Skip to main content
Emerging ThreatsSupply Chain Attacks

Mini Shai-Hulud Worm Targets Multiple AI, Dev Packages

Cluttered tech workspace with laptop and development tools on a desk.

"The attack published malicious versions through the project's own GitHub Actions release pipeline using hijacked OIDC tokens," StepSecurity researcher Ashish Kurmi said.

How the Mini Shai‑Hulud worm operates

Security firms tracing a fresh supply‑chain campaign attribute the activity to TeamPCP and call the malware family "Mini Shai‑Hulud." A modified npm package includes an obfuscated JavaScript file, "router_init.js," that profiles the execution environment and launches a credential stealer designed to harvest a wide range of sensitive data — from cloud provider credentials and cryptocurrency wallets to AI tooling and messaging apps, as well as CI systems including GitHub Actions, Aikido Security, Endor Labs, SafeDep, Socket, and StepSecurity, the reporting said.

Exfiltration is routed first to the domain filev2.getsession[.]org, a Session Protocol infrastructure the attackers are assessed to use deliberately because it is unlikely to be blocked in enterprise environments. As a fallback, stolen GitHub tokens are used to commit encrypted data to attacker‑controlled repositories under the author name "claude@users.noreply.github.com" via the GitHub GraphQL API.

The GitHub Actions chain: fork, cache poisoning, and OIDC memory theft

TanStack traced the root of its compromise to a chained GitHub Actions attack that used the "pull_request_target" trigger, GitHub Actions cache poisoning, and runtime memory extraction of an OIDC token from the Actions runner process. Attackers are assessed to have staged malicious payloads in a fork, injected them into published npm tarballs, and hijacked the project's legitimate "TanStack/router" workflow to publish compromised versions with valid SLSA provenance.

Crucially, the worm can spread itself to other packages by locating a publishable npm token with bypass_2fa set to true, enumerating every package published by the same maintainer, and exchanging a GitHub OIDC token for a per‑package publish token — effectively sidestepping traditional authentication barriers.

TanStack impact: CVE-2026-45321, scale, and unusual attestations

The TanStack incident has been assigned CVE‑2026‑45321 and carries a CVSS score of 9.6 out of 10.0. TanStack reported the intrusion affected 42 packages and 84 versions across its ecosystem. Security researchers flagged a rare escalation: the compromised packages carried valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm reported to produce validly attested malicious packages.

Secondary compromises: PyPI, OpenSearch, AI tooling and more

Mini Shai‑Hulud activity was observed beyond TanStack. A non‑exhaustive list of affected packages includes:

  • guardrails-ai@0.10.1 (PyPI)
  • mistralai@2.4.6 (PyPI)
  • @opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, and 3.8.0
  • @squawk/mcp@0.9.5; @squawk/weather@0.5.10; @squawk/flightplan@0.5.6
  • @tallyui/connector-medusa@1.0.1, 1.0.2, 1.0.3; @tallyui/connector-vendure@1.0.1, 1.0.2, 1.0.3

Microsoft's analysis of the malicious mistralai PyPI package found it attempts to download a credential stealer from 83.142.209[.]194 that contains country‑aware logic to avoid Russian‑language environments and a "geofenced destructive branch" with a 1‑in‑6 chance of executing rm -rf / when the system appears to be in Israel or Iran.

Socket noted the guardrails‑ai@0.10.1 compromise is "especially notable because the malicious code executes on import." That package checks for Linux systems, downloads a remote Python artifact from https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz, and executes it with python3 without verifying integrity.

Technical evasions and persistence: IDE hooks, token monitors, and workflow injection

Beyond credential theft and exfiltration, the malware includes persistence mechanisms. It can install hooks in Claude Code and Microsoft Visual Studio Code (VS Code) so the stealer re‑executes on every IDE launch. The campaign also installs a "gh-token-monitor" service to watch for and re‑exfiltrate GitHub tokens, and injects two malicious GitHub Actions workflows designed to serialize repository secrets into a JSON object and upload them to api.masscan[.]cloud.

What this means for technologists, maintainers, and enterprise teams

  • Technologists and security teams: Watch for indicators cited in reporting — router_init.js, gh-token-monitor, commits from "claude@users.noreply.github.com," and outbound connections to filev2.getsession[.]org and api.masscan[.]cloud — and prioritize inspection of GitHub Actions runners for OIDC token exposure and cache poisoning.
  • Open‑source maintainers and CI administrators: Scrutinize workflows that use the "pull_request_target" trigger, validate build provenance despite SLSA attestations, and audit token scopes and bypass_2fa settings that the worm exploits to publish across a maintainer's packages.
  • Affected enterprises and procurement leaders: Note that compromised packages span search infrastructure, AI tooling, aviation‑related developer packages, enterprise automation, frontend tooling, and CI/CD‑adjacent ecosystems — and may require cross‑team inventory and incident response actions tied to the listed packages and versions.

Mini Shai‑Hulud demonstrates how a single chain of trust abuse in CI can ripple across ecosystems: valid SLSA attestations and normal release pipelines were leveraged to create and distribute malicious artifacts, and fallback exfiltration and persistence mechanisms aim to make detection and remediation harder. The record here leaves a single, practical imperative — defenders must treat provenance claims and CI attestations as signals to verify, not guarantees to trust.

Source: The Hacker News — Mini Shai‑Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages