
Malware Infects Hundreds of Open-Source Packages in Supply-Chain Attack


“We saw very limited community spread,” said Charlie Eriksen, a security researcher with Aikido Security — a cautious line that sits against the broader fact that hundreds of open-source packages were infected and that some affected components are downloaded millions of times weekly. TanStack’s React Router alone accounts for more than 12 million weekly downloads, placing the malicious code deep inside modern build systems and developer machines.

What happened: a sprawling supply‑chain compromise

Security researchers and affected maintainers describe a campaign labeled “mini Shai‑Hulud” that embedded credential‑stealing malware into development tooling across major open‑source registries. The campaign compromised prominent libraries and projects, including packages maintained by TanStack, UiPath, and MistralAI. TanStack reported it had pulled all compromised software versions from the registry.

Experts say the malicious updates slipped past two‑factor authentication and carried cryptographically valid provenance signatures. Those signatures attest that a package was built and published by the expected continuous integration (CI) pipeline; they say nothing about whether that pipeline was fed trustworthy inputs, so a pipeline manipulated into approving malicious code produces a perfectly valid signature. Likewise, 2FA protects a maintainer’s interactive login, not a release performed by automation the maintainer has already authorized.

How the attackers gained and distributed access

Researchers attribute the campaign to a group called TeamPCP, described in the reporting as a cloud‑focused criminal organization that emerged in late 2025 and specializes in automating supply‑chain attacks against cloud‑native infrastructure. The initial foothold was an “orphaned commit”: code pushed to a repository fork without a corresponding branch, which nonetheless triggered GitHub Actions workflows whose permissions were broad enough to start an automated release process.

The malicious update pulled in a concealed dependency that fetched a heavily obfuscated, 2.3‑megabyte payload disguised as an initialization module. On execution, the payload used Bun, a high‑speed JavaScript runtime, to harvest keys and passwords for cloud and secrets infrastructure: Amazon Web Services, Google Cloud Platform, Kubernetes, and HashiCorp Vault.

Persistence, propagation, and extortion techniques

The malware operated as a self‑propagating worm that published copies of itself to other projects while spoofing activity to appear as automated commits from the Anthropic Claude bot. To maintain continuous access on developer machines, the code embedded itself into local configuration files for popular developer tooling — notably Visual Studio Code and Anthropic’s Claude Code — ensuring execution each time a project was opened or an AI coding session began.

To avoid conventional network detection, stolen data was exfiltrated over Session, described as an anonymous messaging app that bounces traffic across a decentralized network. The attackers also employed a secondary extortion tactic: generating new registry tokens that contained a ransom note in the token description, threatening a destructive wipe if victims tried to revoke compromised access.

Responses, detection signals, and vendor guidance

Socket CEO Feross Aboukhadijeh told CyberScoop there is “no single centralized kill switch for this kind of campaign,” and outlined practical signals organizations should watch for: installations of compromised package versions in CI/CD or developer environments; unexpected outbound connections to campaign infrastructure; suspicious changes in package lockfiles; unusual package publishes from their own maintainers or CI systems; and persistence artifacts in developer tooling directories.

Stephen Thoemmes, senior developer advocate at Snyk, highlighted a blind spot exploited by the attackers: directories like .claude/ and .vscode/ are typically excluded from version control via .gitignore and are rarely scrutinized as viable attack surfaces. “While these hook and task systems provide valuable automation for legitimate work, they offer a silent execution environment for malicious code,” Thoemmes said, urging that local tooling directories receive the same security scrutiny as production infrastructure.

The reporting also relays an immediate operational recommendation from affected vendors and researchers: anyone who downloaded the affected tools on Monday should immediately rotate all connected cloud, server, and developer credentials, including Amazon Web Services, Google Cloud, and GitHub, because pulling the packages from the registry does nothing to recover credentials that have already been exfiltrated.

What this means for developer teams and enterprises

  • Developer and security teams: Expect to hunt for persistence in developer tooling directories, inspect CI workflows for overly broad permissions, and scan package lockfiles and recent publishes from maintainers and CI systems for anomalies.
  • Open‑source maintainers and registries: Be aware that provenance signatures and 2FA do not prevent abuse if CI pipelines or workflow permissions are misconfigured; the attack shows a need to review how automated releases are authorized.
  • Enterprises relying on popular libraries: Even volunteer‑maintained packages can be a vector into critical infrastructure; Charlie Eriksen warned this is “an all‑of‑society problem,” not a volunteer versus corporate dichotomy.

The “mini Shai‑Hulud” campaign demonstrates a blunt technical truth detailed by multiple experts: attackers can turn trusted automation into a bypass for modern safeguards. As Feross Aboukhadijeh put it, by the time a malicious package is confirmed, it “may already have been installed inside the exact environments attackers want most: developer machines and CI runners.” The incident leaves one practical question for organizations and registries alike — how to harden the link between a package’s origin and the integrity of the automation that publishes it.

Read the original CyberScoop story