Mini Shai-Hulud wave — TanStack, Mistral, UiPath, OpenSearch (May 2026)
TL;DR
Over a 48-hour window on 2026-05-11 → 2026-05-12, the Mini Shai-Hulud worm — operated by threat actor group TeamPCP — compromised 172 unique packages across 403 malicious versions on npm and PyPI. High-profile scopes hit: @tanstack, @mistralai, @uipath, @opensearch-project, plus Guardrails AI. Cumulative downloads of affected packages exceed 518 million. The TanStack subset (~84 versions across 42 @tanstack/* packages, including @tanstack/react-router ~12.7M weekly downloads) was assigned CVE-2026-45321 (CVSS 9.6). This is the first documented case of a malicious npm package carrying valid SLSA provenance — published by the legitimate release pipeline after attacker-controlled code hijacked the runner mid-workflow. Same threat actor is now confirmed to have launched the PyTorch Lightning compromise on April 30, 2026, and went on to hit the @antv ecosystem + Microsoft durabletask on May 19 and to breach GitHub's own internal repos on May 20.
Update 2026-06-11 — ACTION REQUIRED BY 2026-06-12: OpenAI's macOS code-signing certificate revocation takes effect tomorrow. macOS users of ChatGPT Desktop, Codex, Codex-cli, and Atlas who have not yet updated will be blocked from launching the apps after the certificate is revoked. Update immediately. The Hades Campaign (June 8) is the latest downstream wave of the same threat-actor cluster; see the 2026-05-31 update below for full cert-rotation context.
Update 2026-06-02: the campaign has a third documented worm-source-public copycat. Miasma —
@redhat-cloud-services(2026-06-01) is a lightly reskinned Mini Shai-Hulud derivative (Greek-mythology theming replaces Dune markers; added GCP/Azure identity collectors; exfil camouflaged asapi.anthropic.com/v1/api) that hit 32 packages / 96 versions of Red Hat's official OpenShift / Hybrid Cloud Console / Insights client scope in a ~72-second automated burst. Initial access was a compromised Red Hat employee GitHub account → existing GitHub Actions OIDC publish path (no separate npm credential theft) — same shape as Megalodon's@tiledeskarm. This is the first copycat to land on a major legitimate npm scope rather than typosquats, and the first to disguise exfil as AI-vendor API traffic.Update 2026-05-31: CISA added CVE-2026-45321 to the Known Exploited Vulnerabilities catalog on 2026-05-27 alongside CVE-2026-48027 (Nx Console) and CVE-2026-8398 (DAEMON Tools Lite) — federal-agency remediation deadline 2026-06-10. OpenAI disclosed on 2026-05-14 that this wave reached two OpenAI employee devices, exfiltrated "limited credential material" from internal source-code repos, and forced re-signing of the macOS, Windows, iOS, and Android desktop apps (ChatGPT Desktop, Codex, Codex-cli, Atlas). Old certificates are revoked on 2026-06-12 — unupdated macOS users will be blocked from launching the apps. OpenAI's own postmortem notes the compromised devices had not yet received post-Axios supply-chain hardening (pinned commit hashes +
minimumReleaseAgefloor) that would have blocked the malicious dependency. Two AI-vendor code-signing-cert rotations in five weeks (Axios → 2026-05-08, TanStack → 2026-06-12) — track this as a recurring named-instance pattern.Campaign context (updated 2026-05-23): TeamPCP (aka PCPcat / DeadCatx3 / UNC6780, per Google Threat Intelligence) has been the most active supply-chain actor of 2026. The Mini Shai-Hulud campaign began in early March with Aqua's Trivy scanner, then cascaded through Checkmarx KICS, LiteLLM, Telnyx, the "Shai-Hulud: The Third Coming" Checkmarx-channel wave that backdoored
@bitwarden/cli(Apr 22 — the first payload to specifically hunt AI-coding-tool credentials), the SAP scope (April), PyTorch Lightning (Apr 30), this TanStack/Mistral/UiPath/OpenSearch wave (May 11), node-ipc (May 14), the @antv + durabletask wave (May 19), and a Checkmarx Jenkins AST Plugin backdoor (May). Campaign total to date: ~1,055 malicious versions across ~502 unique packages (npm 1,048, PyPI 6, Composer 1). Separately, the same "hijack the real release pipeline via GitHub Actions" TTP showed up in the elementary-data PyPI/GHCR compromise (Apr 24) — script injection → forged signed release → legitimate publish pipeline.
What happened
The worm chained three vulnerabilities in GitHub Actions:
pull_request_targetPwn Request. A fork-triggered workflow on the TanStack monorepo (and analogous workflows on the other affected scopes) ran attacker-controlled code with elevated privileges.- GitHub Actions cache poisoning. The malicious workflow wrote a poisoned pnpm store into the Actions cache.
- OIDC token theft. When a legitimate maintainer's PR was merged, the trusted release workflow restored the poisoned cache; attacker-controlled binaries then extracted OIDC tokens directly from the runner's process memory.
Result: packages were published by the legitimate release pipeline, with valid SLSA provenance, while carrying a credential-stealing payload.
The payload follows the Mini Shai-Hulud playbook: scan the runner for npm/GitHub/cloud credentials, exfiltrate to attacker-controlled GitHub repos with Dune-themed names (e.g., kralizec-phibian-314, descriptions like "A Mini Shai-Hulud has Appeared"), then attempt to publish trojanized versions of every package the harvested tokens can reach.
Am I affected?
# All four major affected scopes
npm ls --all 2>/dev/null | grep -E '@tanstack/|@mistralai/|@uipath/|@opensearch-project/'
# Plus PyPI side (mistralai is on both)
pip list 2>/dev/null | grep -iE 'mistralai|guardrails|opensearch'
# Install dates within the window
ls -la node_modules/@tanstack/*/package.json 2>/dev/null | head
If any affected package landed on a dev machine or CI runner between 2026-05-11 and the takedown, treat that host as compromised — credentials, OIDC tokens in CI cache, and downstream publish authority all suspect.
# Look for Dune-themed exfil repos planted in your accounts/orgs
gh api /user/repos --paginate --jq '.[] | select(.description // "" | test("Shai-Hulud|Mini Shai-Hulud"; "i")) | .full_name'
gh api /user/repos --paginate --jq '.[] | select(.created_at > "2026-05-10") | {name, private, description}'
IOCs
| Type | Value |
|---|---|
| CVE (TanStack subset) | CVE-2026-45321 (CVSS 9.6) — CISA KEV 2026-05-27, federal deadline 2026-06-10 |
| Downstream AI-vendor impact | OpenAI: 2 employee devices compromised, internal source-code credential exfil; macOS/Windows/iOS/Android signing certs rotated; old certs revoked 2026-06-12 |
| Worm commit-message prefix | EveryBoiWeBuildIsAWormyBoi |
| Exfil repo description | "A Mini Shai-Hulud has Appeared" / "Shai-Hulud: Here We Go Again" |
| C2 / staging hosts | git-tanstack[.]com, *.getsession.org, filev2.getsession.org, api.masscan.cloud |
| C2 IP | 83.142.209[.]194 |
| Postinstall artifact (cross-ecosystem) | .claude/settings.json, .claude/setup.mjs, .claude/router_runtime.js, .vscode/tasks.json (runOn: folderOpen) |
| Total packages compromised | 172 (npm + PyPI), 403 malicious versions |
| Exfil repos created | 400+ |
Block git-tanstack[.]com, *.getsession.org, and 83.142.209[.]194 at the DNS/proxy level. Audit outbound flows for connections to filev2.getsession.org and api.masscan.cloud.
If you are affected
→ playbooks/if-you-installed-a-bad-npm-package.md → playbooks/if-your-github-pat-leaked.md — especially for CI runners → playbooks/if-your-npm-token-leaked.md → playbooks/rotating-cloud-credentials.md
Why valid SLSA provenance matters here
SLSA provenance is meant to prove "this artifact was built by this pipeline from this source." It worked exactly as designed — the pipeline really did publish the package. The problem is that the pipeline itself was compromised mid-build. Provenance attestation can't tell you whether a build runner's process memory was being scraped.
Lesson: provenance is a necessary but insufficient signal. Combine with: signed source commits, restricted PR-triggered workflows (don't grant pull_request_target write access), short-lived OIDC, and runtime hardening (StepSecurity Harden-Runner egress allowlist).
Prevention
→ prevention/npm-hardening.md
→ prevention/agent-sandboxing.md
→ Restrict pull_request_target workflows. Use zizmor to scan workflows for the Pwn Request pattern. Add StepSecurity Harden-Runner for runtime egress alerting.
Sources
- TanStack — Postmortem: TanStack npm supply-chain compromise
- StepSecurity — TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages
- Akamai — Mini Shai-Hulud: The Worm Returns and Goes Public
- Phoenix Security — Mini Shai-Hulud: TeamPCP's Self-Propagating npm Worm Hits TanStack, OpenSearch, and Mistral AI Across 170 Packages
- Orca Security — TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack
- Strobes — TanStack npm Supply Chain Attack: 170 Packages Compromised
- SafeDep — Mass Supply Chain Attack Hits TanStack, Mistral AI npm and PyPI Packages
- Aikido — Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack
- Snyk — TanStack npm Packages Hit by Mini Shai-Hulud
- Snyk — Zero-Day Advisory: TanStack npm Supply Chain Compromise May 2026
- Wiz — Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised
- Mend — Mini Shai-Hulud Wave Hits 172 npm and PyPI Packages
- The Hacker News — Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
- Picus Security — Mini Shai-Hulud: The npm Supply Chain Worm Explained
- Expel — Mini Shai-Hulud: Cross-ecosystem supply chain worm targeting npm & PyPI
- The CyberSec Guru — Mini Shai-Hulud npm Attack: All Affected Packages
- Qualysec — Mini Shai-Hulud Worm: 170+ npm & PyPI Packages Compromised
- Cybersecurity News — MistralAI PyPI Package Compromised
- OpenAI — Our response to the TanStack npm supply chain attack — official vendor IR: 2 employee devices, signing certs rotated, June 12 revocation
- The Register — OpenAI caught in TanStack npm supply chain chaos after employee devices compromised (2026-05-15)
- The Hacker News — TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates
- SecurityWeek — OpenAI Hit by TanStack Supply Chain Attack
- TechCrunch — OpenAI says hackers stole some data after latest code security issue
- CISA — Three Known Exploited Vulnerabilities Added to Catalog (2026-05-27) — CVE-2026-45321 KEV addition
- SecurityAffairs — U.S. CISA adds Daemon Tools, TanStack, and Nx Console flaws to its KEV catalog
- VentureBeat — Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering