Mini Shai-Hulud: TeamPCP’s Self-Propagating npm Worm Hits TanStack, OpenSearch, and Mistral AI Across 170 Packages

Between May 10 and May 12, 2026, TeamPCP — the group behind the Trivy, Checkmarx, and LiteLLM supply chain compromises — ran a self-propagating worm campaign across the npm and PyPI ecosystems. They named it Mini Shai-Hulud. The entry point was an orphaned commit in a TanStack CI workflow that still had OIDC trust federation configured with npm. No phished maintainer. No stored secret. The attacker extracted an OIDC token from the runner process and exchanged it for authenticated publish access to the entire TanStack namespace.

From there, the worm drove its own expansion: every infected CI run became a new publisher. Each compromised package version carried a preinstall hook that downloaded the Bun JavaScript runtime as a living-off-the-land binary, then launched a 2.3 MB obfuscated payload (router_init.js) that swept CI secrets, cloud credentials, Kubernetes tokens, and Vault secrets. On runners with active OIDC federation, the worm minted fresh npm tokens and republished infected versions under stolen maintainer identities — with valid Sigstore provenance attestations attached. By the time npm quarantine started, 170 packages across 19 namespaces were gone, including the AWS-maintained OpenSearch JavaScript client at 1.3 million weekly downloads and the official Mistral AI SDK family on both npm and PyPI.

Exfiltration ran through the Session P2P messaging network, not HTTP C2. The traffic is encrypted IM protocol — indistinguishable from legitimate messaging at the network layer. Persistence landed in Claude Code hook directories (.claude/) and VS Code task runners (.vscode/tasks.json). npm uninstall does not remove those. The worm fires again on every developer tool invocation until you explicitly clean the hook files. No CVE has been assigned. Traditional CVE-based vulnerability management had no visibility into any of this.

TL;DR for Engineering Teams – TeamPCP – Mini Shai Hulud

What it is: Self-propagating npm worm (Mini Shai-Hulud) attributed to TeamPCP. Entry via OIDC token extraction from a TanStack CI workflow orphaned commit. Worm republishes infected versions autonomously across maintainer namespaces using stolen OIDC federation tokens. Crosses into PyPI. No CVE assigned.

Phoenix Security Blue Malware Analysis – https://phxintel.security/malware.html 

Where it bites: Any environment that installed a compromised version from 170 npm packages across 19 namespaces, or PyPI mistralai==2.4.6 / guardrails-ai==0.10.1. The preinstall hook fires on npm install — the package does not need to be imported. Highest blast radius: @opensearch-project/opensearch (versions 3.5.3, 3.6.2, 3.7.0, 3.8.0) at 1.3M weekly downloads; @mistralai/mistralai (2.2.2-2.2.4); @tanstack/react-router (1.169.5, 1.169.8).

Why it matters: OIDC federation — designed to eliminate long-lived tokens — was weaponized to mint fresh publish credentials. Infected packages carry valid Sigstore provenance attestations, which defeats provenance-based trust checks. Exfiltration through Session P2P is indistinguishable from normal IM traffic. Persistence in .claude/ hooks survives npm uninstall.

Patch status: Compromised versions removed from npm. PyPI mistralai and guardrails-ai quarantined. Safe versions: @opensearch-project/opensearch <=3.5.2 (or confirmed-clean post-quarantine release); @mistralai/mistralai <=2.2.1; mistralai PyPI <=2.4.5; guardrails-ai <=0.10.0.

Immediate action: Grep lockfiles for affected namespaces. Check for /tmp/transformers.pyz, .claude/router_runtime.js, pgmon.service. Rotate every secret on any CI runner that installed a compromised version. Block filev2.getsession.org, git-tanstack.com, api.masscan.cloud at egress DNS. Set npm config set ignore-scripts true on all CI runners.

Vulnerability Overview – TeamPCP – Mini Shai Hulud

Technical Anatomy

Root Cause: OIDC Federation Abuse via Orphaned CI Commit

The attack did not start with a phished password or a stolen API key. It started with an orphaned commit.

On May 10–11, 2026, TeamPCP identified an orphaned commit in a TanStack repository that remained reachable from a GitHub Actions workflow. The workflow had OIDC trust federation configured with npm — the standard mechanism for passwordless publishing where CI can mint short-lived npm tokens on behalf of a registered publisher. By triggering a workflow run against the attacker-controlled commit, TeamPCP extracted the runner’s OIDC token and exchanged it with npm’s federation endpoint for a full publish credential on the TanStack namespace. Two-factor authentication was bypassed entirely: OIDC federation authenticates the CI workflow identity, not the human maintainer.

The TanStack postmortem attributes this to a chained attack — pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of an OIDC token from the runner process. No stored npm tokens were stolen.

