Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
TeamPCP's Mini Shai-Hulud Worm Compromises Over 170 npm and PyPI Packages with Multi-Stage Credential Stealer
TL;DR Threat actor TeamPCP has compromised over 170 packages across npm and PyPI registries, including TanStack (42 packages, 84 versions), Mistral AI, Guardrails AI, UiPath, and OpenSearch, deploying a worm that steals credentials from cloud providers, CI/CD systems, and cryptocurrency wallets. The malware establishes persistence in code editors, exfiltrates data through multiple channels, and includes a destructive wiper routine triggered if developers revoke stolen npm tokens. The TanStack compromise (CVE-2026-45321, CVSS 9.6) marks the first documented npm worm producing validly signed SLSA Build Level 3 provenance attestations.
What happened
Threat actor TeamPCP has launched a supply chain campaign termed "Mini Shai-Hulud" targeting multiple open-source ecosystems. The attack chain begins with compromise of developer workflows and repository permissions, allowing attackers to inject malicious code into package builds and publish them using legitimate CI/CD infrastructure.
For TanStack packages, the attack exploited GitHub Actions by chaining three techniques: the "pull_request_target" trigger (which runs a pull-request job in the base repository's context, with its secrets and write permissions, on code a fork contributor supplies), GitHub Actions cache poisoning (a cache entry saved in that privileged context is restorable by later runs on the default branch, including the release workflow), and runtime memory extraction of OIDC tokens from the runner process. Attackers staged a malicious payload in a GitHub fork via an orphaned commit, then hijacked the legitimate "TanStack/router" workflow to publish compromised versions. Critically, TanStack's OIDC trusted publisher configuration granted trust at the repository level rather than scoping it to specific protected branches and workflow files, so the orphaned commit could request a valid short-lived npm publish token.
The compromised TanStack packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm to produce validly attested malicious packages. The worm subsequently spreads autonomously by locating publishable npm tokens with bypass_2fa set to true, enumerating all packages published by the same maintainer, and exchanging GitHub OIDC tokens for per-package publish tokens to bypass traditional authentication.
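The risky workflow shape described above can be spotted mechanically. The following is an added example, not TanStack's workflow and not code from the campaign: two constructed workflow texts (an assumed weak shape combining pull_request_target, an untrusted checkout, id-token: write and a cache save, and a hardened shape triggered by a tag push with install scripts disabled) and a regex-based first-pass audit over them. The function and finding names are this example's own.

```python
"""Added example: a line-oriented triage check for the GitHub Actions pattern
described above. It is not TanStack's workflow and not code from the campaign.
The two workflow texts are constructed to show the weak and hardened shapes."""
import re

# Constructed: a release workflow with the risky combination. Assumed shape only.
WEAK_WORKFLOW = """\
name: release
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ runner.os }}
      - run: npm ci && npm run build
      - run: npm publish --provenance
"""

# Constructed: the same release job with the risky pieces removed.
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
      - run: npm ci --ignore-scripts && npm run build
      - run: npm publish --provenance
"""


def audit_workflow(text: str) -> list[str]:
    """Return sorted finding ids for a workflow file's text.

    Regex based on purpose: a first pass over many repositories, not a
    YAML-correct parser."""
    findings = []
    pr_target = re.search(r"^\s*pull_request_target\s*:", text, re.M) is not None
    if pr_target:
        # Jobs run in the base repository context, with its secrets and
        # write permissions, on code a fork contributor controls.
        findings.append("pull-request-target")
        if re.search(r"id-token\s*:\s*write", text):
            # An OIDC token minted here can be exchanged for a publish token.
            findings.append("id-token-with-pr-target")
        if re.search(r"uses\s*:\s*actions/cache@", text):
            # A cache entry saved in base-branch scope is restorable by the
            # release workflow: the poisoning primitive described above.
            findings.append("cache-with-pr-target")
    if re.search(r"ref\s*:.*pull_request\.head", text):
        # Checking out the PR head executes untrusted code in the privileged job.
        findings.append("untrusted-checkout")
    return sorted(findings)


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

The trusted-publisher scope itself lives on the registry side and cannot be linted from the repository; this check only catches the workflow half of the chain. A publish job legitimately needs id-token: write, so that permission is flagged only in combination with the pull_request_target trigger.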
The malicious code appears in different forms depending on the registry. In npm packages, an obfuscated JavaScript file named "router_init.js" profiles the execution environment and launches a credential stealer targeting cloud providers, cryptocurrency wallets, AI tools, messaging applications, and CI systems including GitHub Actions. The TanStack cluster runs it from a prepare lifecycle hook under the Bun runtime. Mistral AI's npm packages use an earlier variant of the loader, replacing package.json with one whose preinstall hook invokes "node setup.mjs" to download Bun and execute the same JavaScript malware.
PyPI packages follow different patterns: the mistralai package downloads a credential stealer from a remote server (83.142.209[.]194) with country-aware logic to avoid Russian-language environments and includes a geofenced destructive branch with a 1-in-6 chance of executing "rm -rf /" when systems appear to be in Israel or Iran. The guardrails-ai@0.10.1 package executes malicious code on import, checking for Linux systems, downloading a remote Python artifact from "https://git-tanstack.com/transformers.pyz," and writing it to /tmp/transformers.pyz.
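As an added example (not code from the campaign; the sample manifests are constructed approximations of the shapes described above, not the real package files), a small audit of npm lifecycle scripts for the loader patterns this section names: Bun invocations, a node .mjs loader, the router_init.js and setup.mjs names, and generic fetch-and-run commands. The scan_node_modules helper walks an installed tree; function and pattern names are this example's own.

```python
"""Added example: flag npm manifests whose install-time lifecycle scripts match
the loader patterns described above. Not code from the campaign; the sample
manifests are constructed approximations, not the actual compromised files."""
import json
import os
import re

# npm runs these automatically during install/pack; 'prepare' also runs on a
# bare `npm install` in the package's own checkout.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepack", "postpack")

# Patterns drawn from the page: Bun invocations, a node loader (.mjs), the
# dropper file names, and generic fetch-and-run primitives.
SUSPICIOUS = {
    "bun-runtime": re.compile(r"(^|[\s;&|])bunx?\b"),
    "node-loader": re.compile(r"\bnode\b[^;&|]*\.mjs\b"),
    "known-dropper": re.compile(r"router_init\.js|setup\.mjs"),
    "fetch-and-run": re.compile(r"\b(curl|wget)\b|\bbash\s+-c\b|\bsh\s+-c\b"),
}


def audit_manifest(manifest: dict) -> list[tuple[str, str]]:
    """Return (hook, pattern-id) pairs for every suspicious lifecycle script."""
    scripts = manifest.get("scripts") or {}
    hits = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for pid, rx in SUSPICIOUS.items():
            if rx.search(cmd):
                hits.append((hook, pid))
    return hits


def scan_node_modules(root: str) -> dict[str, list[tuple[str, str]]]:
    """Walk an installed tree and audit every package.json found under it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the scan
        hits = audit_manifest(manifest)
        if hits:
            report[os.path.relpath(dirpath, root)] = hits
    return report


# Constructed sample manifests (assumed shapes, not the real package files).
BENIGN = {"name": "example-lib", "scripts": {"build": "tsc", "prepare": "husky"}}
PREPARE_VIA_BUN = {"name": "example-a", "scripts": {"prepare": "bun ./router_init.js"}}
PREINSTALL_LOADER = {"name": "example-b", "scripts": {"preinstall": "node setup.mjs"}}

if __name__ == "__main__":
    for m in (BENIGN, PREPARE_VIA_BUN, PREINSTALL_LOADER):
        print(m["name"], audit_manifest(m) or "clean")
    print(scan_node_modules("node_modules") or "nothing flagged")
```

Run it against node_modules after a suspect install, or against extracted tarballs from an internal mirror. A hit is a reason to look, not proof: legitimate packages also use prepare hooks, which is why the check reports which pattern matched rather than a verdict.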
Exfiltration occurs through three redundant channels: the "filev2.getsession[.]org" domain using Session Protocol infrastructure (chosen to evade enterprise blocking), GitHub repositories under the author "claude@users.noreply.github.com" via GitHub GraphQL API using stolen tokens, and a typosquat domain "git-tanstack[.]com." The malware installs a gh-token-monitor service to continuously re-exfiltrate GitHub tokens and injects malicious GitHub Actions workflows to serialize repository secrets into JSON and upload to "api.masscan[.]cloud."
Persistence is established through hooks in Claude Code and Microsoft Visual Studio Code that survive reboots and re-execute the stealer on every IDE launch.
A destructive dead-man's switch is embedded: the malware polls "api.github.com/user" every 60 seconds with a stolen token to detect revocation. The token carries the description "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner" as a warning to its owner; once the check reports the token revoked, the malware executes "rm -rf ~/" on the infected machine, functioning as wiper malware. The source describes this as an npm token check, but api.github.com/user is a GitHub API endpoint that validates GitHub credentials, so treat revocation of the stolen GitHub token as the trigger and handle npm tokens with the same caution.
According to OX Security data, the campaign has affected over 170 packages spanning both registries with more than 518 million cumulative downloads. At least 400 attacker-controlled repositories have been created containing stolen credentials, all bearing the string "Shai-Hulud: Here We Go Again."
Why it matters
This campaign represents a fundamental escalation in supply chain attack sophistication. For developers and DevOps teams, the implications are severe:
Trusted publishing abuse: Attackers have weaponized GitHub Actions OIDC tokens and trusted publisher configurations, turning legitimate CI/CD infrastructure into a distribution mechanism. The worm's ability to autonomously propagate by identifying and reusing npm tokens with 2FA bypass enabled means a single compromised package can infect entire organization ecosystems.
Persistence and surveillance: The malware's establishment of hooks in development IDEs means every launch of Claude Code or VS Code re-executes the stealer. Credentials stolen include GitHub tokens, npm tokens, cloud provider credentials, and cryptocurrency wallet keys—attackers gain access to deployment pipelines and financial assets simultaneously.
Destructive capabilities: The wiper routine is not a failsafe but a hostile deterrent. Developers who revoke the monitored token from a still-connected machine risk losing their home directory, which forces a choice between leaving the attacker's access in place and accepting data destruction unless the machine is isolated and imaged before revocation. That ordering constraint complicates incident response.
Detection evasion: Valid SLSA provenance attestations mean these malicious packages pass automated integrity checks. Provenance attests that a package was built by the stated workflow from the stated commit; it says nothing about whether that commit or workflow was trustworthy, so supply chain tooling that treats a valid attestation as a trust decision accepts the compromised versions. Exfiltration over privacy-focused decentralized infrastructure (Session Protocol) evades blocklists built around known malicious domains and blends into traffic that enterprises are reluctant to block.
Scale and scope: Over 518 million cumulative downloads across affected packages means the blast radius spans countless organizations. The PyPI packages that execute on import need no install hook at all: simply importing the module in an application or a test run triggers the payload, before runtime security tools have anything to inspect.
Affected systems and CVEs
- TanStack (42 packages, 84 versions) — CVE-2026-45321
- Mistral AI (mistralai@2.4.6 on PyPI)
- Guardrails AI (guardrails-ai@0.10.1 on PyPI)
- UiPath
- OpenSearch (@opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, 3.8.0)
- DraftLab
- @squawk/mcp@0.9.5
- @squawk/weather@0.5.10
- @squawk/flightplan@0.5.6
- @tallyui/connector-medusa@1.0.1, 1.0.2, 1.0.3
- @tallyui/connector-vendure@1.0.1, 1.0.2, 1.0.3
- Over 170 packages total across npm and PyPI
CVE-2026-45321 carries a CVSS score of 9.6 out of 10.0, indicating critical severity.
What to do
- Do not revoke tokens before isolating and imaging the system. The dead-man's switch runs "rm -rf ~/" once it sees the monitored token revoked, and because the check goes to api.github.com/user, treat the stolen GitHub token with the same care as npm tokens. Isolate affected machines, image drives for forensics, then revoke tokens only after the machine is offline. The source does not say how the monitor treats a failed request as opposed to a revoked token, so where an instant VM snapshot is available, take it before disconnecting.
- Identify compromised packages in your dependency tree. Audit package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Pipfile and poetry.lock for the affected packages and versions listed above, and check internal registry mirrors that may have cached them. Cross-reference against the deployment timeline to determine the exposure window.
- Revoke compromised credentials after system isolation. From an unaffected machine, revoke all GitHub tokens, npm tokens, cloud provider credentials, and cryptocurrency wallet access. Assume every secret readable during the infection period is compromised, including repository secrets reachable through injected GitHub Actions workflows.
- Audit GitHub Actions workflows for malicious modifications. Search workflow files for steps that serialize repository secrets, upload to "api.masscan[.]cloud", or execute external scripts. Inspect git history for commits containing "Shai-Hulud: Here We Go Again" across all repositories.
- Search GitHub for attacker-created data drops. Query for commits authored as "claude@users.noreply.github.com" and for repositories under your organization's users containing the string "Shai-Hulud: Here We Go Again".
- Check IDE configuration for persistence hooks. Inspect Claude Code and VS Code configuration directories for hooks or tasks that run a shell command on every launch, and check the host for the gh-token-monitor service.
- Scope OIDC trusted publisher configuration to specific workflow files and protected branches rather than the repository as a whole, so that an orphaned commit or an unrelated workflow run cannot request a publish token. Review workflows that use pull_request_target and ensure they neither check out the pull request head nor hold id-token: write.
- Monitor CI/CD logs for suspicious OIDC token usage and GitHub Actions workflow executions. Flag unusual npm publish operations, particularly those using per-package tokens rather than repository-level tokens.
- Review network egress for communication to the exfiltration infrastructure: filev2.getsession[.]org, git-tanstack[.]com, api.masscan[.]cloud, and 83.142.209[.]194. Block them and retain the logs for scoping.
- Implement behavioral monitoring during package installation and build phases. Detect execution of obfuscated JavaScript files, Bun runtime invocations from lifecycle scripts, remote Python artifact downloads (for example to /tmp/transformers.pyz), and shell commands typical of the payload. Installing with --ignore-scripts in CI removes the preinstall/prepare vector for packages that do not need lifecycle scripts.
- Rotate all developer machine credentials and re-image systems where these packages were installed in development environments; removing IDE hooks alone is not sufficient given the stealer's multiple persistence points.
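The checklist above, as one added example (not the vendor's or any project's tooling): offline helpers that match a lockfileVersion 3 package-lock.json and a requirements.txt against the versions this page names, and scan egress log lines for the listed indicators. The version table covers only the versions named on this page (the 42 TanStack packages are not enumerated here), and the lockfile, requirements file and log lines are constructed samples.

```python
"""Added example: offline triage helpers for the checklist above. Not the
vendor's tooling. The affected-version table is transcribed only from the
versions this page names; the lockfile, requirements and log samples are
constructed for the demonstration."""
import re

# Only the versions named on this page; the full list of ~170 packages is not
# reproduced here, so treat a clean result as "nothing in this subset".
AFFECTED_NPM = {
    "@opensearch-project/opensearch": {"3.5.3", "3.6.2", "3.7.0", "3.8.0"},
    "@squawk/mcp": {"0.9.5"},
    "@squawk/weather": {"0.5.10"},
    "@squawk/flightplan": {"0.5.6"},
    "@tallyui/connector-medusa": {"1.0.1", "1.0.2", "1.0.3"},
    "@tallyui/connector-vendure": {"1.0.1", "1.0.2", "1.0.3"},
}
AFFECTED_PYPI = {"mistralai": {"2.4.6"}, "guardrails-ai": {"0.10.1"}}

# Network indicators listed on the page, with the defanging removed.
IOCS = {"filev2.getsession.org", "git-tanstack.com", "api.masscan.cloud", "83.142.209.194"}


def audit_package_lock(lock: dict) -> list[tuple[str, str]]:
    """Match lockfileVersion 2/3 'packages' entries against AFFECTED_NPM."""
    hits = []
    for path, entry in (lock.get("packages") or {}).items():
        # Keys look like "node_modules/@scope/name" (nested paths included);
        # the package name is whatever follows the last "node_modules/".
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")
        if version in AFFECTED_NPM.get(name, ()):
            hits.append((name, version))
    return sorted(hits)


def audit_requirements(text: str) -> list[tuple[str, str]]:
    """Match pinned 'name==version' lines (extras and comments tolerated)."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", line)
        if not m:
            continue  # unpinned or non-requirement line: cannot match a version
        name = m.group(1).lower().replace("_", "-")  # PyPI name normalisation
        if m.group(2) in AFFECTED_PYPI.get(name, ()):
            hits.append((name, m.group(2)))
    return sorted(hits)


def find_ioc_hits(log_lines) -> list[tuple[int, str]]:
    """Return (line-number, indicator) for egress log lines naming an IOC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        clean = line.replace("[.]", ".")  # accept defanged lines pasted from tickets
        for ioc in IOCS:
            if ioc in clean:
                hits.append((n, ioc))
    return sorted(hits)


# Constructed samples, not real artefacts.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@opensearch-project/opensearch": {"version": "3.6.2"},
        "node_modules/@squawk/mcp": {"version": "0.9.4"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_REQUIREMENTS = "requests==2.32.3\nMistralAI[agents]==2.4.6  # pinned\nguardrails-ai>=0.9\n"
SAMPLE_EGRESS = [
    "2026-01-01T10:00:00Z host=dev01 dst=registry.npmjs.org:443 action=allow",
    "2026-01-01T10:00:07Z host=dev01 dst=filev2.getsession.org:443 action=allow",
    "2026-01-01T10:00:09Z host=dev01 dst=83.142.209.194:443 action=allow",
]

if __name__ == "__main__":
    print(audit_package_lock(SAMPLE_LOCK))
    print(audit_requirements(SAMPLE_REQUIREMENTS))
    print(find_ioc_hits(SAMPLE_EGRESS))
```

The requirements check deliberately ignores unpinned specifiers such as "guardrails-ai>=0.9": a range cannot be matched against a version list, and such a line is itself a finding, since whatever the resolver last picked has to be recovered from the installed environment (pip freeze) rather than the file.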
Open questions
- The source does not specify the initial attack vector for compromising the TanStack repository prior to the GitHub Actions chain.
- The complete list of affected packages beyond those explicitly named in reports is not provided; the source indicates "over 170 packages" without exhaustive enumeration.
- Whether other maintainers' OIDC trusted publisher configurations share the same repository-level scope weakness is unclear.
- The precise timeline of attack initiation and discovery is not stated in the source material.
- Whether npm and PyPI have removed the malicious package versions from the public registries is not confirmed in the source.
- The mechanism by which attackers initially obtained or generated the stolen GitHub OIDC token is not explained.
Source
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages


