VYPR
Breach · Published Apr 30, 2026 · Updated May 19, 2026 · 13 sources

Mini Shai-Hulud Supply Chain Campaign Compromises 1,800+ npm/PyPI Developers Across TanStack, SAP, Intercom, Mistral AI

A coordinated supply-chain attack dubbed "Mini Shai-Hulud" hit 1,800+ npm and PyPI developers over multiple May 18 victim batches, targeting TanStack, SAP, Intercom, Mistral AI, Guardrails AI, and Lightning, and hijacking OIDC tokens to sign malicious packages with valid provenance.

A sophisticated, coordinated supply chain attack named Mini Shai-Hulud has compromised over 170 packages across npm and PyPI, targeting high-profile projects including TanStack, UiPath, Mistral AI, the OpenSearch JavaScript client, Guardrails AI, and Squawk. The campaign, attributed to the notorious hacking group TeamPCP, marks a significant escalation in supply chain attack techniques by chaining three known vulnerability classes to hijack legitimate CI/CD pipelines and publish malicious artifacts with valid SLSA provenance.

The attack chain exploited a `pull_request_target` misconfiguration, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of OIDC tokens from the Actions runner process. In the TanStack compromise, attackers forked the TanStack/router repository, renamed it to `zblgg/configuration`, and opened a pull request that triggered the vulnerable workflow. When legitimate maintainer PRs were later merged, the poisoned cache restored attacker-controlled binaries that extracted OIDC tokens directly from the runner's process memory. The stolen tokens allowed attackers to obtain Sigstore signing certificates, making malicious packages appear to have valid SLSA provenance — a cryptographic guarantee meant to verify a package was built from a trusted source.
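As an added example (not code from the article or from any affected project), this Python script audits a repository's workflow files for the combination described above: a `pull_request_target` job that checks out the pull request head, and trusted jobs that restore a cache while holding `id-token: write`. The pattern names, finding strings and sample workflows are constructed, and the matching is a line-based heuristic, not a YAML parse.

```python
import re

# Heuristic line patterns for the ingredients described above (assumed names).
PATTERNS = {
    "pull_request_target": re.compile(r"^\s*(on\s*:.*|-\s*)?\bpull_request_target\b", re.M),
    "pr_head_checkout": re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"),
    "cache": re.compile(r"uses\s*:\s*actions/cache(/restore|/save)?@"),
    "id_token_write": re.compile(r"id-token\s*:\s*write"),
}

def ingredients(yaml_text):
    """Names of the patterns present, ignoring full-line comments."""
    body = "\n".join(l for l in yaml_text.splitlines() if not l.lstrip().startswith("#"))
    return {name for name, rx in PATTERNS.items() if rx.search(body)}

def audit_repo(workflows):
    """Map {filename: workflow text} to {filename: finding} for risky files."""
    found = {name: ingredients(text) for name, text in workflows.items()}
    # Entry point: fork-controlled code checked out in the base repo's context.
    report = {n: "fork code runs with base-repo trust" for n, f in found.items()
              if {"pull_request_target", "pr_head_checkout"} <= f}
    for n, f in found.items():
        # A cache written from that context can later be restored by trusted jobs.
        if report and n not in report and {"cache", "id_token_write"} <= f:
            report[n] = "restores shared cache while holding OIDC token"
    return report

# Constructed sample workflows (not from any affected repository).
SAMPLE = {
    "bundle-size.yml": """\
on: pull_request_target
jobs:
  size:
    steps:
      - uses: actions/checkout@v4
        with: {ref: "${{ github.event.pull_request.head.sha }}"}
      - uses: actions/cache@v4
      - run: npm ci && npm run build
""",
    "release.yml": """\
on: push
permissions: {id-token: write}
jobs:
  publish:
    steps:
      - uses: actions/cache@v4
      - run: npm publish --provenance
""",
}
```

Calling `audit_repo(SAMPLE)` reports both files; the release workflow is reported only because an entry point exists elsewhere in the same repository.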

Across all 42 compromised TanStack packages, a 2.3 MB obfuscated JavaScript implant named `router_init.js` was injected directly into each tarball. The multi-stage credential stealer fingerprints the environment, systematically harvests credentials from environment variables and API calls across cloud-native CI platforms, and exfiltrates data via three channels: a dedicated domain (`git-tanstack[.]com`), the Session decentralized messaging network, and Dune-themed GitHub repositories created using stolen tokens. The Session network channel is new to TeamPCP's arsenal and is significantly harder to disrupt than traditional exfiltration via domains or GitHub.
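As an added example (not code from the article or from the vendors it cites), this Python script checks a package tarball for the two indicators named above: a member file called `router_init.js` and the exfiltration domain in clear text. The function names and sample archives are constructed; because the implant is obfuscated, the filename is the stronger signal and a domain match mainly catches unobfuscated loader code.

```python
import io
import tarfile

# Indicators taken from the article; the domain appears defanged there.
IMPLANT_NAME = "router_init.js"
EXFIL_DOMAIN = b"git-tanstack" + b".com"

def scan_tarball(fileobj):
    """Return sorted (member, reason) pairs for one gzip'd package tarball."""
    hits = set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Match on the basename so the file is found at any depth.
            if member.name.rsplit("/", 1)[-1] == IMPLANT_NAME:
                hits.add((member.name, "implant filename"))
            data = tar.extractfile(member).read()
            if EXFIL_DOMAIN in data:
                hits.add((member.name, "exfil domain string"))
    return sorted(hits)

def make_tarball(files):
    """Build an in-memory .tgz from {path: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed samples: harmless placeholder bytes, not real package contents.
CLEAN_FILES = {"package/package.json": b'{"name": "example"}',
               "package/dist/index.js": b"module.exports = {};"}
TAINTED_FILES = {"package/package.json": b'{"name": "example"}',
                 "package/router_init.js": b"/* placeholder */",
                 "package/dist/index.js": b"// contacts git-tanstack.com"}

if __name__ == "__main__":
    for label, files in (("clean", CLEAN_FILES), ("tainted", TAINTED_FILES)):
        print(label, scan_tarball(make_tarball(files)))
```

A hit is a triage lead, not a verdict: a file with the same name can exist in an unaffected package.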

The Python variant of the attack targeted Guardrails AI and Mistral AI PyPI packages with a different payload. Guardrails AI received 13 lines of new code that fetches and executes a modular credential stealer from `git-tanstack[.]com`. This payload, which only executes on Linux systems, expands its targeting to include password managers such as 1Password and Bitwarden for the first time. Notably, on systems with Israel or Iran locales, the malware attempts to play an MP3 file at full volume and delete system files.

The worm propagates through npm via the GitHub Actions OIDC federation mechanism, minting valid npm publish tokens on behalf of the compromised CI identity. It also uses the GitHub GraphQL API to commit copies of itself to branches of compromised maintainers' source repositories, with the commit author spoofed to impersonate the Anthropic Claude Code GitHub App. Additionally, the malware installs a persistent daemon that polls GitHub every minute to check for token revocation, and it checks the system language to avoid infecting Russian users.

Security firms Wiz, StepSecurity, Socket, and Snyk have published detailed analyses of the attack. The campaign's dead-drop commit branch names are taken from Frank Herbert's Dune saga, and the malware repositories carry the description "Shai-Hulud: Here We Go Again," consistent with TeamPCP's previous campaigns. TeamPCP has been responsible for multiple supply chain attacks across open source ecosystems over the past several months.

The Mini Shai-Hulud campaign underscores the growing sophistication of supply chain attacks that target the software build and distribution pipeline itself. By exploiting trusted CI/CD mechanisms and cryptographic provenance systems, attackers can bypass traditional security controls and distribute malware under the guise of legitimate, verified software. Organizations using affected packages should immediately audit their dependencies, rotate any potentially compromised tokens, and review CI/CD workflow configurations for the specific vulnerability patterns exploited in this attack.

The latest wave specifically targets the @antv npm ecosystem, compromising the maintainer account 'atool' to push malicious versions of echarts-for-react (~1.1M weekly downloads) and dozens of other packages. Socket reports 639 malicious versions across 323 unique packages were published in a 22-minute automated burst, with the credential-stealer payload now also attempting Docker container escape via stolen npm tokens to self-replicate by injecting malicious code into other packages maintained by the compromised account.

A new wave of the Shai-Hulud campaign published 639 malicious versions across 323 unique npm packages in about one hour, primarily targeting the @antv ecosystem but also affecting popular libraries like echarts-for-react and timeago.js. The updated payload now generates valid Sigstore provenance attestations by abusing OIDC tokens from compromised CI environments, making malicious packages appear legitimately signed. The attacker has also created over 2,700 rogue GitHub repositories using stolen tokens to exfiltrate data, and the campaign's code was recently leaked by the TeamPCP group, complicating attribution.

Synthesized by Vypr AI