Exploit Path

Step 1 — Entry via orphaned commit: An attacker-controlled commit in a fork runs inside a privileged workflow context because of a pull_request_target misconfiguration. The runner process holds an active OIDC JWT. The attacker reads it from runner memory during the test/cleanup phase.

Step 2 — OIDC token exchange for npm publish credential: The extracted OIDC JWT goes to npm’s trusted publisher federation endpoint. npm validates the token against the registered OIDC trust binding for the TanStack namespace and issues a publish token. The attacker now has authenticated publish access to every package in the namespace without any stored credentials.

Step 3 — Infected version publication with Sigstore provenance, then worm propagation: The malicious payload is packaged and published. Because the publish authenticates as the legitimate CI workflow identity, npm’s provenance system generates a valid Sigstore attestation. Consumers who inspect provenance records see a clean CI build. The worm then replicates: on any infected CI runner with OIDC federation, tanstack_runner.js repeats the token extraction and republishes under every accessible namespace.

The Three-Stage Payload (router_init.js, ~2.3 MB)

The payload is a single-line, 2.3 MB file obfuscated with javascript-obfuscator: string-array rotation, hex-encoded identifier lookups (_0x dispatcher called 2,864 times), control-flow flattening inside while(![]){} state machines, and a secondary XOR/AES decode layer (beautify()) that encodes 148 environment variable name accesses to defeat grep-based string extraction.

Stage 1 — Credential Harvest: The payload forks a detached child with all stdio suppressed (stdio: [‘ignore’,‘ignore’,‘ignore’]), then exits the parent cleanly. The child sweeps every major secrets plane:

• GitHub Actions: reads GITHUB_TOKEN, ACTIONS_ID_TOKEN_REQUEST_TOKEN; calls GET /repos/{repo}/actions/secrets?per_page=100 to enumerate all repository secrets
• AWS: reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_ROLE_ARN; calls EC2 IMDSv2 (PUT /latest/api/token then role credential fetch); queries Secrets Manager and SSM Parameter Store across all regions via SigV4-signed API calls
• Kubernetes: reads /var/run/secrets/kubernetes.io/serviceaccount/token and ca.crt
• HashiCorp Vault: reads VAULT_TOKEN, VAULT_AUTH_TOKEN; connects to vault.svc.cluster.local:8200 (in-cluster Vault API)
• ECS: reads ECS task metadata endpoint at 169.254.170.2

Stage 2 — OIDC-Powered Worm Propagation: On runners with active OIDC federation, the payload calls ACTIONS_ID_TOKEN_REQUEST_URL to mint a fresh npm OIDC JWT, exchanges it for a publish token, queries npms.io to enumerate maintainer packages, and republishes infected versions under the latest dist-tag with valid Sigstore provenance attestations.

Stage 3 — Repository Poisoning via GitHub GraphQL: Using stolen GITHUB_TOKEN values, the implant calls the createCommitOnBranch GraphQL mutation to write payload files directly to repository branches. Target paths: .claude/router_runtime.js, .claude/settings.json, .claude/setup.mjs, .vscode/setup.mjs, .vscode/tasks.json, and arbitrary .github/workflows/ files. All commits are authored as claude@users.noreply.github.com, impersonating the Anthropic Claude Code GitHub App.

The .claude/ Persistence Mechanism

Claude Code supports a hooks configuration in .claude/settings.json that executes shell commands in response to tool events. By writing a copy of the worm into .claude/router_runtime.js and registering it in .claude/settings.json, the worm re-executes every time a developer uses Claude Code in the affected project directory. This persistence survives npm uninstall and package cache clearing. Package removal is not sufficient remediation.

Protect yourself with the latest threat intelligence, get access to PHOENIX BLUE Today

Exfiltration via Session P2P Protocol – TeamPCP – Mini Shai Hulud

Harvested credentials are not POSTed to a conventional HTTPS C2 server. The payload routes exfiltration through the Session decentralized P2P messaging network using the full embedded signalservice Protocol Buffers stack (Envelope, Content, DataMessage, WebSocketMessage, SharedConfigMessage). Traffic uploads to http://filev2.getsession.org/file/ over plain HTTP with tls.rejectUnauthorized: false, honoring any CI runner outbound proxy. To a network observer, this is regular encrypted P2P messaging traffic. No CDN provider or domain registrar can take down Session’s distributed snode network — DNS-level blocking of .getsession.org is the only practical perimeter control.

The PyPI Dropper: Simpler, Same Infrastructure

The guardrails-ai==0.10.1 PyPI compromise uses a different mechanism. On import (not install) on Linux, the package fetches https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3. No hash check. No signature verification. The same git-tanstack.com domain used as the attacker self-attribution page serves this payload. TeamPCP made no attempt to separate infrastructure between the npm and PyPI sides of the campaign.

