Mini Shai-Hulud Worm: Critical Supply Chain Attack Hits TanStack and npm Ecosystem


These articles are AI-generated summaries. Please check the original sources for full details.

Mini Shai-Hulud: a supply-chain worm that exploited TanStack and the npm ecosystem.

The Mini Shai-Hulud campaign, orchestrated by TeamPCP, compromised over 170 packages including TanStack and Mistral AI. The attack utilized a credential-stealing worm with a critical CVSS severity of 9.6.

Why This Matters

This incident demonstrates that SLSA provenance and cryptographic signatures are insufficient if the CI/CD pipeline itself is compromised. By extracting OIDC tokens from memory, attackers can publish malicious code that appears legitimate to automated security scanners, effectively turning trusted infrastructure against its maintainers.

Key Insights

  • Over 170 packages and 500 million downloads were affected by the CVE-2026-45321 vulnerability in 2026.
  • Attackers extracted OIDC tokens from GitHub Actions runner memory (/proc/*/mem) to bypass MFA during npm publishing.
  • The malware established persistence via VS Code and Claude Code configurations using hidden setup scripts.
  • A PyPI variant targeted guardrails-ai and mistralai, showing the cross-ecosystem nature of the TeamPCP group.
  • Traditional static scanners failed to detect the malware due to runtime obfuscation and second-stage payload delivery.

Working Examples

Malicious prepare script injected into the @tanstack/setup package to trigger the worm.

    {
      "scripts": {
        "prepare": "bun run tanstack_runner.js"
      }
    }

Practical Applications

  • Use Case: Implementing GitHub Actions hardening by restricting OIDC scopes to specific deployment jobs. Pitfall: Allowing pull_request_target to run on unvalidated forks, leading to cache poisoning.
  • Use Case: Rotating all secrets (AWS, GCP, npm) immediately if a vulnerable package version was installed in CI. Pitfall: Failing to remove local persistence files like .vscode/setup.mjs, allowing reinfection.
