Mini Shai-Hulud Worm: The Supply Chain Attack That Bypassed Provenance and OIDC Security
A sophisticated self-propagating worm, dubbed Mini Shai-Hulud, has compromised 172 npm and PyPI packages—including widely used tools from TanStack, Mistral AI, and Guardrails AI—by exploiting misconfigured GitHub OIDC tokens and SLSA provenance systems. The attack, attributed to the threat actor TeamPCP, demonstrates how modern supply chain security controls can be bypassed when fundamental trust boundaries are not properly enforced.
Why This Attack Matters
Unlike traditional typosquatting, the Mini Shai-Hulud campaign subverted trusted publishing mechanisms themselves. By poisoning GitHub Actions caches and leveraging stolen OIDC tokens, attackers published validly attested SLSA Level 3 packages—provenance badges that passed automated security checks but contained malicious payloads. The worm then self-replicated, compromising additional packages in an exponential infection cycle.
Most critically, the malware persisted beyond package removal, embedding itself in developer environments (including AI coding agents like Claude Code and VS Code) and CI/CD runners. It harvested credentials from 100+ file paths, including AWS keys, cryptocurrency wallets, and LLM API configurations—even from password managers like 1Password and Bitwarden.
How the Attack Worked: A Technical Breakdown
1. The Exploit Chain: From SAP to TanStack
The campaign began in April with targeted SAP-related packages and escalated to high-profile npm packages like @tanstack/react-router (12.7M weekly downloads) and @mistralai/mistralai. The kill chain involved:
- Cache Poisoning: Attackers forked legitimate repositories (e.g.,
zblgg/configurationfor TanStack/router) and triggeredpull_request_targetworkflows to execute malicious code on maintainers’ CI runners. - OIDC Token Theft: By reading
/proc/pid/mem, the worm extracted short-lived GitHub OIDC tokens from runner processes, bypassing 2FA and repository-level protections. - Provenance Attestation: All 84 malicious TanStack versions carried valid SLSA Level 3 provenance, tricking automated security tools into accepting them as trusted.
- Self-Replication: The worm mapped victims’ maintainer permissions, cloned their repositories, injected payloads, and republished under incremented versions—creating a force-multiplier effect.
2. The Payload: A Credential-Stealing Machine
The router_init.js payload (2.3MB, obfuscated) included:
- Credential Harvesting: Targeted 100+ file paths, including:
- AWS credentials (
~/.aws/credentials) - SSH private keys (
~/.ssh/id_rsa) - GitHub PATs (
~/.config/gh/hosts.yml) - Password manager databases (1Password, Bitwarden)
- AI agent configs (
~/.claude/settings.json,~/.kiro/mcp.json)
- AWS credentials (
- Persistence Mechanisms:
- Claude Code: Hooked
SessionStartconfig to re-execute on project open. - VS Code: Injected
tasks.jsonwithrunOn: "folderOpen". - System Daemons: macOS LaunchAgent/Linux systemd to survive reboots.
- GitHub Token Monitor: Re-exfiltrated tokens every 60 seconds.
- Claude Code: Hooked
- Destructive Fallback: If tokens were revoked, the worm triggered
rm -rf ~/, wiping the home directory. A geofenced variant targeted systems in Israel/Iran.
3. Cross-Platform Expansion: npm to PyPI
Within 48 hours, the campaign expanded to 403 malicious versions across 172 packages, including:
- npm: TanStack, Mistral AI, OpenSearch, Guardrails AI, UiPath, Squawk aviation packages.
- PyPI:
mistralai==2.4.6(quarantined) executed on import, not install—bypassing npm mitigations like--ignore-scripts.
Cumulative downloads affected: 518 million (OX Security).
Full List of Compromised Packages
Security researchers have identified 373 malicious package versions across the following categories:
| Package Scope | Example Packages | Download Volume |
|---|---|---|
@tanstack/* |
@tanstack/react-router, @tanstack/vue-router |
12.7M weekly |
@mistralai/* |
@mistralai/mistralai, @mistralai/sdk |
High (AI/ML pipelines) |
@guardrails-ai/* |
@guardrails-ai/guard |
Enterprise adoption |
@uipath/* |
65 UiPath automation packages | RPA ecosystems |
@opensearch-project/* |
OpenSearch infrastructure tools | Cloud deployments |
@squawk/* |
20 aviation data packages | Niche but critical |
Note: The worm exploited optionalDependencies in lockfiles, using github: references to orphaned commits—bypassing static analysis tools.