Sandbox Detection – TeamPCP – Mini Shai Hulud

The payload checks two environment variables — TESTING_TAR_FAKE_PLATFORM and FAKE_PLATFORM — as sandbox-detection canaries. If either is set, the payload runs cleanly, producing a benign execution trace in sandboxes that fake platform metadata.

Affected Versions

npm — Highest Impact Packages

PyPI

Full 170-package inventory available at OpenSourceMalware.com under tag #mini-shai-hulud and Socket’s Mini Shai-Hulud campaign tracker at socket.dev/supply-chain-attacks/mini-shai-hulud.

Campaign Scope and Timeline

Exposure Analysis

Real-World Impact of TeamPCP – Mini Shai Hulud

Automated tooling detected 84 compromised TanStack artifacts within six minutes of publication — meaning detection exists and fires quickly. Six minutes is fast. It is not fast enough: CI pipelines that run on push will have installed compromised versions before any detection fires.

OpenSearch is the single highest blast-radius package in this campaign. At 1.3 million weekly npm downloads, it lands in observability stacks, search-backed services, and OpenSearch/Elasticsearch ingestion pipelines across thousands of organizations. Any application or pipeline that resolved versions 3.5.3, 3.6.2, 3.7.0, or 3.8.0 between May 12 00:29 UTC and quarantine time is in scope.

The Mistral AI SDK compromise hit npm and PyPI simultaneously. For organizations running LLM applications on the Mistral SDK, both the JavaScript and Python clients were poisoned in the same campaign wave.

The Sigstore provenance bypass is a structural problem with how provenance works. Organizations that implemented provenance verification as a supply chain control would have seen “verified provenance” badges on the malicious TanStack releases. The provenance record accurately shows that the package was published from a GitHub Actions run in the TanStack repository. It cannot indicate that the run evaluated attacker-controlled code. Provenance tells you where a package was built; it does not tell you whether that build environment was clean.

The Session P2P exfiltration channel is the hardest part to address at the network layer. No CDN provider, domain registrar, or certificate authority can take down Session’s snode swarm. Organizations that rely on domain reputation scoring for C2 detection have no visibility into this channel.

Detection Guidance

Indicators of Compromise

File Hashes (SHA-256)

Detection Queries

Lockfile scan:

grep -E “(@tanstack|@uipath|@squawk|@mistralai|@opensearch-project)/” \
  package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null

Filesystem persistence check:

ls -la ~/.claude/router_runtime.js ~/.claude/setup.mjs \
  ~/.vscode/setup.mjs /tmp/transformers.pyz /tmp/pglog 2>/dev/null

Git history check (run per repo):

git log –all –author=’claude@users.noreply.github.com’ –since=’2026-05-10′

router_init.js hash check:

find . -path ‘*/node_modules/*/router_init.js’ -exec sha256sum {} \; 2>/dev/null

MITRE ATT&CK Mapping

Remediation Guidance

Immediate Actions

1. Pin away from compromised versions. Update all lockfiles to exclude compromised version ranges. For @tanstack/* packages, pin to versions prior to 1.169.5 or the latest verified clean release post-quarantine.
2. Block C2 infrastructure at DNS egress: filev2.getsession.org, seed1.getsession.org, git-tanstack.com, api.masscan.cloud. IP-based blocking is impractical for the Session snode swarm — DNS-level blocking is required.
3. Rotate all secrets on any affected CI runner. Any workflow that ran npm install during May 10–12, 2026 and resolved a compromised version should treat all runner secrets as compromised: GitHub PATs, OIDC federation bindings, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, Docker registry credentials, npm publish tokens.
4. Remove .claude/ and .vscode/ persistence artifacts. npm uninstall is not sufficient. Check all developer home directories and project roots for: .claude/router_runtime.js, .claude/settings.json (inspect for unknown hooks), .vscode/tasks.json (inspect for unknown tasks), .claude/setup.mjs, .vscode/setup.mjs.
5. Audit recent commits for spoofed claude@ authorship. Run git log –all –author=‘claude@users.noreply.github.com’ –since=‘2026-05-10’ across every repository your CI has write access to. Commits with this identity not initiated through the legitimate Claude Code GitHub App are attacker-injected.
6. Uninstall affected PyPI packages. Remove mistralai==2.4.6 and guardrails-ai==0.10.1 immediately. Delete /tmp/transformers.pyz if present.
7. Revoke and re-establish npm Trusted Publisher OIDC bindings for any package published from affected repositories. Confirm the publishing workflow is clean before re-establishing federation.
8. Audit npm publish logs for unexpected version bumps from your organization’s packages, particularly versions published from GitHub Actions runners not initiated by a team member.

