AI Daily
Open Source · Friday, 15 May 2026 · 3 min read

Mini Shai-Hulud Worm Hits TanStack, Mistral and 170+ npm Packages

Mini Shai-Hulud worm hit TanStack, Mistral AI, and 170+ packages via GitHub Actions cache poisoning, touching 518 million cumulative npm and PyPI downloads.

[Figure: supply chain attack diagram showing npm package dependency compromise across multiple open source repositories. Source: The Hacker News]

A self-propagating supply chain worm designated Mini Shai-Hulud compromised more than 170 packages across npm and PyPI between May 11 and May 12, hitting some of the most widely downloaded libraries in the JavaScript and Python ecosystems. The packages affected collectively account for 518 million cumulative downloads, and the attack spawned over 400 attacker-controlled repositories using stolen GitHub tokens before the open source security community mounted a coordinated response.

The threat actor behind the campaign, identified as TeamPCP, executed an attack chain of unusual sophistication that exploited GitHub Actions infrastructure rather than compromising developer credentials or package registry accounts directly. OpenAI disclosed on May 13 that two employee devices were impacted by the malicious packages, and the company updated its macOS security certificates as a precaution.

How the Attack Worked

The entry point was a forked repository of TanStack Router — one of the most popular routing libraries in the React ecosystem, with approximately 12 million weekly downloads. TeamPCP created a fork named zblgg/configuration and opened a pull request against the main TanStack/router repository that triggered a pull_request_target workflow in GitHub Actions.

The critical vulnerability lay in GitHub's Actions cache system. The pull request poisoned the pnpm package cache shared between the fork and the main repository. When legitimate TanStack maintainers subsequently merged their own pull requests to the main branch, the release workflow restored the compromised cache, injecting the malicious code into the published npm tarball without the maintainers realising the cache had been tampered with.

The attack then harvested OIDC tokens from the GitHub Actions runner's process memory — specifically from /proc/<pid>/mem — allowing the attacker to publish malicious package versions with valid SLSA provenance attestations. To an external observer, the tampered packages appeared to have passed integrity checks that should have caught unauthorised modifications.

The malicious payload included an embedded obfuscated JavaScript file named router_init.js, approximately 2.3 megabytes in size, designed to steal credentials from CI/CD systems, cloud provider authentication tokens, crypto wallet secrets, and package registry access tokens. Those stolen tokens were then used to publish compromised versions of additional packages — the self-propagating worm behaviour that gave the campaign its name.

The Scope of Compromise

Beyond the 42 TanStack packages that served as the primary infection vector, the worm spread to the Mistral AI TypeScript client (@mistralai/mistralai), the Guardrails AI Python library, multiple packages in the UiPath enterprise automation namespace, and OpenSearch client packages at versions 3.5.3, 3.6.2, 3.7.0, and 3.8.0.

The Hacker News assigned CVE-2026-45321 with a CVSS score of 9.6 to the TanStack compromise. Wiz Research published a detailed technical analysis documenting the triple command-and-control architecture used for data exfiltration: a typosquatted domain (git-tanstack.com), the decentralised Session messenger network, and GitHub API dead-drop repositories — three independent exfiltration channels providing redundancy against takedown.
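A sweep of an installed dependency tree for the two indicators this article names, the router_init.js payload file and the git-tanstack.com domain, can look like the following. This is an added example, not code from Wiz, TanStack or any vendor advisory; the 1 MB size floor and the file extensions checked are assumptions, and the demo tree is constructed.

```python
import os, tempfile

PAYLOAD_NAME = "router_init.js"   # file name reported in this article
C2_DOMAIN = b"git-tanstack.com"   # typosquatted domain reported in this article
SIZE_FLOOR = 1_000_000            # assumption: article says ~2.3 MB, so flag > 1 MB

def sweep(root):
    """Walk an installed dependency tree and return sorted (path, reason) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs", ".json")):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip, keep sweeping
            if name == PAYLOAD_NAME and size > SIZE_FLOOR:
                hits.append((path, "payload-name+size"))
            if C2_DOMAIN in data:
                hits.append((path, "c2-domain"))
    return sorted(hits)

def demo():
    """Build a constructed tree (filler bytes only) and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "node_modules", "example-pkg")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "router_init.js"), "wb") as fh:
            fh.write(b"/* filler */" + b"x" * SIZE_FLOOR)
        with open(os.path.join(pkg, "index.js"), "wb") as fh:
            fh.write(b"fetch('https://git-tanstack.com/x')")
        with open(os.path.join(pkg, "clean.js"), "wb") as fh:
            fh.write(b"module.exports = 1")
        return [(os.path.basename(p), why) for p, why in sweep(root)]

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for triage rather than proof of compromise, and a clean sweep does not rule out a payload that was renamed or repacked.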

A particularly destructive capability was embedded in the malware's persistence mechanism. On developer machines, a daemon installed by the payload polled GitHub every 60 seconds and was designed to execute rm -rf ~/ — a full home directory deletion — if the compromised npm token was revoked. Wiz confirmed the daemon was programmed to exit automatically after 24 hours without triggering, suggesting the destruction capability was intended as a deterrent against immediate revocation rather than a primary attack objective.

Community Response and Lessons

GitHub revoked the compromised OIDC tokens within hours of the attack being reported, and package registries removed the malicious versions. TanStack maintainers published clean releases and detailed post-mortems. The pull_request_target trigger pattern that TeamPCP exploited — running workflows with write permissions in response to pull requests from forks — has been flagged by GitHub's security team before as a high-risk configuration, and the Mini Shai-Hulud campaign is expected to accelerate adoption of more restrictive workflow permissions across open source projects.

Snyk and Orca Security both published advisories recommending that any organisation running the affected package versions audit their CI/CD secrets, rotate cloud credentials, and review GitHub Actions workflow permissions across their dependency trees. The persistence hooks targeting Claude Code and VS Code environments were noted specifically as vectors that could have affected developer machines beyond CI systems.
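The workflow review recommended above can start with a heuristic pass over each workflow file for the combination this article describes: a pull_request_target trigger together with PR-head code and a shared package cache. This is an added example, not tooling from GitHub, Snyk or Orca; both sample workflows are constructed, and the matching is line-based rather than a full YAML parse.

```python
import re

TRIGGER = re.compile(r"\bpull_request_target\b")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
CACHE = re.compile(r"uses:\s*actions/cache(/\w+)?@|^\s*cache:\s*\S+", re.M)
TOP_PERMS = re.compile(r"^permissions:", re.M)

def audit_workflow(text):
    """Heuristic, line-based findings for one workflow file (not a YAML parse)."""
    text = re.sub(r"(^|[ \t])#.*$", "", text, flags=re.M)  # drop YAML comments
    if not TRIGGER.search(text):
        return []  # plain pull_request: fork PRs get no write token or secrets
    findings = ["pull_request_target: fork PRs run in the base repository's context"]
    if PR_HEAD.search(text):
        findings.append("references the PR head, so untrusted code may execute")
    if CACHE.search(text):
        findings.append("touches the Actions cache that later jobs may restore")
    if not TOP_PERMS.search(text):
        findings.append("no top-level permissions: block limiting GITHUB_TOKEN")
    return findings

# Constructed sample workflows, not taken from any real repository.
RISKY = """\
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install
"""
SAFER = """\
on:
  pull_request:   # not pull_request_target
permissions:
  contents: read
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFER), sep="\n")
```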

The inclusion of Mistral AI's npm client in the compromised packages is particularly awkward given Mistral's concurrent positioning as a European cybersecurity alternative for banks. The company confirmed the compromise and published patched versions, but the incident illustrates that supply chain vulnerabilities in the JavaScript ecosystem do not discriminate by the reputational stakes of the package owner.
