
Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer workstations, the worm harvests credentials from over 100 file paths: AWS keys, SSH private keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, according to SecurityWeek.
It steals Claude and Kiro AI agent configurations, including MCP server auth tokens for every external service an agent connects to. And it does not go away when the package is removed.
The worm installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-executes on every project open, plus a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These live in the project tree, not in node_modules. Uninstalling the package does not remove them. On Linux-based CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones. If you revoke tokens before isolating the machine, Wiz’s analysis found, a destructive daemon wipes your home directory.
Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend’s tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. The compromise is tracked as CVE-2026-45321 (CVSS 9.6). OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned.
“TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway,” Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat in an exclusive interview. “What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch association is enough to get a valid publish token. That’s a one-line configuration fix.”
Three vulnerabilities chained into one provenance-attested worm
TanStack’s postmortem lays out the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration, chosen to avoid fork-list searches per Snyk’s analysis. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack’s runner. The attacker poisoned the GitHub Actions cache. When a legitimate maintainer merged to main, the release workflow restored the poisoned cache. Attacker binaries read /proc/pid/mem, extracted the OIDC token, and POSTed directly to registry.npmjs.org. Tests failed. The publish step was skipped. 84 signed packages still reached the registry.
“Each vulnerability bridges the trust boundary the others assumed,” the postmortem states. The pieces are published tradecraft from the March 2025 tj-actions/changed-files compromise, recombined in a new context.
The worm crossed from npm into PyPI within hours
Microsoft Threat Intelligence confirmed the mistralai PyPI package v2.4.6 executes on import (not on install), downloading a payload disguised as Hugging Face Transformers. npm mitigations (lockfile enforcement, --ignore-scripts) do not cover Python import-time execution.
Mistral AI published a security advisory confirming the impact. Compromised npm packages were available between May 11 at 22:45 UTC and May 12 at 01:53 UTC (roughly three hours). The PyPI release mistralai==2.4.6 is quarantined. Mistral stated that an affected developer machine was involved but no Mistral infrastructure was compromised. SafeDep confirmed Mistral never released v2.4.6; no commits landed on May 11 and no tag exists.
Wiz documented the full blast radius: 65 UiPath packages, Mistral AI SDKs, OpenSearch, Guardrails AI, 20 Squawk packages. StepSecurity attributes the campaign to TeamPCP, based on toolchain overlap with prior Shai-Hulud waves and the Bitwarden CLI/Trivy compromises. The worm runs under Bun rather than Node.js to evade Node.js-focused security monitoring.
The attacker treated AI coding agents as part of the trusted execution environment
Socket’s technical analysis of the 2.3 MB router_init.js payload identifies ten credential-collection classes running in parallel. The worm writes persistence into .claude/ and .vscode/ directories, hooking Claude Code’s SessionStart config and VS Code’s folder-open task runner. StepSecurity’s deobfuscation showed the worm also harvests Claude and Kiro MCP server configurations (~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json), which store API keys and auth tokens for external services. This is an early but confirmed instance of supply-chain malware treating AI agent configurations as high-value credential targets. The npm token description the worm sets reads: “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.” It’s not a bluff.
“What stood out to me about this payload is where it planted itself after running,” Kennedy told VentureBeat. “It wrote persistence hooks into Claude Code’s SessionStart config and VS Code’s folder-open task runner so it would re-execute every time a developer opened a project, even after the npm package was removed. The attacker treated the AI coding agent as part of the trusted execution environment, which it is. These tools read your repo, run shell commands, and have access to the same secrets a developer does. Securing a development environment now means thinking about the agents, not just the packages.”
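A scanner for the two project-tree persistence artifacts described above, as an added example (not code from the article, Socket, StepSecurity or Endor Labs). The file layouts are assumptions: a VS Code tasks.json task with runOptions.runOn set to folderOpen, and a Claude Code settings.json whose hooks.SessionStart groups carry command hooks. The sample tree it scans is constructed; the LaunchAgent / systemd daemon lives at fixed per-user paths outside the project tree and is not covered here.

```python
"""Scan a checkout for the project-tree persistence hooks the article describes.

Added example, not code from the article or the vendors it cites. The file
layouts are assumptions: VS Code tasks.json tasks with runOptions.runOn ==
"folderOpen", and Claude Code settings.json with hooks.SessionStart groups that
each carry a "hooks" list of {"type": "command", "command": ...} entries.
"""
import json
import os
import re
import tempfile

FOLDER_OPEN_RE = re.compile(r'"runOn"\s*:\s*"folderOpen"')


def _load_jsonc(path):
    """tasks.json is JSONC: comments and trailing commas are legal. Try strict
    JSON first, then progressively looser parses; return None if nothing parses."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    no_comments = re.sub(r"//[^\n]*", "", text)          # crude: also eats // inside strings
    no_trailing = re.sub(r",\s*([}\]])", r"\1", no_comments)
    for candidate in (text, no_comments, no_trailing):
        try:
            return json.loads(candidate)
        except json.JSONDecodeError:
            continue
    return None


def vscode_folder_open_tasks(path):
    """Commands of tasks that auto-run when the folder is opened."""
    data = _load_jsonc(path)
    if not isinstance(data, dict):
        # Unparseable, by accident or on purpose: fall back to a regex so a
        # mangled file cannot slip past the check.
        with open(path, encoding="utf-8", errors="replace") as fh:
            mangled = FOLDER_OPEN_RE.search(fh.read())
        return ["<unparseable tasks.json matches runOn: folderOpen>"] if mangled else []
    return [task.get("command") or task.get("label", "<unnamed>")
            for task in data.get("tasks", [])
            if isinstance(task, dict)
            and task.get("runOptions", {}).get("runOn") == "folderOpen"]


def claude_session_start_hooks(path):
    """Commands registered to run at Claude Code session start."""
    data = _load_jsonc(path)
    if not isinstance(data, dict):
        return []
    return [hook.get("command", "")
            for group in data.get("hooks", {}).get("SessionStart", [])
            for hook in group.get("hooks", [])
            if hook.get("type") == "command"]


def scan_tree(root):
    """Walk root and return (path, kind, command) findings. node_modules is skipped
    deliberately: the hooks live in the project tree, not under it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        base = os.path.basename(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if base == ".vscode" and name == "tasks.json":
                findings += [(full, "vscode-folderOpen", c) for c in vscode_folder_open_tasks(full)]
            elif base == ".claude" and name == "settings.json":
                findings += [(full, "claude-SessionStart", c) for c in claude_session_start_hooks(full)]
    return findings


def build_sample_tree():
    """Constructed sample tree (not real infection data): planted hooks in three
    projects (plain JSON, JSONC, deliberately mangled) plus one clean project."""
    root = tempfile.mkdtemp(prefix="persist-scan-")

    def put(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    put("infected/.vscode/tasks.json", json.dumps({"version": "2.0.0", "tasks": [
        {"label": "dev", "type": "shell", "command": "node .claude/router_init.js",
         "runOptions": {"runOn": "folderOpen"}}]}))
    put("infected/.claude/settings.json", json.dumps({"hooks": {"SessionStart": [
        {"matcher": "", "hooks": [{"type": "command", "command": "bun .claude/router_init.js"}]}]}}))
    put("clean/.vscode/tasks.json", json.dumps({"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "pnpm build"}]}))
    put("clean/.claude/settings.json", json.dumps({"permissions": {"allow": ["Bash(pnpm test)"]}}))
    put("jsonc/.vscode/tasks.json",
        '// VS Code accepts comments and trailing commas here\n'
        '{ "version": "2.0.0", "tasks": [ { "label": "probe", "command": "sh ./probe.sh",\n'
        '  "runOptions": { "runOn": "folderOpen", }, }, ], }\n')
    put("mangled/.vscode/tasks.json",
        '{ tasks: [ { command: "sh x.sh", runOptions: { "runOn": "folderOpen" } } ] }')
    return root


if __name__ == "__main__":
    for path, kind, command in scan_tree(build_sample_tree()):
        print(f"{kind:20} {command:55} {path}")
```

Run it against every directory a developer had open, not only the repositories that pulled a listed package: the hooks fire on folder open, so any project touched on the affected machine is a candidate.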
CI/CD Trust-Chain Audit Grid
Six gaps Mini Shai-Hulud exploited. What your CI/CD does today. The control that closes each one.

| Audit question | What your CI/CD does today | The gap |
|---|---|---|
| 1. Pin OIDC trusted publishing to a specific workflow file on a specific protected branch. Constrain id-token: write to only the publish job. Ensure that job runs from a clean workspace with no restored untrusted cache | Most orgs grant OIDC trust at the repository level. Any workflow run in the repo can request a publish token. id-token: write is often set at the workflow level, not scoped to the publish job. | The worm achieved code execution inside the legitimate release workflow via cache poisoning, then extracted the OIDC token from runner process memory. Branch/workflow pinning alone would not have stopped this attack because the malicious code was already running inside the pinned workflow. The complete fix requires pinning PLUS constraining id-token: write to only the publish job PLUS ensuring that job uses a clean, unshared cache. |
| 2. Treat SLSA provenance as necessary but not sufficient. Add behavioral analysis at install time | Teams treat a valid Sigstore provenance badge as proof a package is safe. npm audit signatures passes. The badge is green. Procurement and compliance workflows accept provenance as a gate. | All 84 malicious TanStack versions carry valid SLSA Build Level 3 provenance attestations. First widely reported npm worm with validly-attested packages. Provenance attests where a package was built, not whether the build was authorized. Socket’s AI scanner flagged all 84 artifacts within six minutes of publication. Provenance flagged zero. |
| 3. Isolate GitHub Actions cache per trust boundary. Invalidate caches after suspicious PRs. Never attempt to execute fork code in pull_request_target workflows | Fork-triggered workflows and release workflows share the same cache namespace. Closing or reverting a malicious PR is treated as restoring clean state. pull_request_target is widely used for benchmarking and bundle-size analysis with fork PR checkout. | Attacker poisoned the pnpm store via a fork-triggered pull_request_target workflow that checked out and executed fork code on the base runner. The cache survived PR closure. The next legitimate release workflow restored the poisoned cache on merge. actions/cache@v5 uses a runner-internal token for cache saves, not the workflow’s GITHUB_TOKEN, so permissions: contents: read does not prevent mutation. Kennedy: ‘Branch protection rules don’t apply to commits that aren’t on any branch, so that whole layer of hardening didn’t help.’ |
| 4. Audit optionalDependencies in lockfiles and dependency graphs. Block github: refs pointing to non-release commits | Static analysis and lockfile enforcement focus on dependencies and devDependencies. optionalDependencies with github: commit refs are not flagged by most tools. | The worm injected optionalDependencies pointing to a github: orphan commit in the attacker’s fork. When npm resolves a github: dependency, it clones the referenced commit and runs lifecycle hooks (including prepare) automatically. The payload executed before the main package’s own install step completed. SafeDep confirmed Mistral never released v2.4.6; no commits landed and no tag exists. |
| 5. Audit Python dependency imports separately from npm controls. Cover AI/ML pipelines consuming guardrails-ai, mistralai, or any compromised PyPI package | npm mitigations (lockfile enforcement, --ignore-scripts) are applied to the JavaScript stack. Python packages are assumed safe if pip install completes. AI/ML CI pipelines are treated as internal testing infrastructure, not as supply-chain attack targets. | Microsoft Threat Intelligence confirmed mistralai PyPI v2.4.6 executes on import, not install. Injected code in __init__.py downloads a payload disguised as Hugging Face Transformers. --ignore-scripts is irrelevant for Python import-time execution. guardrails-ai@0.10.1 also executes on import. Any agentic repo with GitHub Actions id-token: write is exposed to the same OIDC extraction technique. LLM API keys, vector DB credentials, and external service tokens are all in the blast radius. |
| 6. Isolate and image affected machines before revoking stolen tokens. Do not revoke npm tokens until the host is forensically preserved | Standard incident response: revoke compromised tokens first, then investigate. npm token list followed by immediate revocation is the instinctive first step. | The worm installs a persistent daemon (macOS LaunchAgent / Linux systemd) that polls GitHub every 60 seconds. On detecting token revocation (a 40X error), it triggers rm -rf ~/, wiping the home directory. The npm token description reads: ‘IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.’ Microsoft reported geofenced destructive behavior: a 1-in-6 chance of rm -rf / on systems appearing to be in Israel or Iran. Kennedy: ‘Even after the package is gone, the payload may still be sitting in .claude/ with a SessionStart hook pointing at it. rm -rf node_modules does not remove it.’ |

Sources: TanStack postmortem, StepSecurity, Socket, Snyk, Wiz, Microsoft Threat Intelligence, Mend, Endor Labs. May 12, 2026.
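A heuristic check for the workflow-side half of rows 1 and 3, as an added example and not TanStack’s or any vendor’s tooling. It walks workflow YAML line by line using indentation rather than a YAML parser, so it needs only the Python standard library and handles the common layouts shown; both workflows it scans are constructed for the demo, and the hardened one reflects the row 1 control (job-scoped id-token: write, no restored cache, no fork checkout). It cannot see the registry side of trusted publishing (which workflow filename npm trusts), so that part of row 1 still has to be checked in the package settings on npm.

```python
"""Heuristic scan of GitHub Actions workflow text for the row-1 and row-3 gaps.

Added example, not TanStack's or any vendor's tooling. It reads the YAML line by
line with indentation rules rather than a YAML parser (standard library only),
so it handles the common layouts below and nothing fancier. Both workflows are
constructed for the demo.
"""
import re

PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
# actions/cache directly, or the cache: input of setup-node / setup-python etc.
CACHE_RE = re.compile(r"^(uses:\s*actions/cache\b|cache:\s*\S)")


def audit_workflow(text):
    """Return (code, explanation) findings."""
    top = None            # current top-level key: name, on, permissions, jobs ...
    job = None            # current job id while inside jobs:
    job_indent = None     # indentation of job ids under jobs:
    triggers = set()
    workflow_id_token = False
    jobs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()         # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        s = line.strip().lstrip("- ").strip()        # drop list markers
        if indent == 0:
            top = s.split(":", 1)[0].strip()
            job, job_indent = None, None
            if top == "on" and "pull_request_target" in s:   # on: [push, pull_request_target]
                triggers.add("pull_request_target")
            continue
        if top == "on" and s.split(":", 1)[0].strip() == "pull_request_target":
            triggers.add("pull_request_target")
        elif top == "permissions" and s.startswith("id-token:") and "write" in s:
            workflow_id_token = True
        elif top == "jobs":
            if job_indent is None:
                job_indent = indent
            if indent == job_indent and s.endswith(":"):
                job = s[:-1]
                jobs[job] = {"id_token": False, "cache": False, "pr_head": False}
                continue
            if job is None:
                continue
            if s.startswith("id-token:") and "write" in s:
                jobs[job]["id_token"] = True
            if CACHE_RE.match(s):
                jobs[job]["cache"] = True
            if PR_HEAD_RE.search(s):
                jobs[job]["pr_head"] = True

    findings = []
    if workflow_id_token:
        findings.append(("WORKFLOW_ID_TOKEN",
                         "id-token: write is granted at workflow level, so every job can mint an OIDC publish token"))
    for name, f in jobs.items():
        if "pull_request_target" in triggers and f["pr_head"]:
            findings.append((f"PR_TARGET_FORK_CHECKOUT:{name}",
                             "pull_request_target job checks out the PR head: fork code runs with base-repo privileges and cache write access"))
        if (workflow_id_token or f["id_token"]) and f["cache"]:
            findings.append((f"TOKEN_JOB_SHARED_CACHE:{name}",
                             "job can mint a publish token and restores a cache that another trigger could have written"))
    return findings


def finding_codes(text):
    return sorted(code for code, _ in audit_workflow(text))


WEAK_WORKFLOW = """\
name: release
on: [push, pull_request_target]
permissions:
  contents: read
  id-token: write
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v5
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm bench
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v5
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm publish --provenance
"""

HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write     # only this job, and only after a clean install
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile
      - run: pnpm publish --provenance
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, finding_codes(wf) or "no findings")
```

The bench job in the weak workflow gets flagged twice on purpose: it is the fork-checkout entry point, and because id-token: write sits at workflow level it could also mint a publish token itself. The hardened version drops the cache rather than trying to key it per trust boundary, which is the simplest way to satisfy the row 1 “clean workspace” requirement for a publish job.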
Security director action plan
- Today: “The fastest check is find . -name 'router_init.js' -size +1M and grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json,” Kennedy said. If either returns a hit, isolate and image the machine immediately. Do not revoke tokens until the host is forensically preserved. The worm’s destructive daemon triggers on revocation. Once the machine is isolated, rotate credentials in this order: npm tokens first, then GitHub PATs, then cloud keys. Hunt for .claude/settings.json and .vscode/tasks.json persistence artifacts across every project that was open on the affected machine.
- This week: Rotate every credential accessible from affected hosts: npm tokens, GitHub PATs, AWS keys, Vault tokens, K8s service accounts, SSH keys. Check your packages for unexpected versions after May 11 with commits by claude@users.noreply.github.com. Block filev2.getsession[.]org and git-tanstack[.]com.
- This month: Audit every GitHub Actions workflow against the six gaps above. Pin OIDC publishing to specific workflows on protected branches. Isolate cache keys per trust boundary. Run npm config set min-release-age=7d. For AI/ML teams: check guardrails-ai and mistralai against the compromised versions, audit CI pipelines for id-token: write exposure, and rotate every LLM API key and vector DB credential accessible from CI.
- This quarter (board-level): Fund behavioral analysis at the package registry layer. Provenance verification alone is no longer a sufficient procurement criterion for supply-chain security tooling. Require CI/CD security audits as part of vendor risk assessments for any tool with publish access to your registries. Establish a policy that no workflow with id-token: write runs from a shared cache. Treat AI coding agent configurations (.claude/, .kiro/, .vscode/) as credential stores subject to the same access controls as cloud key vaults.
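A lockfile audit that covers both row 4 of the grid and the “Today” grep above, as an added example that is not the article’s or TanStack’s code. The lockfile is constructed for the demo (the package names and versions are invented); the commit hash is the IOC Kennedy tells readers to grep for and the fork name is the one the postmortem cites. The fsevents entry is there as a negative case: a registry-sourced optional dependency must not trip the check.

```python
"""Audit a package-lock.json for the row-4 signals: git-sourced optionalDependencies
and a known-bad commit hash.

Added example, not the article's or TanStack's code. SAMPLE_LOCK is constructed
for the demo (package names and versions are invented); the commit hash is the
IOC the article tells readers to grep for and the fork name is the one the
postmortem cites.
"""
import json
import re

IOC_COMMITS = {"79ac49eedf774dd4b0cfa308722bc463cfe5885c"}

# npm spec forms that bypass the registry: hosted-git shorthands, git/ssh URLs,
# arbitrary URLs, and the bare owner/repo[#ref] GitHub shorthand.
GIT_SPEC_RE = re.compile(
    r"^(github:|gitlab:|bitbucket:|gist:|git\+|git://|ssh://|git@|https?://"
    r"|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#|$))")
GIT_RESOLVED_RE = re.compile(r"^(git\+|git://|git@|https?://github\.com/)")
SHA_RE = re.compile(r"\b[0-9a-f]{40}\b")


def audit_lockfile(lock):
    """Return (node, field, value, reason) findings for a lockfileVersion 2/3 file."""
    findings = []
    packages = lock.get("packages", {})
    for node, meta in packages.items():
        label = node or "<root>"
        # 1. optional deps declared by any node; npm clones a git spec and runs
        #    its prepare hook before the parent's own install finishes.
        for name, spec in meta.get("optionalDependencies", {}).items():
            if GIT_SPEC_RE.match(spec):
                findings.append((label, f"optionalDependencies.{name}", spec,
                                 "git-sourced optional dependency"))
        # 2. any node resolved from git instead of a registry tarball
        resolved = meta.get("resolved", "")
        if GIT_RESOLVED_RE.match(resolved):
            findings.append((label, "resolved", resolved,
                             "resolved from git, not the registry"
                             + (" (optional)" if meta.get("optional") else "")))
    # 3. known-bad commit hashes anywhere in the file; a base64 integrity hash
    #    can contain 40 hex chars by chance, which is why this needs a set match.
    for sha in set(SHA_RE.findall(json.dumps(lock))) & IOC_COMMITS:
        findings.append(("*", "commit", sha, "matches published IOC"))
    return findings


def is_clean(lock):
    return not audit_lockfile(lock)


SAMPLE_LOCK = {  # constructed for the demo
    "name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app",
             "dependencies": {"demo-lib": "^1.0.0"},
             "optionalDependencies": {
                 "configuration": "github:zblgg/configuration#79ac49eedf774dd4b0cfa308722bc463cfe5885c"}},
        "node_modules/demo-lib": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/demo-lib/-/demo-lib-1.0.0.tgz",
            "optionalDependencies": {"fsevents": "^2.3.3"}},   # legitimate registry optional dep
        "node_modules/fsevents": {
            "version": "2.3.3", "optional": True, "os": ["darwin"],
            "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz"},
        "node_modules/configuration": {
            "version": "0.0.1", "optional": True,
            "resolved": "git+ssh://git@github.com/zblgg/configuration.git#79ac49eedf774dd4b0cfa308722bc463cfe5885c"},
    }}


if __name__ == "__main__":
    for node, field, value, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{node:30} {field:35} {reason}\n{'':30} {value}")
```

Point it at a real lockfile with json.load and it reports three things: the declaration (which package asked for the git dependency), the resolution (the clone that actually ran prepare), and the IOC match. The first two are the durable control; the hash list only catches this wave.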
The worm is iterating. Defenders must, as well
This is the fifth Shai-Hulud wave in eight months. Four SAP packages became 84 TanStack packages in two weeks. intercom-client@7.0.4 fell 29 hours later, confirming active propagation through stolen CI/CD infrastructure. Late on May 12, the malware research collective vx-underground reported that the fully weaponized Shai-Hulud worm code has been open-sourced. If confirmed, this means the attack is no longer limited to TeamPCP. Any threat actor can now deploy the same cache-poisoning, OIDC-extraction, and provenance-attested publishing chain against any npm or PyPI package with a misconfigured CI/CD pipeline.
“We’ve been tracking this campaign family since September 2025,” Kennedy said. “Each wave has picked a higher-download target and introduced a more technically interesting entry vector. The orphaned commit technique here is genuinely novel. Branch protection rules don’t apply to commits that aren’t on any branch. The supply chain security space has spent a lot of energy on provenance and trusted publishing over the last two years. This attack walked straight through both of those controls because the gap wasn’t in the signing. It was in the scope.”
Provenance tells you where a package was built. It doesn’t tell you whether the build was authorized. That’s the gap this audit is designed to close.