Long-Term Hardening

Disable npm install scripts on all CI runners: npm config set ignore-scripts true (or pnpm config set ignore-scripts true). This single line blocks the entire preinstall chain at the first hop. Most CI environments do not legitimately need lifecycle hooks from dependencies.

Restrict OIDC token scopes in GitHub Actions. Set permissions: id-token: none in all workflows that do not publish. Restrict id-token: write to only the specific job that publishes. Never grant OIDC token permissions to jobs that run attacker-influenced code.

Do not treat Sigstore provenance as a security gate on its own. Provenance verifies that a package was published from a specific CI workflow — not that the workflow ran trusted code. An attacker who can execute in GitHub Actions can generate valid Sigstore attestations for malicious packages.

Audit all pull_request_target workflows for PWN request patterns. If any step checks out PR head code, it is exploitable. Use poutine (Boost Security) or Zizmor for automated scanning.

Implement a version adoption delay policy. Community detection of supply chain attacks typically happens within minutes to hours. A 24–48 hour hold on new patch versions for non-critical CI dependencies provides a meaningful window for community detection to surface before your pipelines install.

Phoenix Security Recommendations

Mini Shai-Hulud had no CVE, no CVSS score, and no NVD entry. It compromised developer tooling and AI SDK infrastructure running with elevated trust in CI environments. For organizations with any of the 170 affected packages across their repository estate, the remediation surface is large and ownership is fragmented across multiple teams.

Attack surface management: Phoenix identifies which CI/CD pipelines and container images reference compromised package versions and maps whether those pipelines run in environments with OIDC federation enabled. For organizations with hundreds of repositories consuming @tanstack/, @mistralai/, or @opensearch-project/* packages, Phoenix provides a single view of which pipelines resolved compromised versions during the exposure window.

Contextual deduplication: The same compromised @opensearch-project/opensearch version appearing across 50 repositories does not generate 50 separate tickets. Phoenix correlates findings across all environments into a single prioritized backlog, surfacing the highest-risk instances — those with active cloud credentials or Kubernetes service account access — first.

Reachability analysis: Phoenix distinguishes between repositories where a compromised package version was declared in a lockfile versus those where the preinstall hook actually ran during a CI job. An environment with the package in its lockfile but no recent CI run has a materially different risk profile than one that ran npm install in the exposure window. That distinction drives remediation prioritization: secret rotation is urgent only where the hook executed.

Remediation campaigns: Create a Phoenix campaign to track lockfile remediation across all affected repositories, secret rotation completion per CI runner, .claude/ and .vscode/ persistence cleanup, OIDC federation rebuild, and Kubernetes pod cleanup for environments with the lateral movement variant. Assign owners per repository and track fix verification through to confirmed clean state.

Ownership attribution: Mini Shai-Hulud hit 19 namespaces across packages likely owned by multiple teams in any large organization. Phoenix maps vulnerable package references to responsible engineering teams automatically, making cross-team coordination tractable at scale.

The results are clear:

• Bazaarvoice saved $6.3M in developer time and for teams removed critical in the first weeks of adoption
• ClearBank cut critical container vulnerabilities by 96–99% and reclaimed 4 hours per engineer per week.
• IAS saved an equivalent of 1.5M in development hours and reduced SCA-to-container noise by 82.4%
• Optimizely has been able to act on vulnerabilities sitting on the backlog.

👉 Book a demo today

Or learn how Phoenix Security slashed millions in wasted dev time for fintech, retail, and adtech leaders.

Phoenix Security correlates vulnerable components with runtime workloads, identifies exposed pipelines via attack surface management, and assigns remediation ownership. A 170-package supply chain compromise becomes a trackable backlog with clear team accountability.

Full list of packages  

References

• OpenSourceMalware.com — Mini Shai-Hulud Campaign Tracker (tag: #mini-shai-hulud): https://opensourcemalware.com
• Socket Security Research — TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack: https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud
• Socket Security — Mini Shai-Hulud Campaign Tracker (live): https://socket.dev/supply-chain-attacks/mini-shai-hulud
• TanStack — Postmortem: OIDC Token Extraction via pull_request_target (GitHub repository)
• OpenSourceMalware.com — 6mile: TeamPCP Hits 160+ Packages Including OpenSearch and Mistral AI
• Wiz Research — Trivy Compromised by TeamPCP: https://wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
• Endor Labs — TeamPCP Isn’t Done: LiteLLM PyPI Compromise (upstream campaign context)
• Socket Security — CanisterWorm: npm Publisher Compromise Deploys Backdoor Across 29 Packages
• Aikido Security — TeamPCP Deploys CanisterWorm on NPM Following Trivy Compromise
• GitHub Advisory Database — GHSA-69fq-xp46-6×23 (Trivy ecosystem, upstream TeamPCP attribution)
• MITRE ATT&CK — T1195.002 Supply Chain Compromise: Software Supply Chain