud_worm_compromises_tanstack_mistral/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page