Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer workstations, the worm harvests credentials from over 100 file paths: AWS keys, SSH private keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, according to SecurityWeek.

It steals Claude and Kiro AI agent configurations, including MCP server auth tokens for every external service an agent connects to. And it does not go away when the package is removed.

The worm installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-executes on every project open, plus a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These live in the project tree, not in node_modules. Uninstalling the package does not remove them. On CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones, on Linux-based runners. If you revoke tokens before isolating the machine, Wiz's analysis found, a destructive daemon wipes your home directory.

Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend's tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. CVE-2026-45321, CVSS 9.6. OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned.

“TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway,” Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat in an exclusive interview. “What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts your entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch affiliation is enough to get a valid publish token. That's a one-line configuration fix.”

Three vulnerabilities chained into one provenance-attested worm

TanStack's postmortem lays out the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration, chosen to avoid fork-list searches per Snyk's analysis. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack's runner. The attacker poisoned the GitHub Actions cache. When a legitimate maintainer merged to main, the release workflow restored the poisoned cache. Attacker binaries read /proc/pid/mem, extracted the OIDC token, and POSTed directly to registry.npmjs.org. Tests failed. Publish was skipped. 84 signed packages still reached the registry.

“Each vulnerability bridges the trust boundary the others assumed,” the postmortem states. Published tradecraft from the March 2025 tj-actions/changed-files compromise, recombined in a new context.

The worm crossed from npm into PyPI within hours

Microsoft Threat Intelligence confirmed the mistralai PyPI package v2.4.6 executes on import (not on install), downloading a payload disguised as Hugging Face Transformers. npm mitigations (lockfile enforcement, --ignore-scripts) do not cover Python import-time execution.

Mistral AI published a security advisory confirming the impact. Compromised npm packages were available between May 11 at 22:45 UTC and May 12 at 01:53 UTC (roughly three hours). The PyPI release mistralai==2.4.6 is quarantined. Mistral stated that an affected developer system was involved but no Mistral infrastructure was compromised. SafeDep confirmed Mistral never released v2.4.6; no commits landed May 11 and no tag exists.

Wiz documented the full blast radius: 65 UiPath packages, Mistral AI SDKs, OpenSearch, Guardrails AI, 20 Squawk packages. StepSecurity attributes the campaign to TeamPCP, based on toolchain overlap with prior Shai-Hulud waves and the Bitwarden CLI/Trivy compromises. The worm runs under Bun rather than Node.js to evade Node.js security monitoring.

The attacker treated AI coding agents as part of the trusted execution environment

Socket's technical analysis of the 2.3 MB router_init.js payload identifies ten credential-collection classes running in parallel. The worm writes persistence into .claude/ and .vscode/ directories, hooking Claude Code's SessionStart config and VS Code's folder-open task runner. StepSecurity's deobfuscation showed the worm also harvests Claude and Kiro MCP server configurations (~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json), which store API keys and auth tokens for external services. This is an early but confirmed instance of supply-chain malware treating AI agent configurations as high-value credential targets. The npm token description the worm sets reads: “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.” It is not a bluff.

“What stood out to me about this payload is where it planted itself after running,” Kennedy told VentureBeat. “It wrote persistence hooks into Claude Code's SessionStart config and VS Code's folder-open task runner so it would re-execute every time a developer opened a project, even after the npm package was removed. The attacker treated the AI coding agent as part of the trusted execution environment, which it is. These tools read your repo, run shell commands, and have access to the same secrets a developer does. Securing a development environment now means thinking about the agents, not just the packages.”

CI/CD Trust-Chain Audit Grid

Six gaps Mini Shai-Hulud exploited. What your CI/CD does today. The control that closes each one.

Grid columns: Audit question | What your CI/CD does today | The gap

1. Audit question: Pin OIDC trusted publishing to a specific workflow file on a specific protected branch. Constrain id-token: write to only the publish job. Ensure that job runs from a clean workspace with no restored untrusted cache.

What your CI/CD does today: Most orgs grant OIDC trust at the repository level. Any workflow run in the repo can request a publish token. id-token: write is often set at the workflow level, not scoped to the publish job.

The gap: The worm achieved code execution inside the legitimate release workflow via cache poisoning, then extracted the OIDC token from runner process memory. Branch/workflow pinning alone would not have stopped this attack because the malicious code was already running inside the pinned workflow. The complete fix requires pinning PLUS constraining id-token: write to only the publish job PLUS ensuring that job uses a clean, unshared cache.

2. Audit question: Treat SLSA provenance as necessary but not sufficient. Add behavioral analysis at install time.

What your CI/CD does today: Teams treat a valid Sigstore provenance badge as proof a package is safe. npm audit signatures passes. The badge is green. Procurement and compliance workflows accept provenance as a gate.

The gap: All 84 malicious TanStack versions carry valid SLSA Build Level 3 provenance attestations. First widely reported npm worm with validly-attested packages. Provenance attests where a package was built, not whether the build was authorized. Socket's AI scanner flagged all 84 artifacts within six minutes of publication. Provenance flagged zero.

3. Audit question: Isolate GitHub Actions cache per trust boundary. Invalidate caches after suspicious PRs. Never attempt to execute fork code in pull_request_target workflows.

What your CI/CD does today: Fork-triggered workflows and release workflows share the same cache namespace. Closing or reverting a malicious PR is treated as restoring clean state. pull_request_target is widely used for benchmarking and bundle-size analysis with fork PR checkout.

The gap: The attacker poisoned the pnpm store via a fork-triggered pull_request_target workflow that checked out and executed fork code on the base runner. The cache survived PR closure. The next legitimate release workflow restored the poisoned cache on merge. actions/cache@v5 uses a runner-internal token for cache saves, not the workflow's GITHUB_TOKEN, so permissions: contents: read does not prevent mutation. Kennedy: ‘Branch protection rules don't apply to commits that aren't on any branch, so that whole layer of hardening didn't help.’
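A line-oriented pre-check for gaps 1 and 3, added here as an example and not taken from the article or any of the cited vendors. It flags workflow-level id-token: write, pull_request_target runs that check out the PR head, and cache restores in a token-minting workflow; the two workflow fixtures are constructed, and the checks are grep/awk heuristics rather than a YAML parser.

```shell
#!/bin/sh
# Added example (not the article's or any cited vendor's code): a line-oriented
# pre-check for gaps 1 and 3 in GitHub Actions workflows. Fixtures are constructed.
set -u
audit_workflow() {
  # $1 = workflow file; prints one finding per line (heuristic, not a YAML parser)
  f="$1"
  # Gap 1: id-token: write in the top-level permissions block (before "jobs:")
  # lets every job in the workflow, not just publish, mint an OIDC token.
  if awk '/^jobs:/ {injobs=1}
          !injobs && inperm && /^[^ ]/ {inperm=0}
          !injobs && /^permissions:/ {inperm=1}
          !injobs && inperm && /id-token:[ ]*write/ {found=1}
          END {exit !found}' "$f"; then
    echo "$f: id-token: write at workflow level; scope it to the publish job only"
  fi
  # Gap 3: pull_request_target runs with base-repo secrets; checking out the PR
  # head ref executes the fork's code on that trusted runner.
  if grep -q pull_request_target "$f" && grep -q 'github\.event\.pull_request\.head' "$f"; then
    echo "$f: pull_request_target checks out fork code; never build fork code here"
  fi
  # Gap 1, second half: a token-minting workflow must not restore a cache that
  # a fork-triggered run could have poisoned.
  if grep -qE 'uses: *actions/cache@' "$f" && grep -qE 'id-token:[ ]*write' "$f"; then
    echo "$f: restores a cache in a token-minting workflow; publish from a clean workspace"
  fi
}
finding_count() { audit_workflow "$1" | wc -l | tr -d ' '; }
TMP=$(mktemp -d)
cat > "$TMP/weak.yml" <<'EOF'   # constructed: all three gaps in one workflow
on: [pull_request_target]
permissions: { contents: read, id-token: write }
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { ref: ${{ github.event.pull_request.head.sha }} }
      - uses: actions/cache@v4
EOF
cat > "$TMP/fixed.yml" <<'EOF'  # constructed: token scoped to publish, no fork code, no cache
on: { push: { branches: [main] } }
permissions: { contents: read }
jobs:
  publish:
    permissions: { id-token: write }
    runs-on: ubuntu-latest
    steps: [ { uses: actions/checkout@v4 } ]
EOF
audit_workflow "$TMP/weak.yml"   # three findings; fixed.yml yields none
```

Run it as `for f in .github/workflows/*.yml; do audit_workflow "$f"; done` to triage a repo; a clean result only means these three patterns are absent, not that the pipeline is pinned to a protected branch.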

4. Audit question: Audit optionalDependencies in lockfiles and dependency graphs. Block github: refs pointing to non-release commits.

What your CI/CD does today: Static analysis and lockfile enforcement cover dependencies and devDependencies. optionalDependencies with github: commit refs are not flagged by most tools.

The gap: The worm injected optionalDependencies pointing to a github: orphan commit in the attacker's fork. When npm resolves a github: dependency, it clones the referenced commit and runs lifecycle hooks (including prepare) automatically. The payload executed before the main package's own install step completed. SafeDep confirmed Mistral never released v2.4.6; no commits landed and no tag exists.

5. Audit question: Audit Python dependency imports separately from npm controls. Cover AI/ML pipelines consuming guardrails-ai, mistralai, or any compromised PyPI package.

What your CI/CD does today: npm mitigations (lockfile enforcement, --ignore-scripts) are applied to the JavaScript stack. Python packages are assumed safe if pip install completes. AI/ML CI pipelines are treated as internal testing infrastructure, not as supply-chain attack targets.

The gap: Microsoft Threat Intelligence confirmed mistralai PyPI v2.4.6 executes on import, not install. Injected code in __init__.py downloads a payload disguised as Hugging Face Transformers. --ignore-scripts is irrelevant for Python import-time execution. guardrails-ai@0.10.1 also executes on import. Any agentic repo with GitHub Actions id-token: write is exposed to the same OIDC extraction technique. LLM API keys, vector DB credentials, and external service tokens are all in the blast radius.

6. Audit question: Isolate and image affected machines before revoking stolen tokens. Do not revoke npm tokens until the host is forensically preserved.

What your CI/CD does today: Standard incident response: revoke compromised tokens first, then investigate. npm token list and immediate revocation is the instinctive first step.

The gap: The worm installs a persistent daemon (macOS LaunchAgent / Linux systemd) that polls GitHub every 60 seconds. On detecting token revocation (40X error), it triggers rm -rf ~/, wiping the home directory. The npm token description reads: ‘IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.’ Microsoft reported geofenced destructive behavior: a 1-in-6 chance of rm -rf / on systems appearing to be in Israel or Iran. Kennedy: ‘Even after the package is gone, the payload could be sitting in .claude/ with a SessionStart hook pointing at it. rm -rf node_modules doesn't remove it.’

Sources: TanStack postmortem, StepSecurity, Socket, Snyk, Wiz, Microsoft Threat Intelligence, Mend, Endor Labs. May 12, 2026.

Security director action plan

  • Immediately: “The fastest check is find . -name 'router_init.js' -size +1M and grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json,” Kennedy said. If either returns a hit, isolate and image the machine immediately. Do not revoke tokens until the host is forensically preserved. The worm's destructive daemon triggers on revocation. Once the machine is isolated, rotate credentials in this order: npm tokens first, then GitHub PATs, then cloud keys. Hunt for .claude/settings.json and .vscode/tasks.json persistence artifacts across every project that was open on the affected machine.

  • This week: Rotate every credential accessible from affected hosts: npm tokens, GitHub PATs, AWS keys, Vault tokens, K8s service accounts, SSH keys. Check your packages for unexpected versions after May 11 with commits by claude@users.noreply.github.com. Block filev2.getsession[.]org and git-tanstack[.]com.

  • This month: Audit every GitHub Actions workflow against the six gaps above. Pin OIDC publishing to specific workflows on protected branches. Isolate cache keys per trust boundary. Set npm config set min-release-age=7d. For AI/ML teams: check guardrails-ai and mistralai against compromised versions, audit CI pipelines for id-token: write exposure, and rotate every LLM API key and vector DB credential accessible from CI.

  • This quarter (board-level): Fund behavioral analysis at the package registry layer. Provenance verification alone is not a sufficient procurement criterion for supply-chain security tooling. Require CI/CD security audits as part of vendor risk assessments for any tool with publish access to your registries. Establish a policy that no workflow with id-token: write runs from a shared cache. Treat AI coding agent configurations (.claude/, .kiro/, .vscode/) as credential stores subject to the same access controls as cloud key vaults.
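A read-only hunt script covering grid items 4 and 6 and the “Immediately” step above, added here as an example and not taken from the article or any of the cited vendors. It reports the oversized router_init.js, the lockfile hash, commit-pinned github: refs in package.json, the .claude/ and .vscode/ persistence files, and recently written user-level daemon units; the fixture tree is constructed, and the JSON key layout inside the hook and task files is assumed.

```shell
#!/bin/sh
# Added example (not the article's or any cited vendor's code): a read-only hunt over
# a directory tree for the indicators named above. It only reports; isolate and image
# the host before revoking anything. The fixture tree at the bottom is constructed.
set -u
hunt_tree() {
  # $1 = directory to scan (a project tree, or $HOME to cover user-level daemons too)
  root="$1"
  # Dropper: the article's quick check for a router_init.js larger than 1 MB
  find "$root" -name 'router_init.js' -size +1M 2>/dev/null | sed 's/^/dropper: /'
  # Lockfiles carrying the commit hash the article says to grep for
  grep -rl --include=package-lock.json '79ac49eedf774dd4b0cfa308722bc463cfe5885c' \
    "$root" 2>/dev/null | sed 's/^/lockfile-ioc: /'
  # Gap 4: github: refs pinned to a raw 40-hex commit instead of a release tag
  grep -rlE --include=package.json '"github:[^"]+#[0-9a-f]{40}"' "$root" 2>/dev/null \
    | sed 's/^/github-commit-ref: /'
  # Gap 6: Claude Code SessionStart hook and VS Code folderOpen task persistence
  grep -rl --include=settings.json SessionStart "$root" 2>/dev/null \
    | grep '/\.claude/' | sed 's/^/claude-hook: /'
  grep -rl --include=tasks.json folderOpen "$root" 2>/dev/null \
    | grep '/\.vscode/' | sed 's/^/vscode-task: /'
  # Gap 6: user-level daemon units written since the first malicious publish (May 11, 2026)
  find "$root/Library/LaunchAgents" "$root/.config/systemd/user" -type f \
    -newermt '2026-05-11' 2>/dev/null | sed 's/^/recent-unit: /'
}
hunt_count() { hunt_tree "$1" | wc -l | tr -d ' '; }
# Constructed fixture: one project showing every indicator except a daemon unit
TMP=$(mktemp -d)
mkdir -p "$TMP/app/node_modules/x" "$TMP/app/.claude" "$TMP/app/.vscode" "$TMP/clean"
dd if=/dev/zero of="$TMP/app/node_modules/x/router_init.js" bs=1k count=1100 2>/dev/null
printf '{"resolved":"git+ssh://git@github.com/zblgg/configuration.git#79ac49eedf774dd4b0cfa308722bc463cfe5885c"}\n' \
  > "$TMP/app/package-lock.json"
printf '{"optionalDependencies":{"cfg":"github:example-fork/repo#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}\n' \
  > "$TMP/app/package.json"
# Hook/task key layout below is assumed for the fixture; only the file names are from the article
printf '{"hooks":{"SessionStart":[{"command":"bun .claude/router_init.js"}]}}\n' \
  > "$TMP/app/.claude/settings.json"
printf '{"tasks":[{"label":"init","runOptions":{"runOn":"folderOpen"}}]}\n' \
  > "$TMP/app/.vscode/tasks.json"
hunt_tree "$TMP"   # five indicator lines for the fixture; $TMP/clean yields none
```

Any hit means image first and revoke later, per item 6; the script never deletes or modifies what it finds.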

The worm is iterating. Defenders must, as well

This is the fifth Shai-Hulud wave in eight months. Four SAP packages became 84 TanStack packages in two weeks. intercom-client@7.0.4 fell 29 hours later, confirming active propagation via stolen CI/CD infrastructure. Late on May 12, malware research collective vx-underground reported that the fully weaponized Shai-Hulud worm code has been open-sourced. If confirmed, this means the attack is no longer restricted to TeamPCP. Any threat actor can now deploy the same cache-poisoning, OIDC-extraction, and provenance-attested publishing chain against any npm or PyPI package with a misconfigured CI/CD pipeline.

“We've been tracking this campaign family since September 2025,” Kennedy said. “Each wave has picked a higher-download target and introduced a more technically interesting entry vector. The orphaned commit technique here is genuinely novel. Branch protection rules don't apply to commits that aren't on any branch. The supply chain security space has spent a lot of energy on provenance and trusted publishing over the last two years. This attack walked straight through both of those controls because the gap wasn't in the signing. It was in the scope.”

Provenance tells you where a package was built. It doesn't tell you whether the build was authorized. That's the gap this audit is designed to close.