How a Single Pull Request Led to the Largest npm Worm Attack of 2026: Exploring Mini Shai-Hulud


A software supply chain attack occurs when a malicious actor infiltrates the tools, libraries, or build pipelines that developers depend on, injecting harmful code into otherwise trusted packages before they reach end users. These attacks are particularly dangerous because they exploit the implicit trust developers place in open-source ecosystems like npm and PyPI. The “Mini Shai-Hulud” worm, named after the sandworms of Frank Herbert’s Dune universe, represents a new and alarming escalation in this category of threat. Unlike traditional attacks that compromise a single package, this worm is self-propagating, meaning it can spread autonomously from one compromised package to dozens of others without any additional intervention from the attacker.

In this article, we’ll discuss the Mini Shai-Hulud campaign that struck the npm and PyPI ecosystems on May 11, 2026, how it compromised high-profile packages from TanStack, Mistral AI, Guardrails AI, UiPath, and OpenSearch, and what makes this attack a landmark moment in software supply chain security. We’ll break down the technical chain of exploits used, examine the unprecedented abuse of trusted build provenance systems, and explore what developers and organizations should do to protect themselves going forward.


TL;DR Snapshot

On May 11, 2026, a threat group known as TeamPCP launched the latest wave of their Mini Shai-Hulud campaign, compromising 172 unique packages across 403 malicious versions on npm and PyPI over a 48-hour window. The attack targeted the TanStack router ecosystem, which includes one of the most widely used routing libraries in the React ecosystem with approximately 12 million weekly downloads, and then spread autonomously to packages maintained by Mistral AI, Guardrails AI, UiPath, OpenSearch, and others. The worm used a sophisticated chain of GitHub Actions exploits to hijack legitimate build pipelines, publish malicious package versions, and steal credentials from every environment that installed the tainted code.

Key takeaways include…

  • The Mini Shai-Hulud worm is the first documented npm worm capable of producing packages with valid SLSA Build Level 3 provenance attestations, which means the malicious versions appeared cryptographically verified as legitimate to automated security scanners.
  • The attack compromised 42 TanStack packages and spread to over 130 additional packages across multiple ecosystems by stealing CI/CD tokens and using them to automatically infect other repositories the victims maintained.
  • The malware contained a comprehensive credential stealer targeting AWS, GCP, Kubernetes, GitHub, npm, SSH keys, cryptocurrency wallets, and AI tools, with exfiltration routed through the decentralized Session messaging network to evade detection.

Who should read this: Software developers, DevOps engineers, security professionals, open-source maintainers, and technology leaders responsible for software supply chain integrity.


How the Attack Worked: A Three-Stage Chain of Exploits

The Mini Shai-Hulud campaign didn’t rely on a single vulnerability. Instead, it chained together three distinct exploits in GitHub Actions to compromise TanStack’s legitimate publishing pipeline from the outside, without ever stealing an npm token.

According to TanStack’s official postmortem, the attack began on May 10 when the attacker created a fork of the TanStack/router repository under the GitHub account “zblgg,” deliberately renaming the fork to “configuration” to avoid appearing in fork-list searches. The next day, the attacker opened a pull request titled “WIP: simplify history build” against the main TanStack/router repository.

The first exploit leveraged the pull_request_target trigger in GitHub Actions, sometimes called a “Pwn Request.” Unlike the standard pull_request trigger, pull_request_target runs in the context of the base repository rather than the fork, which means it has access to the base repository’s secrets, caches, and permissions. As StepSecurity’s analysis detailed, the attacker used this to execute malicious code during automated benchmark workflows that ran without requiring first-time contributor approval.

The second exploit was GitHub Actions cache poisoning. During the pull request workflow run, the attacker’s code wrote a poisoned pnpm store into the GitHub Actions cache, keyed to match exactly what TanStack’s legitimate release workflow would look up on the next push to the main branch. After poisoning the cache, the attacker force-pushed the PR back to a clean state, making it appear like a harmless zero-file change, and then closed and deleted the branch. The poisoned cache, however, remained.

The third and final exploit occurred hours later when a TanStack maintainer merged a legitimate pull request. This triggered the release workflow, which restored the poisoned cache. The attacker’s code then extracted an OIDC (OpenID Connect) token directly from the GitHub Actions runner’s process memory, bypassing traditional authentication entirely. As Snyk noted, these tokens were then used to mint valid SLSA Build Level 3 provenance attestations, making the malicious packages cryptographically indistinguishable from legitimate ones.
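The three-stage chain above starts with a workflow that runs under pull_request_target and checks out the fork's code while holding base-repository permissions and cache write access. The following added example (not TanStack's code or any vendor's rule) is a line-based heuristic audit for that shape: it flags a workflow that uses pull_request_target and checks out the PR head, and separately flags cache writes from such a job, since the release workflow on main will restore whatever key they populate. Both workflow texts are constructed for the demonstration.

```python
import re

# Constructed sample workflow in the risky shape described above: pull_request_target
# (base-repo secrets and cache access) checks out and runs the fork's code.
VULNERABLE_WORKFLOW = """\
name: benchmark
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.pnpm-store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm bench
"""

# Hardened form: a plain pull_request trigger runs in the fork's context without
# base-repository secrets, so the same steps no longer expose the release pipeline.
HARDENED_WORKFLOW = VULNERABLE_WORKFLOW.replace("pull_request_target:", "pull_request:")

# Heuristic patterns; a real linter would parse the YAML rather than scan lines.
PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
CACHE_STEP = re.compile(r"actions/cache@|^\s*cache\s*:", re.M)


def audit_workflow(text):
    """Return a list of finding strings for one workflow file's text."""
    findings = []
    if not PRT_TRIGGER.search(text):
        return findings  # nothing to report without the privileged trigger
    if HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target checks out untrusted PR head (Pwn Request)")
    if CACHE_STEP.search(text):
        findings.append("pull_request_target job writes to the Actions cache shared with main")
    return findings
```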

The Worm That Spreads Itself

What truly sets Mini Shai-Hulud apart from previous supply chain attacks is its self-propagating nature. Previous waves of the campaign targeted SAP CAP packages and the Bitwarden CLI, but this latest wave demonstrated an ability to spread exponentially across the npm ecosystem.

Illustration of a trusted software package node connected to other package nodes, with red jagged paths spreading from the center to compromised packages to symbolize a self-propagating software supply chain attack.

Once the worm gained a foothold in a developer’s machine or CI/CD runner, it didn’t simply exfiltrate credentials and stop. According to Socket’s threat research, the malware actively harvested GitHub and npm tokens, then used those tokens to map out every other package the victim had maintainer permissions for. It would then automatically inject its payload into those packages, increment the version number, and republish them to npm. This is how the compromise jumped from TanStack’s 42 packages to over 170 packages spanning UiPath’s enterprise automation tools, Mistral AI’s official TypeScript and Python clients, OpenSearch packages, and smaller ecosystem packages.

The malware was bundled as a roughly 2.3 MB obfuscated file called router_init.js (or sometimes router_runtime.js), and it targeted an extraordinarily broad range of credentials. Wiz’s analysis confirmed the stealer targeted AWS IMDS and Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, npm configurations, GitHub tokens, SSH private keys, cryptocurrency wallets, and AI development tools. The stolen data was exfiltrated through the Session/Oxen decentralized messaging network, a privacy-focused service whose domains are unlikely to be blocked in enterprise environments.

The worm also established persistence mechanisms that would survive system reboots. It installed hooks into Claude Code and VS Code configurations to re-execute the stealer on every IDE launch, and it deployed a gh-token-monitor service that polled GitHub every 60 seconds to check if stolen tokens were still valid. As Wiz documented, if the monitor detected that a token had been revoked, it would attempt a destructive rm -rf ~/ operation on the host machine, functioning as a dead man’s switch.

Geopolitical Fingerprints and Destructive Payloads

The Mini Shai-Hulud campaign carries several notable geopolitical markers that provide clues about its origin and intent. As The Hacker News reported, Microsoft’s analysis of the malicious mistralai PyPI package revealed country-aware logic designed to avoid Russian-language environments, a common characteristic of malware originating from Russian-speaking threat actors.

More alarming was the discovery of a geofenced destructive branch within the Mistral AI package. Microsoft’s security intelligence team found that the malware included a one-in-six chance of executing rm -rf /, a command that recursively deletes all files on the system, specifically when the targeted system appeared to be located in Israel or Iran. Upwind’s technical analysis confirmed these geographically targeted destructive capabilities, noting that the malware identified targets through timezone and locale fingerprinting.

The guardrails-ai Python package compromise was particularly insidious. As reported by The Hacker News citing Socket’s research, the malicious code in guardrails-ai@0.10.1 executed immediately on import, not during installation. This means that simply importing the package in a Python script would trigger the download and execution of a remote payload from git-tanstack.com, a typosquat domain designed to appear legitimate.

The threat group behind the campaign, TeamPCP, has publicly taken credit for the attacks. Snyk’s reporting notes that the group is also tracked under aliases including DeadCatx3, PCPcat, ShellForce, and CipherForce, and that Unit 42 has documented the group’s partnership with the Vect ransomware operation.

A Wake-Up Call for Supply Chain Security

The TanStack compromise has been assigned CVE-2026-45321 with a critical severity CVSS score of 9.6 out of 10.0. But the significance of this attack goes beyond a single CVE: it fundamentally challenges assumptions that the open-source security community has relied on for years.

Illustration of a cracked software package moving through a security scanner, with exposed red malicious code, a shield, broken gear, and rotating keys representing compromised build provenance and secret rotation.

SLSA (Supply-chain Levels for Software Artifacts) provenance attestations were designed to be a gold standard for verifying that a package was built from trusted source code through a trusted build process. As The CyberSec Guru noted, this is the first attack to produce malicious packages with valid SLSA Build Level 3 provenance, effectively demonstrating that “signed” and “attested” packages are not inherently safe if the build pipeline itself has been compromised. The provenance was technically accurate: the package was built by the official TanStack repository on a legitimate GitHub runner. What SLSA couldn’t verify was whether the code being built was safe.

For organizations that installed any affected package versions on or after May 11, 2026, the recommended response is to treat the install environment as fully compromised. This means rotating all secrets accessible from that host, including npm tokens, GitHub tokens, AWS and GCP credentials, SSH keys, and Kubernetes service-account tokens. TanStack’s postmortem confirmed that all 84 malicious versions have been deprecated and that npm security has been engaged to pull the tainted tarballs from the registry. Importantly, TanStack also confirmed that the @tanstack/query, @tanstack/table, @tanstack/form, @tanstack/virtual, and @tanstack/store package families were not affected.

Multiple security vendors, including Semgrep, Snyk, and Socket, have published detection rules and advisories. Community-maintained detection scripts are also available on GitHub. Organizations should block the command-and-control domains git-tanstack.com and *.getsession.org at the DNS or proxy level, audit lockfiles for any references to the compromised versions, and review CI/CD pipeline configurations for pull_request_target triggers that may expose similar attack surfaces.
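As an added illustration of the audit step above (not one of the vendor or community scripts mentioned), the following scanner walks an installed dependency tree and reports files that match the dropper names given earlier (router_init.js, router_runtime.js) or that reference the git-tanstack.com and getsession.org domains. The sample tree it builds is constructed and contains no real package contents.

```python
import os
import tempfile

# Indicators named in the article: dropper file names and the domains used for
# payload download and Session-based exfiltration.
DROPPER_NAMES = {"router_init.js", "router_runtime.js"}
C2_DOMAINS = ("git-tanstack.com", "getsession.org")
SCAN_SUFFIXES = (".js", ".cjs", ".mjs", ".json", ".py")


def scan_install_tree(root):
    """Walk an installed dependency tree; return sorted (relative_path, reason) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in DROPPER_NAMES:
                hits.append((rel, "dropper file name"))
                continue
            if not name.endswith(SCAN_SUFFIXES):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            for domain in C2_DOMAINS:
                if domain in text:
                    hits.append((rel, f"references {domain}"))
                    break
    return sorted(hits)


def build_sample_tree():
    """Constructed node_modules layout (stand-in content only) for a dry run."""
    root = tempfile.mkdtemp()

    def write(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("node_modules/@example/router/package.json", '{"name": "@example/router"}')
    write("node_modules/@example/router/router_init.js", "// constructed stand-in, empty")
    write("node_modules/@example/hook/postinstall.js", "// constructed: https://git-tanstack.com/")
    write("node_modules/@example/clean/index.js", "module.exports = 1")
    return root
```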


Frequently Asked Questions

A supply chain attack is a type of cyberattack that targets the software development and distribution process rather than the end application directly. By compromising a trusted library, build tool, or package registry, attackers can inject malicious code into software that developers willingly install and deploy. This approach is especially effective because it exploits the trust relationships that exist throughout modern software ecosystems.

npm (Node Package Manager) is the world’s largest software registry, hosting over a million packages of reusable JavaScript code. Developers use npm to install, share, and manage dependencies in their projects. When a package on npm is compromised, every project that depends on it can be affected, which is why npm supply chain attacks can have such a wide blast radius.

PyPI (Python Package Index) is the official repository for Python software packages. Similar to npm for JavaScript, PyPI is where Python developers publish and download libraries. The Mini Shai-Hulud campaign compromised packages on both npm and PyPI, including the official Mistral AI and Guardrails AI Python packages.

TeamPCP is the threat group attributed with carrying out the Mini Shai-Hulud supply chain attack campaign. Also tracked under aliases DeadCatx3, PCPcat, ShellForce, and CipherForce, the group has been linked to previous attacks on SAP CAP packages, the Aqua Security Trivy scanner, and the Bitwarden CLI npm package. Security firm Unit 42 has documented the group’s partnership with the Vect ransomware operation.

TanStack is a collection of open-source JavaScript libraries widely used in modern web development. Its most popular tools include TanStack Query (for data fetching), TanStack Router (for type-safe routing), and TanStack Table (for building data tables). These libraries support React, Vue, Solid, and other JavaScript frameworks. TanStack Router, the primary target of this attack, has approximately 12 million weekly npm downloads.

GitHub Actions is a CI/CD (Continuous Integration/Continuous Deployment) platform built into GitHub that allows developers to automate build, test, and deployment workflows. The Mini Shai-Hulud attack exploited several features of GitHub Actions, including the pull_request_target trigger, the build cache system, and the OIDC token mechanism used for trusted publishing to npm.

SLSA (Supply-chain Levels for Software Artifacts, pronounced “salsa”) is a security framework created by Google that provides a set of standards for verifying the integrity of software artifacts. SLSA provenance is a cryptographic certificate, generated through the Sigstore infrastructure, that attests a package was built from a specific source repository using a verified build process. The Mini Shai-Hulud attack was the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance.

OIDC (OpenID Connect) is an authentication protocol that allows services to verify the identity of a user or system. In the context of GitHub Actions and npm, OIDC tokens are short-lived credentials that enable a GitHub Actions workflow to publish packages to npm without storing long-lived access tokens. The attackers in the Mini Shai-Hulud campaign extracted these tokens from the GitHub Actions runner’s process memory to publish malicious packages.

Session is a decentralized, end-to-end encrypted messaging service built on the Oxen network. The Mini Shai-Hulud malware used Session’s file upload infrastructure as its primary data exfiltration channel. Because Session is a legitimate privacy-focused service, its domains are unlikely to be flagged by enterprise security tools, making it an effective method for evading network-based detection.

