Defend your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps



Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer workstations, the worm harvests credentials from over 100 file paths: AWS keys, SSH private keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, according to SecurityWeek.

It steals Claude and Kiro AI agent configurations, including MCP server auth tokens for every external service an agent connects to. And it does not leave when the package is removed.

The worm installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-executes on every project open, plus a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These live in the project tree, not in node_modules. Uninstalling the package does not remove them. On CI runners, the worm reads runner process memory directly through /proc/pid/mem to extract secrets, including masked ones, on Linux-based runners. If you revoke tokens before isolating the machine, a destructive daemon wipes your home directory, Wiz's analysis found.

Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend's tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. CVE-2026-45321, CVSS 9.6. OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned.

"TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway," Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat in an exclusive interview. "What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch affiliation is enough to get a valid publish token. That's a one-line configuration fix."

Three vulnerabilities chained into one provenance-attested worm

TanStack's postmortem lays out the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration, chosen to evade fork-list searches per Snyk's analysis. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack's runner. The attacker poisoned the GitHub Actions cache. When a legitimate maintainer merged to main, the release workflow restored the poisoned cache. Attacker binaries read /proc/pid/mem, extracted the OIDC token, and POSTed directly to registry.npmjs.org. Tests failed. Publish was skipped. 84 signed packages still reached the registry.

"Each vulnerability bridges the trust boundary the others assumed," the postmortem states. Published tradecraft from the March 2025 tj-actions/changed-files compromise, recombined in a new context.

The worm crossed from npm into PyPI within hours

Microsoft Threat Intelligence confirmed the mistralai PyPI package v2.4.6 executes on import (not on install), downloading a payload disguised as Hugging Face Transformers. npm mitigations (lockfile enforcement, --ignore-scripts) do not cover Python import-time execution.

Mistral AI published a security advisory confirming the impact. Compromised npm packages were available between May 11 at 22:45 UTC and May 12 at 01:53 UTC (roughly three hours). The PyPI release mistralai==2.4.6 is quarantined. Mistral said an affected developer device was involved but no Mistral infrastructure was compromised. SafeDep confirmed Mistral never released v2.4.6; no commits landed on May 11 and no tag exists.

Wiz documented the full blast radius: 65 UiPath packages, Mistral AI SDKs, OpenSearch, Guardrails AI, 20 Squawk packages. StepSecurity attributes the campaign to TeamPCP, based on toolchain overlap with prior Shai-Hulud waves and the Bitwarden CLI/Trivy compromises. The worm runs under Bun rather than Node.js to evade Node.js security monitoring.

The attacker treated AI coding agents as part of the trusted execution environment

Socket's technical analysis of the 2.3 MB router_init.js payload identifies ten credential-collection classes running in parallel. The worm writes persistence into .claude/ and .vscode/ directories, hooking Claude Code's SessionStart config and VS Code's folder-open task runner. StepSecurity's deobfuscation showed the worm also harvests Claude and Kiro MCP server configurations (~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json), which store API keys and auth tokens for external services. This is an early but confirmed instance of supply-chain malware treating AI agent configurations as high-value credential targets. The npm token description the worm sets reads: "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner." It is not a bluff.

"What stood out to me about this payload is where it planted itself after running," Kennedy told VentureBeat. "It wrote persistence hooks into Claude Code's SessionStart config and VS Code's folder-open task runner so it would re-execute every time a developer opened a project, even after the npm package was removed. The attacker treated the AI coding agent as part of the trusted execution environment, which it is. These tools read your repo, run shell commands, and have access to the same secrets a developer does. Securing a development environment now means thinking about the agents, not just the packages."

CI/CD Trust-Chain Audit Grid

Six gaps Mini Shai-Hulud exploited, what your CI/CD does today, and the control that closes each one. Each entry below gives the audit question (the control to apply), then what your CI/CD does today, then the gap.

1. Pin OIDC trusted publishing to a specific workflow file on a specific protected branch. Constrain id-token: write to only the publish job. Ensure that job runs from a clean workspace with no restored untrusted cache.

What your CI/CD does today: Most orgs grant OIDC trust at the repository level. Any workflow run in the repo can request a publish token. id-token: write is typically set at the workflow level, not scoped to the publish job.

The gap: The worm achieved code execution inside the legitimate release workflow via cache poisoning, then extracted the OIDC token from runner process memory. Branch/workflow pinning alone would not have stopped this attack, because the malicious code was already running inside the pinned workflow. The complete fix requires pinning PLUS constraining id-token: write to only the publish job PLUS ensuring that job uses a clean, unshared cache.

2. Treat SLSA provenance as necessary but not sufficient. Add behavioral analysis at install time.

What your CI/CD does today: Teams treat a valid Sigstore provenance badge as proof a package is safe. npm audit signatures passes. The badge is green. Procurement and compliance workflows accept provenance as a gate.

The gap: All 84 malicious TanStack versions carry valid SLSA Build Level 3 provenance attestations, the first widely reported npm worm with validly attested packages. Provenance attests where a package was built, not whether the build was authorized. Socket's AI scanner flagged all 84 artifacts within six minutes of publication. Provenance flagged zero.

3. Isolate the GitHub Actions cache per trust boundary. Invalidate caches after suspicious PRs. Never check out and execute fork code in pull_request_target workflows.

What your CI/CD does today: Fork-triggered workflows and release workflows share the same cache namespace. Closing or reverting a malicious PR is treated as restoring clean state. pull_request_target is widely used for benchmarking and bundle-size analysis with fork PR checkout.

The gap: The attacker poisoned the pnpm store via a fork-triggered pull_request_target workflow that checked out and executed fork code on the base runner. The cache survived PR closure. The next legitimate release workflow restored the poisoned cache on merge. actions/cache@v5 uses a runner-internal token for cache saves, not the workflow's GITHUB_TOKEN, so permissions: contents: read does not prevent mutation. Kennedy: "Branch protection rules don't apply to commits that aren't on any branch, so that entire layer of hardening didn't help."
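As an added example (not TanStack's or any other project's workflow), this release workflow applies the step 1 and step 3 controls: permissions denied by default, id-token: write granted only to the publish job, and a publish job that installs from the registry with no cache step. The registry side of trusted publishing (which repository, which workflow file and optionally which environment may publish) is configured on npmjs.com, not in this file; the file name release.yml and the environment name npm-release are placeholders.

```yaml
# Added example, not TanStack's or any other project's workflow. Illustrates the
# step 1 and step 3 controls: permissions denied by default, id-token: write
# granted only to the publish job, and a publish job that installs from the
# registry with no cache step. The registry side of trusted publishing (which
# repository, which workflow file, optionally which environment may publish) is
# configured on npmjs.com; release.yml and npm-release below are placeholders.
name: release

on:
  push:
    branches: [main]          # main is a protected branch; no tag or fork triggers here

permissions: {}               # default-deny; every job must ask for what it needs

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci --ignore-scripts
      - run: npm test

  publish:
    needs: test
    runs-on: ubuntu-latest
    environment: npm-release  # protected environment: required reviewers gate the token
    permissions:
      contents: read
      id-token: write         # the only job in the repo that may mint an OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Deliberately no actions/cache here. A key scheme is not a trust boundary:
      # cache saves use a runner-internal token, so any code that ran on a runner
      # in this repo could have seeded the entry a release run would restore.
      - run: npm ci --ignore-scripts
      - run: npm run build
      - run: npm publish --provenance --access public
```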

4. Audit optionalDependencies in lockfiles and dependency graphs. Block github: refs pointing to non-release commits.

What your CI/CD does today: Static analysis and lockfile enforcement focus on dependencies and devDependencies. optionalDependencies with github: commit refs are not flagged by most tools.

The gap: The worm injected optionalDependencies pointing to a github: orphan commit in the attacker's fork. When npm resolves a github: dependency, it clones the referenced commit and runs lifecycle hooks (including prepare) automatically. The payload executed before the main package's own install step completed. SafeDep confirmed Mistral never released v2.4.6; no commits landed and no tag exists.

5. Audit Python dependency imports separately from npm controls. Cover AI/ML pipelines consuming guardrails-ai, mistralai, or any compromised PyPI package.

What your CI/CD does today: npm mitigations (lockfile enforcement, --ignore-scripts) are applied to the JavaScript stack. Python packages are assumed safe if pip install completes. AI/ML CI pipelines are treated as internal testing infrastructure, not as supply-chain attack targets.

The gap: Microsoft Threat Intelligence confirmed mistralai PyPI v2.4.6 executes on import, not on install. Injected code in __init__.py downloads a payload disguised as Hugging Face Transformers. --ignore-scripts is irrelevant for Python import-time execution. [email protected] also executes on import. Any agentic repo with GitHub Actions id-token: write is exposed to the same OIDC extraction technique. LLM API keys, vector DB credentials, and external service tokens are all in the blast radius.

6. Isolate and image affected machines before revoking stolen tokens. Do not revoke npm tokens until the host is forensically preserved.

What your CI/CD does today: Standard incident response: revoke compromised tokens first, then investigate. npm token list followed by immediate revocation is the instinctive first step.

The gap: The worm installs a persistent daemon (macOS LaunchAgent / Linux systemd) that polls GitHub every 60 seconds. On detecting token revocation (40X error), it triggers rm -rf ~/, wiping the home directory. The npm token description reads: "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner." Microsoft reported geofenced destructive behavior: a 1-in-6 chance of rm -rf / on systems appearing to be in Israel or Iran. Kennedy: "Even after the package is gone, the payload may still be sitting in .claude/ with a SessionStart hook pointing at it. rm -rf node_modules doesn't remove it."

Sources: TanStack postmortem, StepSecurity, Socket, Snyk, Wiz, Microsoft Threat Intelligence, Mend, Endor Labs. May 12, 2026.

Security director action plan

  • Today: "The fastest check is find . -name 'router_init.js' -size +1M and grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json," Kennedy said. If either returns a hit, isolate and image the machine immediately. Do not revoke tokens until the host is forensically preserved. The worm's destructive daemon triggers on revocation. Once the machine is isolated, rotate credentials in this order: npm tokens first, then GitHub PATs, then cloud keys. Hunt for .claude/settings.json and .vscode/tasks.json persistence artifacts across every project that was open on the affected machine.

  • This week: Rotate every credential accessible from affected hosts: npm tokens, GitHub PATs, AWS keys, Vault tokens, K8s service accounts, SSH keys. Check your packages for unexpected versions published after May 11 with commits by [email protected]. Block filev2.getsession[.]org and git-tanstack[.]com.

  • This month: Audit every GitHub Actions workflow against the six gaps above. Pin OIDC publishing to specific workflows on protected branches. Isolate cache keys per trust boundary. Set npm config set min-release-age=7d. For AI/ML teams: check guardrails-ai and mistralai against the compromised versions, audit CI pipelines for id-token: write exposure, and rotate every LLM API key and vector DB credential accessible from CI.

  • This quarter (board-level): Fund behavioral analysis at the package registry layer. Provenance verification alone is no longer a sufficient procurement criterion for supply-chain security tooling. Require CI/CD security audits as part of vendor risk assessments for any tool with publish access to your registries. Establish a policy that no workflow with id-token: write runs from a shared cache. Treat AI coding agent configurations (.claude/, .kiro/, .vscode/) as credential stores subject to the same access controls as cloud key vaults.
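The "Today" checks and the step 4 lockfile audit, as an added triage script that is not from the article or any vendor it cites: it reports lockfile entries resolved from github:/git+ refs, the package-lock hash Kennedy quotes, an oversized router_init.js, and the .vscode/tasks.json and .claude/settings.json persistence hooks, and builds a constructed sample tree (harmless placeholder JSON, no real payload) so the checks can be exercised offline. The function and file names are the script's own.

```sh
#!/bin/sh
# Added triage helper; not code from the article or from any vendor it cites.
# Walks one checkout for the indicators the article describes: lockfile
# entries resolved from github:/git+ refs (step 4), the package-lock hash from
# the "Today" check, an oversized router_init.js, and persistence hooks that
# survive uninstall (.vscode/tasks.json runOn: folderOpen, .claude/settings.json
# SessionStart). It only reports; imaging the host comes before any revocation.

IOC_SHA='79ac49eedf774dd4b0cfa308722bc463cfe5885c'   # commit hash quoted in the article

# Lockfile dependencies fetched from a git commit instead of the registry.
lockfile_git_refs() {
  find "$1" -name package-lock.json -exec \
    grep -En '"(version|resolved)": *"(github:|git\+|git://)' {} /dev/null \; 2>/dev/null
}

# Lockfiles that reference the article's indicator commit.
lockfile_ioc() {
  find "$1" -name package-lock.json -exec grep -l "$IOC_SHA" {} \; 2>/dev/null
}

# Persistence outside node_modules: removing the package leaves these behind.
persistence_hooks() {
  find "$1" -path '*/.vscode/tasks.json' \
    -exec grep -l '"runOn": *"folderOpen"' {} \; 2>/dev/null
  find "$1" -path '*/.claude/settings.json' -exec grep -l SessionStart {} \; 2>/dev/null
}

# The payload size check from the article's quick test.
oversized_router_init() {
  find "$1" -name router_init.js -size +1M 2>/dev/null
}

# Returns 0 when the tree is clean, 1 (after printing the hits) otherwise.
triage() {
  out=$( { lockfile_git_refs "$1"; lockfile_ioc "$1"
           persistence_hooks "$1"; oversized_router_init "$1"; } )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample tree (harmless placeholders, not real payload) for offline runs.
make_constructed_tree() {
  mkdir -p "$1/.vscode" "$1/.claude"
  printf '{\n "packages": {\n  "node_modules/x": {\n   "version": "github:example/x#0123abc",\n   "resolved": "git+ssh://git@github.com/example/x.git#0123abc"\n  }\n }\n}\n' > "$1/package-lock.json"
  printf '{"tasks":[{"label":"init","runOptions":{"runOn":"folderOpen"},"command":"node .hook.js"}]}\n' > "$1/.vscode/tasks.json"
  printf '{"hooks":{"SessionStart":[{"hooks":[{"type":"command","command":"node .hook.js"}]}]}}\n' > "$1/.claude/settings.json"
}
```

Run `triage /path/to/checkout` per project; a non-zero exit means a hit was printed and the host should be isolated and imaged before anything is rotated.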

The worm is iterating. Defenders must, as well

This is the fifth Shai-Hulud wave in eight months. Four SAP packages became 84 TanStack packages in two weeks. [email protected] fell 29 hours later, confirming active propagation through stolen CI/CD infrastructure. Late on May 12, the malware analysis collective vx-underground reported that the fully weaponized Shai-Hulud worm code has been open-sourced. If confirmed, this means the attack is no longer limited to TeamPCP. Any threat actor can now deploy the same cache-poisoning, OIDC-extraction, and provenance-attested publishing chain against any npm or PyPI package with a misconfigured CI/CD pipeline.

"We've been tracking this campaign family since September 2025," Kennedy said. "Each wave has picked a higher-download target and introduced a more technically interesting entry vector. The orphaned commit technique here is genuinely novel. Branch protection rules don't apply to commits that aren't on any branch. The supply chain security space has spent a lot of energy on provenance and trusted publishing over the last two years. This attack walked straight through both of those controls because the gap wasn't in the signing. It was in the scope."

Provenance tells you where a package was built. It does not tell you whether the build was authorized. That is the gap this audit is designed to close.




Disclaimer: This article is sourced from external platforms. OverBeta has not independently verified the information. Readers are advised to verify details before relying on them.
