Mini Shai-Hulud Worm Hits TanStack, Mistral AI in Supply Chain Attack

A sophisticated, self-propagating worm has compromised hundreds of npm and PyPI package versions, including widely used libraries from TanStack, Mistral AI, OpenSearch, and Guardrails AI. The attack, dubbed Mini Shai-Hulud, injects a credential-harvesting payload that autonomously publishes new infected versions of any package the stolen credentials can access. The campaign, now assigned CVE-2026-45321 (CVSS 9.6 Critical), has grown to 172 unique packages across 403 malicious versions on npm and PyPI. Security researchers at Aikido Security and Mend documented the second wave of the campaign on May 12, 2026, initially tracking 373 versions across 169 npm packages [1][7].

A Self-Propagating Worm Spreads Across npm

The campaign's scale is significant, targeting developer and enterprise AI tooling. Compromised namespaces include @tanstack with 83 npm entries (42 unique packages, 84 malicious versions), @squawk with 87, and the enterprise automation platform @uipath with 66 [3]. The popular @tanstack/react-router, with over 12 million weekly downloads, is among the affected packages. The official OpenSearch JavaScript client — with 1.3 million weekly downloads — was hit across four versions (3.5.3, 3.6.2, 3.7.0, 3.8.0). Guardrails AI's packages on PyPI were also compromised, extending the attack beyond npm for the first time in this campaign [7][8].

This follows a smaller first wave in April 2026 that targeted SAP-related packages with a similar mechanism [2].

The inclusion of multiple @mistralai packages on both npm and PyPI marks a direct compromise of the AI inference toolchain. The PyPI payload for mistralai==2.4.6 used a different technique: a cleartext backdoor appended to __init__.py that fetches a second-stage payload from a hardcoded IP address. This dual-registry approach elevates the incident from a standard software supply-chain attack to a critical AI security event spanning the entire AI development toolchain [7].

Attack Mechanics: The Lifecycle Script Trap

The attack chain begins with a malicious entry in an infected package's `package.json` file. The threat actor, tracked as TeamPCP, added an optional dependency pointing to a specific commit hash in an attacker-controlled GitHub repository. This dependency appears legitimate at first glance but is the entry point for the payload [4].

When the npm client attempts to install this optional dependency, it executes a `prepare` lifecycle script defined in the attacker's repository. This script uses the Bun runtime to execute a JavaScript payload named `tanstack_runner.js`. The script concludes with `exit 1`, which causes the optional dependency installation to fail. This failure masks the attack, as npm continues the installation process without reporting a critical error, while the payload has already executed [6].

The executed payload is a comprehensive credential harvester. It systematically searches the build environment for a wide range of secrets. These include GitHub personal access and Actions tokens, npm automation tokens, and short-lived GitHub Actions OIDC tokens. The script also queries for cloud credentials from AWS instance metadata endpoints, Kubernetes service account files, and HashiCorp Vault tokens. All discovered secrets and environment variables are exfiltrated to an attacker-controlled server [1].

With harvested credentials in hand, the worm enters its propagation phase. If a stolen npm token has publish permissions, the payload autonomously injects itself into every package the token can modify. It programmatically bumps the package's patch version, bundles the malicious `optionalDependencies` entry, and publishes the new, infected version to the npm registry. This automated cycle allows the worm to spread without further direct intervention from the attacker [5].

How the Worm Bypassed SLSA Provenance

This attack is the first documented npm worm to produce packages that carry valid SLSA Build Level 3 provenance attestations. SLSA BL3 is the highest level of software supply-chain integrity widely used in the npm ecosystem. It is designed to provide strong guarantees that a package was built from a specific source repository by a trusted build platform, such as GitHub Actions [1].

The worm bypasses this control by operating inside the trusted boundary that provenance validates. GitHub Actions' OIDC-based trusted publishing correctly attests that the package was built in the legitimate repository's workflow. However, the attestation does not and cannot verify the safety of the code that ran *during* the build. The Mini Shai-Hulud payload executes within the compromised workflow, steals an OIDC token, and publishes a malicious package that is then correctly signed with valid provenance.

"Provenance can tell you where the package was built. It does not prove the build was safe."

Aikido Security Analysis [1]

This case highlights a critical limitation of artifact provenance. It is an effective control against attacks where an adversary tries to publish a package from an unauthorized location. It offers no protection against attacks that compromise the build process itself, such as lifecycle script injection or in-workflow credential theft.

Root Cause Confirmed: A Three-Stage GitHub Actions Attack

TanStack's postmortem reveals the attacker chained three known vulnerability classes to hijack their trusted publishing pipeline without ever stealing a long-lived secret [9].

Stage 1 — Pwn Request via pull_request_target. The attacker opened a pull request targeting a workflow that used the pull_request_target trigger with write permissions granted to fork PRs. This misconfiguration allows code from the fork to execute in the context of the base repository's workflow, with access to repository secrets.

Stage 2 — GitHub Actions cache poisoning. The attacker poisoned the shared GitHub Actions pnpm cache (a 1.1 GB malicious store entry) across the fork–base trust boundary. When the legitimate CI workflow restored the cache on a subsequent run, it executed attacker-controlled build tooling.