Six Critical CI/CD Gaps Exploited
The attack revealed systemic vulnerabilities in modern supply chain security. Here’s how defenders can close them:
| Gap | Current Practice | Required Fix |
|---|---|---|
| OIDC Scope Misconfiguration | id-token:write granted at repository level. | Pin OIDC tokens to specific workflow files on protected branches. |
| Provenance Over-Reliance | SLSA badges treated as “safe by default.” | Add behavioral analysis at install time (e.g., Socket’s AI scanner). |
| Shared GitHub Actions Cache | Fork-triggered workflows and release workflows share cache. | Isolate caches per trust boundary; invalidate after suspicious PRs. |
| OptionalDependencies Blind Spot | Static analysis ignores optionalDependencies with github: refs. |
Audit github: references for non-release commits. |
| Python Import-Time Execution | npm mitigations (e.g., –ignore-scripts) don’t cover Python. | Audit AI/ML pipelines for import-time execution risks. |
| Token Revocation Order | Standard practice: revoke tokens before investigation. | Isolate machines before revoking tokens to prevent rm -rf triggers. |
“Provenance tells you where a package was built. It does not tell you whether the build was authorized. That’s the gap this attack exploited.”
Immediate and Long-Term Remediation Steps
Today: Detect and Isolate
- Scan for malware: Run:
find . -name 'router_init.js' -size +1M grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json
- Block exfiltration domains:
filev2.getsession[.]orgapi.masscan[.]cloudgit-tanstack[.]com
- Do NOT revoke tokens until the host is forensically imaged.
This Week: Rotate and Audit
- Rotate all credentials accessible from affected hosts (npm tokens → GitHub PATs → cloud keys).
- Check for
claude@users.noreply.github.comcommits after May 11. - Audit
.claude/and.vscode/directories for persistence artifacts.
This Month: Harden CI/CD
- Pin OIDC publishing to specific workflows on protected branches.
- Set
npm config set min-release-age=7dto block rapid version bumps. - For AI/ML teams: Rotate LLM API keys and vector DB credentials.
Quarterly: Organizational Policy Overhaul
- Require behavioral analysis at package registry layer (provenance alone is insufficient).
- Treat AI agent configs (
.claude/,.kiro/) as credential stores with access controls. - Audit vendors with publish access for CI/CD security gaps.
The Broader Implications
This is the fifth Shai-Hulud wave in eight months, with each iteration targeting higher-download packages and introducing novel techniques. The recent open-sourcing of the worm’s code (reported by vx-underground) suggests this attack vector is now accessible to any threat actor.
Key takeaways for the industry:
- AI Agents Are Trusted Execution Environments: Tools like Claude Code and VS Code have access to the same secrets as developers. Securing them requires treating their configs as credential stores.
- Provenance ≠ Authorization: SLSA badges prove where a package was built, not who authorized it. Behavioral analysis must complement attestations.
- OIDC Scope Is the New Perimeter: Repository-level OIDC trust is insufficient. Workflow-level constraints are now essential.
- Python and AI Pipelines Are Blind Spots: npm mitigations don’t cover import-time execution in Python or LLM workflows.
The Mini Shai-Hulud worm is a wake-up call: supply chain security must evolve beyond static controls to dynamic, behavioral verification. As Kennedy notes, “the gap wasn’t in the signing—it was in the scope.” Defenders must now ask: Who has access to my OIDC tokens, and how are they being used?
FAQ: Mini Shai-Hulud Worm
1. Is my organization affected?
If your development environment or CI/CD pipeline installed or imported any of the 172 compromised packages between May 11–12, 2026, assume compromise. Run the detection commands above.
2. Does uninstalling the package remove the malware?
No. The worm persists in .claude/, .vscode/, and system daemons. Manual removal is required.
3. What should I do if I find the malware?
- Isolate the machine.
- Image the disk for forensics.
- Rotate credentials in this order: npm tokens → GitHub PATs → cloud keys.
- Block exfiltration domains.
4. Are there any safe packages?
All packages published between May 11–12, 2026, should be treated as potentially compromised unless verified by the maintainer. Check npm advisories for updates.
5. How can I prevent future attacks?
- Pin OIDC tokens to specific workflows on protected branches.
- Isolate GitHub Actions caches per trust boundary.
- Audit
optionalDependenciesforgithub:references. - Monitor Python import-time execution in CI pipelines.
- Treat AI agent configs as credential stores.
Next Steps for Security Teams
This attack demonstrates that supply chain security is only as strong as its weakest trust boundary. To mitigate risk:
- Audit your CI/CD pipelines against the six gaps outlined above.
- Rotate all credentials from affected hosts—especially those used in AI/ML workflows.
- Invest in behavioral analysis for package verification beyond provenance.
- Treat AI agents as part of your attack surface—their configs store high-value credentials.
For a full technical deep dive, review the TanStack postmortem and Endor Labs’ analysis.