Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer workstations, the worm harvests credentials from over 100 file paths: AWS keys, SSH private keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, according to SecurityWeek.
It steals Claude and Kiro AI agent configurations, including MCP server auth tokens for every external service an agent connects to. And it does not leave when the package is removed.
The worm installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-executes on every project open, plus a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These live in the project tree, not in node_modules. Uninstalling the package does not remove them. On Linux-based CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones. If you revoke tokens before isolating the machine, Wiz's analysis found, a destructive daemon wipes your home directory.
Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend's tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. CVE-2026-45321, CVSS 9.6. OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned.
"TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway," Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat in an exclusive interview. "What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch affiliation is enough to get a valid publish token. That's a one-line configuration fix."
Three vulnerabilities chained into one provenance-attested worm
TanStack's postmortem lays out the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration, chosen to avoid fork-list searches per Snyk's analysis. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack's runner. The attacker poisoned the GitHub Actions cache. When a legitimate maintainer merged to main, the release workflow restored the poisoned cache. Attacker binaries read /proc/pid/mem, extracted the OIDC token, and POSTed directly to registry.npmjs.org. Tests failed. Publish was skipped. 84 signed packages still reached the registry.
"Each vulnerability bridges the trust boundary the others assumed," the postmortem states. Published tradecraft from the March 2025 tj-actions/changed-files compromise, recombined in a new context.
The worm crossed from npm into PyPI inside hours
Microsoft Threat Intelligence confirmed the mistralai PyPI package v2.4.6 executes on import (not on install), downloading a payload disguised as Hugging Face Transformers. npm mitigations (lockfile enforcement, --ignore-scripts) don't cover Python import-time execution.
Mistral AI published a security advisory confirming the impact. Compromised npm packages were available between May 11 at 22:45 UTC and May 12 at 01:53 UTC (roughly three hours). The PyPI release mistralai==2.4.6 is quarantined. Mistral stated an affected developer machine was involved but no Mistral infrastructure was compromised. SafeDep confirmed Mistral never released v2.4.6; no commits landed May 11 and no tag exists.
Wiz documented the full blast radius: 65 UiPath packages, Mistral AI SDKs, OpenSearch, Guardrails AI, 20 Squawk packages. StepSecurity attributes the campaign to TeamPCP, based on toolchain overlap with prior Shai-Hulud waves and the Bitwarden CLI/Trivy compromises. The worm runs under Bun rather than Node.js to evade Node.js security monitoring.
The attacker treated AI coding agents as part of the trusted execution environment
Socket's technical analysis of the 2.3 MB router_init.js payload identifies ten credential-collection classes running in parallel. The worm writes persistence into .claude/ and .vscode/ directories, hooking Claude Code's SessionStart config and VS Code's folder-open task runner. StepSecurity's deobfuscation showed the worm also harvests Claude and Kiro MCP server configurations (~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json), which store API keys and auth tokens for external services. This is an early but confirmed instance of supply-chain malware treating AI agent configurations as high-value credential targets. The npm token description the worm sets reads: "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner." It is not a bluff.
"What stood out to me about this payload is where it planted itself after running," Kennedy told VentureBeat. "It wrote persistence hooks into Claude Code's SessionStart config and VS Code's folder-open task runner so it would re-execute every time a developer opened a project, even after the npm package was removed. The attacker treated the AI coding agent as part of the trusted execution environment, which it is. These tools read your repo, run shell commands, and have access to the same secrets a developer does. Securing a development environment now means thinking about the agents, not just the packages."
CI/CD Trust-Chain Audit Grid
Six gaps Mini Shai-Hulud exploited. What your CI/CD does today. The control that closes each one.
Audit question | What your CI/CD does today | The gap |
--- | --- | --- |
1. Pin OIDC trusted publishing to a specific workflow file on a specific protected branch. Constrain id-token: write to only the publish job. Ensure that job runs from a clean workspace with no restored untrusted cache | Most orgs grant OIDC trust at the repository level. Any workflow run in the repo can request a publish token. id-token: write is often set at the workflow level, not scoped to the publish job. | The worm achieved code execution inside the legitimate release workflow via cache poisoning, then extracted the OIDC token from runner process memory. Branch/workflow pinning alone would not have stopped this attack because the malicious code was already running inside the pinned workflow. The complete fix requires pinning PLUS constraining id-token: write to only the publish job PLUS ensuring that job uses a clean, unshared cache. |
2. Treat SLSA provenance as necessary but not sufficient. Add behavioral analysis at install time | Teams treat a valid Sigstore provenance badge as proof a package is safe. npm audit signatures passes. The badge is green. Procurement and compliance workflows accept provenance as a gate. | All 84 malicious TanStack versions carry valid SLSA Build Level 3 provenance attestations. First widely reported npm worm with validly-attested packages. Provenance attests where a package was built, not whether the build was authorized. Socket's AI scanner flagged all 84 artifacts within six minutes of publication. Provenance flagged zero. |
3. Isolate GitHub Actions cache per trust boundary. Invalidate caches after suspicious PRs. Never attempt to execute fork code in pull_request_target workflows | Fork-triggered workflows and release workflows share the same cache namespace. Closing or reverting a malicious PR is treated as restoring clean state. pull_request_target is widely used for benchmarking and bundle-size analysis with fork PR checkout. | Attacker poisoned the pnpm store via a fork-triggered pull_request_target that checked out and executed fork code on the base runner. Cache survived PR closure. The next legitimate release workflow restored the poisoned cache on merge. actions/cache@v5 uses a runner-internal token for cache saves, not the workflow's GITHUB_TOKEN, so permissions: contents: read does not prevent mutation. Kennedy: 'Branch protection rules don't apply to commits that aren't on any branch, so that whole layer of hardening didn't help.' |
4. Audit optionalDependencies in lockfiles and dependency graphs. Block github: refs pointing to non-release commits | Static analysis and lockfile enforcement focus on dependencies and devDependencies. optionalDependencies with github: commit refs aren't flagged by most tools. | The worm injected optionalDependencies pointing to a github: orphan commit in the attacker's fork. When npm resolves a github: dependency, it clones the referenced commit and runs lifecycle hooks (including prepare) automatically. The payload executed before the main package's own install step completed. SafeDep confirmed Mistral never released v2.4.6; no commits landed and no tag exists. |
5. Audit Python dependency imports separately from npm controls. Cover AI/ML pipelines consuming guardrails-ai, mistralai, or any compromised PyPI package | npm mitigations (lockfile enforcement, --ignore-scripts) are applied to the JavaScript stack. Python packages are assumed safe if pip install completes. AI/ML CI pipelines are treated as internal testing infrastructure, not as supply-chain attack targets. | Microsoft Threat Intelligence confirmed mistralai PyPI v2.4.6 executes on import, not install. Injected code in __init__.py downloads a payload disguised as Hugging Face Transformers. --ignore-scripts is irrelevant for Python import-time execution. guardrails-ai@0.10.1 also executes on import. Any agentic repo with GitHub Actions id-token: write is exposed to the same OIDC extraction technique. LLM API keys, vector DB credentials, and external service tokens are all in the blast radius. |
6. Isolate and image affected machines before revoking stolen tokens. Don't revoke npm tokens until the host is forensically preserved | Standard incident response: revoke compromised tokens first, then investigate. npm token list and immediate revocation is the instinctive first step. | The worm installs a persistent daemon (macOS LaunchAgent / Linux systemd) that polls GitHub every 60 seconds. On detecting token revocation (40X error), it triggers rm -rf ~/, wiping the home directory. The npm token description reads: 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.' Microsoft reported geofenced destructive behavior: a 1-in-6 chance of rm -rf / on systems appearing to be in Israel or Iran. Kennedy: 'Even after the package is gone, the payload may be sitting in .claude/ with a SessionStart hook pointing at it. rm -rf node_modules doesn't remove it.' |
Sources: TanStack postmortem, StepSecurity, Socket, Snyk, Wiz, Microsoft Threat Intelligence, Mend, Endor Labs. May 12, 2026.
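An added example for gap 4 in the grid above (not code from TanStack's postmortem or any of the cited vendors): a small lockfile audit that parses a constructed package-lock.json and flags optionalDependencies resolved from github: or other git refs, rating pins to a bare commit hash highest because no tag or branch protection ever covered that commit. The org and package names in the sample are made up.

```python
import json
import re

# Constructed sample package-lock.json (v3 layout), not from any real release: the root
# package declares an optionalDependency resolved from a github: ref that is pinned to a
# bare commit hash instead of a release tag.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"left-pad": "^1.3.0"},
            "optionalDependencies": {
                "config-helper": "github:example-org/config-helper"
                                 "#0123456789abcdef0123456789abcdef01234567",
            },
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
})

# Dependency specs that make npm clone a git repository and run its lifecycle scripts.
GIT_SPEC = re.compile(r"^(github:|git\+|git://|gitlab:|bitbucket:|gist:)")
# A #fragment that is a raw commit hash rather than a tag such as #v1.2.3.
BARE_COMMIT = re.compile(r"#[0-9a-f]{7,40}$")

def audit_lockfile(lock_text: str) -> list[dict]:
    """Return one finding per optionalDependency (lockfile v2/v3) that resolves from
    a git host. Bare-commit pins are rated high: npm clones that exact commit and runs
    its prepare script before the main install finishes, and no branch protection or
    release process ever reviewed the commit."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        for name, spec in entry.get("optionalDependencies", {}).items():
            if not GIT_SPEC.match(spec):
                continue
            findings.append({
                "declared_in": path or "<root>",
                "dependency": name,
                "spec": spec,
                "severity": "high" if BARE_COMMIT.search(spec) else "medium",
            })
    return findings
```

Run it against every package-lock.json in CI as a gate; a "high" finding should block the build until someone has read the referenced commit.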
Security director action plan
Today: "The fastest check is find . -name 'router_init.js' -size +1M and grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json," Kennedy said. If either returns a hit, isolate and image the machine immediately. Don't revoke tokens until the host is forensically preserved. The worm's destructive daemon triggers on revocation. Once the machine is isolated, rotate credentials in this order: npm tokens first, then GitHub PATs, then cloud keys. Hunt for .claude/settings.json and .vscode/tasks.json persistence artifacts across every project that was open on the affected machine.
This week: Rotate every credential accessible from affected hosts: npm tokens, GitHub PATs, AWS keys, Vault tokens, K8s service accounts, SSH keys. Check your packages for unexpected versions after May 11 with commits by claude@users.noreply.github.com. Block filev2.getsession[.]org and git-tanstack[.]com.
This month: Audit every GitHub Actions workflow against the six gaps above. Pin OIDC publishing to specific workflows on protected branches. Isolate cache keys per trust boundary. Set npm config set min-release-age=7d. For AI/ML teams: check guardrails-ai and mistralai against compromised versions, audit CI pipelines for id-token: write exposure, and rotate every LLM API key and vector DB credential accessible from CI.
This quarter (board-level): Fund behavioral analysis at the package registry layer. Provenance verification alone is not a sufficient procurement criterion for supply-chain security tooling. Require CI/CD security audits as part of vendor risk assessments for any tool with publish access to your registries. Establish a policy that no workflow with id-token: write runs from a shared cache. Treat AI coding agent configurations (.claude/, .kiro/, .vscode/) as credential stores subject to the same access controls as cloud key vaults.
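An added example (not code from the article's sources) for the persistence hunt in the plan above: it scans a project tree for the two auto-run locations the article names, SessionStart hooks in .claude/settings.json and tasks with runOn: folderOpen in .vscode/tasks.json, and builds a constructed sample project to run against. The settings.json hook layout and the payload path are assumptions, not indicators from this campaign.

```python
import json
import tempfile
from pathlib import Path

def _commands_under(node) -> list[str]:
    """Collect every 'command' string anywhere beneath a JSON node."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                found.append(value)
            else:
                found.extend(_commands_under(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(_commands_under(item))
    return found

def scan_project(root: Path) -> list[str]:
    """Report hooks that re-execute on project open: Claude Code SessionStart hooks
    (.claude/settings.json, assumed layout hooks -> SessionStart -> [{hooks: [{command}]}])
    and VS Code tasks with runOptions.runOn == "folderOpen" (.vscode/tasks.json).
    Both live in the project tree, so deleting node_modules does not remove them."""
    findings = []
    claude = root / ".claude" / "settings.json"
    if claude.is_file():
        hooks = json.loads(claude.read_text()).get("hooks", {})
        for cmd in _commands_under(hooks.get("SessionStart")):
            findings.append(f"{claude}: SessionStart hook runs {cmd!r}")
    vscode = root / ".vscode" / "tasks.json"
    if vscode.is_file():
        for task in json.loads(vscode.read_text()).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(f"{vscode}: folderOpen task {task.get('label')!r} runs {task.get('command')!r}")
    return findings

def build_sample_project(with_hooks: bool = True) -> Path:
    """Constructed sample project (not a real infection): a benign lint task, plus the
    two auto-run hooks pointing at a hypothetical payload path when with_hooks is True."""
    root = Path(tempfile.mkdtemp())
    (root / ".claude").mkdir()
    (root / ".vscode").mkdir()
    payload = "node /tmp/PLACEHOLDER_payload.js"  # hypothetical path, not a real IoC
    tasks = [{"label": "lint", "type": "shell", "command": "npm run lint"}]
    hooks = {}
    if with_hooks:
        tasks.append({"label": "init", "type": "shell", "command": payload,
                      "runOptions": {"runOn": "folderOpen"}})
        hooks = {"SessionStart": [{"hooks": [{"type": "command", "command": payload}]}]}
    (root / ".claude" / "settings.json").write_text(json.dumps({"hooks": hooks}))
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": tasks}))
    return root
```

Real tasks.json files are often JSONC with comments, so strip them before json.loads on a live system; any hit is a reason to image the host first and only then revoke tokens, in the order the plan gives.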
The worm is iterating. Defenders must, as well
This is the fifth Shai-Hulud wave in eight months. Four SAP packages became 84 TanStack packages in two weeks. intercom-client@7.0.4 fell 29 hours later, confirming active propagation through stolen CI/CD infrastructure. Late on May 12, malware research collective vx-underground reported that the fully weaponized Shai-Hulud worm code has been open-sourced. If confirmed, this means the attack is no longer limited to TeamPCP. Any threat actor can now deploy the same cache-poisoning, OIDC-extraction, and provenance-attested publishing chain against any npm or PyPI package with a misconfigured CI/CD pipeline.
"We've been tracking this campaign family since September 2025," Kennedy said. "Each wave has picked a higher-download target and introduced a more technically interesting entry vector. The orphaned commit technique here is genuinely novel. Branch protection rules don't apply to commits that aren't on any branch. The supply chain security space has spent a lot of energy on provenance and trusted publishing over the last two years. This attack walked straight through both of those controls because the gap wasn't in the signing. It was in the scope."
Provenance tells you where a package was built. It doesn't tell you whether the build was authorized. That's the gap this audit is designed to close.