Stage 3 — OIDC token extraction from runner memory. With code executing inside the legitimate workflow, the payload scanned runner process memory via /proc/<pid>/mem to extract the short-lived GitHub Actions OIDC token. Critically, the scraper deliberately skipped tokens named GITHUB_TOKEN — likely to avoid triggering GitHub's own secret-scanning on exfiltrated data. With a valid OIDC token in hand, the attacker minted a publish credential and released malicious packages as TanStack's own pipeline, producing packages with legitimate SLSA provenance attestations [9].

The exfiltrated credentials were transmitted via Session/Oxen messenger's end-to-end encrypted file upload network, routed through seed nodes — a dead-drop architecture that bypasses traditional C2 detection and domain-blocking controls [7].

An AI Supply-Chain Security Event

The compromise of @mistralai packages transforms this incident into a direct threat against AI development infrastructure. In modern MLOps, CI/CD pipelines are the assembly lines for building, testing, and deploying AI-powered applications. These pipelines frequently handle sensitive credentials, including API keys for AI models.

A CI pipeline that installed an infected @mistralai package during the compromise window may have exposed the organization to multiple threats. First, the pipeline's own Mistral AI API key was likely exfiltrated if stored as an environment variable. Second, stolen GitHub Actions OIDC tokens could grant the attacker permissions to modify repository code or workflows. Third, if the pipeline possessed npm publish rights, it would have been used to propagate the worm to the organization's own packages.

Detection and Endpoint Defense

Traditional signature-based defenses are ineffective against this attack, as the payload's individual actions appear legitimate. However, the attack generates a distinct sequence of behaviors that can be detected. Helixar's agentic defense model provides coverage at two independent layers: endpoint behavior and API credential surveillance.

At the endpoint, Helixar's behavioral engine identifies the anomalous sequence of operations. An npm lifecycle process suddenly reading from `~/.npmrc`, AWS credential paths, and Kubernetes service account files triggers a credential sweep signature (TC7-SIG). This activity, followed by an outbound connection to an unknown domain, is flagged as suspicious exfiltration. A process invoking the npm publish endpoint from a context outside a declared release job is a clear scope violation, indicating excessive agency.

The second layer, BearTrap API credential surveillance, provides a failsafe. If a stolen Mistral AI API key is used by the attacker, BearTrap detects that the credential is being replayed from a new network origin with an unrecognized client fingerprint. While this detects misuse after the initial theft, it provides a critical backstop to contain the damage from a compromised key, independent of endpoint visibility.

Developer Workstation Persistence: npm Uninstall Is Not Enough

A critical development distinguishes Mini Shai-Hulud from prior supply-chain attacks: the payload extends its reach from CI pipelines to developer workstations through a persistence layer that survives npm uninstall. When the malicious lifecycle script runs on a developer's machine rather than a CI runner, it writes copies of its loader into two widely-used AI developer tool directories [8][10].

For Claude Code users, the payload writes to ~/.claude/setup.mjs and ~/.claude/router_runtime.js, then registers itself as a hook in Claude Code's settings.json. This causes the malicious script to re-execute on every Claude Code tool event — including across sessions and after the infected package is removed. VS Code users face the same threat via .vscode/setup.mjs and a malicious entry in .vscode/tasks.json, which re-runs the loader on workspace open [8].

Audit all developer machines that installed any affected package during the compromise window. Remove router_runtime.js, setup.mjs, and any unfamiliar entries in ~/.claude/settings.json hooks or .vscode/tasks.json. Check ~/.local/bin/ for unexpected executables and review both systemd user services (Linux) and LaunchAgents (macOS) for entries referencing gh-token-monitor [8].

Immediate Response Playbook

Security teams managing JavaScript or AI development pipelines must act now. First, search all project lockfiles and build caches for the malicious files router_init.js and tanstack_runner.js (SHA-256 hashes: ab4fcad… and 2ec78d5… respectively — full hashes in Aikido Security's analysis [1]). Treat any package version from the affected namespaces published between April and May 2026 as compromised until proven otherwise.

The next step is immediate and broad credential rotation — but only after disabling the dead-man's switch as described above. Rotate npm tokens, GitHub PATs, cloud keys, Kubernetes tokens, and any model API keys exposed in CI environment variables. For affected CI runners, GitHub Actions caches must be purged; TanStack's postmortem documents the cache-poisoning vector in detail [9]. Finally, audit your organization's npm package publication history for unexpected patch version bumps that do not correspond to a legitimate commit or release process.

Structural Mitigations for Agentic Threats

To prevent recurrence, organizations must adopt stricter dependency management. Pin optional dependencies with exact SHAs in lockfiles, treating them with the same scrutiny as direct dependencies. In CI environments, disable lifecycle script execution for third-party packages using `npm config set ignore-scripts true`, running scripts only for your own project explicitly.

The Mini Shai-Hulud campaign demonstrates that the software supply chain and the AI supply chain are now a single, interconnected attack surface. The worm's success proves that artifact provenance is a necessary but insufficient control. Defenders must move beyond checking what a package is and where it came from. They must govern what it does at runtime. Behavioral analysis at the endpoint is the essential control for mitigating threats that operate within the trusted boundaries of a modern development pipeline.