Mini Shai-Hulud Worm Compromises 170+ Packages Across TanStack, Mistral AI, and Guardrails AI
A recent surge in supply chain attacks has been attributed to the threat actor known as TeamPCP, which has compromised numerous npm and PyPI packages, including those from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. This wave of attacks is part of a new campaign dubbed the Mini Shai-Hulud, which has raised significant concerns within the cybersecurity community.
Overview of the Attack
The compromised npm packages have been altered to include an obfuscated JavaScript file named “router_init.js.” This file is engineered to profile the execution environment and deploy a sophisticated credential-stealing mechanism. This malware targets a wide range of systems, including cloud providers, cryptocurrency wallets, AI tools, messaging applications, and continuous integration (CI) systems like GitHub Actions. Reports from various cybersecurity firms, including Aikido Security, Endor Labs, SafeDep, Socket, StepSecurity, and Snyk, have detailed the nature of these attacks, which exfiltrate data to the domain “filev2.getsession[.]org.”
The use of Session Protocol infrastructure is a calculated move by the attackers to avoid detection, as this domain is less likely to be blocked in enterprise environments due to its association with a decentralized, privacy-focused messaging service. As a fallback, encrypted data is sent to repositories controlled by the attackers, using the author name “claude@users.noreply.github.com” via the GitHub GraphQL API with stolen GitHub tokens.
Technical Mechanisms of the Malware
The malware demonstrates advanced capabilities, including establishing persistence hooks in development environments like Claude Code and Microsoft Visual Studio Code (VS Code). This ensures that the credential stealer can survive system reboots and re-execute each time the integrated development environments (IDEs) are launched.
Additionally, the malware installs a service to monitor GitHub tokens and injects malicious GitHub Actions workflows. These workflows are designed to serialize repository secrets into a JSON object and upload them to an external server, “api.masscan[.]cloud.”
In contrast to previous attacks, such as the SAP wave, where compromised packages added a preinstall hook to initiate the infection, the latest TanStack cluster employs a different approach. It incorporates a JavaScript file within the package tarball and adds an optional dependency pointing to a GitHub-hosted package. This dependency contains a prepare lifecycle hook that executes the JavaScript payload via the Bun runtime.
Updates to the Mistral AI packages have reverted to earlier tactics, replacing the contents of the “package.json” file with a preinstall hook that invokes “node setup.mjs,” which subsequently downloads Bun and executes the same JavaScript malware.
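As an added example (not code from the article or from any of the affected projects), the following Node script triages a package.json for the two install-time execution paths described above: a lifecycle hook that launches a loader such as "node setup.mjs", and a GitHub-sourced optional dependency whose own prepare hook runs during install. The filenames and runtime it matches on come from the article; the function names, regexes and sample manifests are constructed.

```javascript
// Added defender-side triage example; assumptions: the patterns for
// router_init.js, setup.mjs and Bun come from the article, everything
// else (names, regexes, sample manifests) is constructed here.

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Loader filenames the article associates with the campaign.
const SUSPECT_FILES = ["router_init.js", "setup.mjs"];
// Commands that escalate an install hook from "info" to "high".
const LOADER_CMD = /\bbun\b|setup\.mjs|router_init\.js/;
// Dependency specs resolved from GitHub instead of the registry.
const GITHUB_SPEC = /^(github:|git\+|git:\/\/|https?:\/\/github\.com\/|[\w.-]+\/[\w.-]+(#\S*)?$)/;

function findingsFor(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Any install-time hook is worth surfacing; a loader or Bun invocation
    // is the pattern seen in the Mistral AI packages.
    const severity = LOADER_CMD.test(cmd) ? "high" : "info";
    findings.push({ severity, reason: `lifecycle hook "${hook}" runs: ${cmd}` });
  }
  // A GitHub-hosted optional dependency executes its prepare hook during
  // install, the pattern seen in the TanStack cluster.
  for (const [name, spec] of Object.entries(pkg.optionalDependencies || {})) {
    if (GITHUB_SPEC.test(spec)) {
      findings.push({ severity: "high", reason: `optional dependency "${name}" resolves to GitHub: ${spec}` });
    }
  }
  // Loader file shipped in the tarball via the "files" allow-list.
  for (const f of pkg.files || []) {
    if (SUSPECT_FILES.some((s) => f.endsWith(s))) {
      findings.push({ severity: "high", reason: `tarball ships loader file: ${f}` });
    }
  }
  return findings;
}

function isSuspicious(pkg) {
  return findingsFor(pkg).some((f) => f.severity === "high");
}

// Constructed sample manifests mirroring the two patterns in the article.
const mistralStyle = { name: "sample-a", version: "1.0.0", scripts: { preinstall: "node setup.mjs" } };
const tanstackStyle = { name: "sample-b", version: "1.0.0", files: ["dist", "router_init.js"],
  optionalDependencies: { "some-helper": "github:example-org/example-helper" } };
const clean = { name: "sample-c", version: "1.0.0", scripts: { build: "tsc", test: "vitest" } };

for (const pkg of [mistralStyle, tanstackStyle, clean]) {
  console.log(pkg.name, isSuspicious(pkg) ? "SUSPICIOUS" : "ok", findingsFor(pkg));
}
```

In a real audit, run `findingsFor` over every `node_modules/*/package.json` (and nested scopes) after a lockfile-only install, before any lifecycle script has been allowed to execute.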
Severity and Impact
The TanStack supply chain compromise has been assigned the CVE identifier CVE-2026-45321, carrying a critical CVSS score of 9.6 out of 10. This incident has affected 42 packages and 84 versions within the TanStack ecosystem. TanStack has traced the compromise back to a chained GitHub Actions attack involving the “pull_request_target” trigger, GitHub Actions cache poisoning, and the extraction of an OpenID Connect (OIDC) token from the GitHub Actions runner process. Importantly, TanStack has confirmed that no npm tokens were stolen, and the npm publish workflow itself was not compromised.
The attackers are believed to have staged the malicious payload in a GitHub fork via an orphaned commit, which was then injected into published npm tarballs. They hijacked the legitimate “TanStack/router” workflow to publish the compromised versions, which carried valid Supply-chain Levels for Software Artifacts (SLSA) provenance.
Evolving Threat Landscape
The attack is particularly notable for its exploitation of trusted publishing mechanisms. It allows attacker-controlled code running within a workflow to leverage its OIDC permissions to generate a short-lived publish token during the build process, thus enabling the publication of malicious packages without the need to steal an npm token.
The worm’s ability to propagate itself to other packages is facilitated by locating a publishable npm token with bypass_2fa set to true. It enumerates every package published by the same maintainer and exchanges a GitHub OIDC token for a per-package publish token, effectively bypassing traditional authentication methods.
The introduction of a dead-man’s switch in the obfuscated JavaScript malware further complicates the situation. This feature employs a shell script that periodically checks if an npm token created by the malware has been revoked. If the token is revoked, the script triggers a destructive routine that executes “rm -rf ~/” on the infected machine, effectively turning it into wiper malware. This aggressive tactic underscores TeamPCP’s evolving tradecraft.
Broader Implications
This campaign signifies a shift in supply chain attacks from isolated package compromises to identity-driven propagation through trusted CI/CD infrastructure. Once attackers gain access to publishing workflows and pipeline identities, the software delivery process itself becomes a distribution mechanism for malicious code. The challenge for defenders lies in the fact that much of this activity can appear legitimate, highlighting the need for enhanced behavioral visibility during installations and builds.
The Mini Shai-Hulud campaign has also extended its reach to several other packages on both PyPI and npm, including:
- guardrails-ai@0.10.1 (PyPI)
- mistralai@2.4.6 (PyPI)
- @opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, and 3.8.0
- @squawk/mcp@0.9.5
- @squawk/weather@0.5.10
- @squawk/flightplan@0.5.6
- @tallyui/connector-medusa@1.0.1, 1.0.2, and 1.0.3
- @tallyui/connector-vendure@1.0.1, 1.0.2, and 1.0.3
According to data from OX Security, this incident has impacted over 170 packages across both npm and PyPI registries, accumulating more than 518 million downloads. Reports indicate that at least 400 repositories containing stolen credentials have been created as part of this attack wave, all of which include the phrase “Shai-Hulud: Here We Go Again.”
Microsoft’s analysis of the malicious mistralai PyPI package revealed that it is designed to download a credential stealer from a remote server. The stealer includes country-aware logic to avoid Russian-language environments and a geofenced destructive branch whose destructive commands run only in certain geographic locations.
The ongoing activity from this campaign illustrates its capacity to propagate across various ecosystems, affecting search infrastructure, AI tooling, aviation-related developer packages, enterprise automation, frontend tooling, and CI/CD-adjacent environments.
Source: thehackernews.com