A new wave of supply chain compromise has been identified involving a malware strain referred to as the Mini Shai Hulud worm, which has been linked to the threat actor TeamPCP. The campaign has impacted multiple widely used npm and PyPI packages belonging to ecosystems such as TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. Security researchers report that the compromised packages were modified to include an obfuscated JavaScript file named router_init.js, which is engineered to inspect the execution environment and deploy a credential-stealing module. This module targets a wide range of sensitive material, including cloud service credentials, cryptocurrency wallets, artificial intelligence development tools, messaging applications, and continuous integration systems such as GitHub Actions, Aikido Security, Endor Labs, SafeDep, Socket, and StepSecurity. Exfiltrated data is transmitted to the domain filev2.getsession.org, with researchers noting the use of Session Protocol infrastructure to avoid detection because of its association with decentralized, privacy-focused messaging services.
Further analysis indicates that the malware includes fallback mechanisms to ensure data exfiltration even when direct transmission is blocked. In such cases, stolen information is committed to attacker-controlled repositories under the GitHub identity claude@users.noreply.github.com using GitHub GraphQL API calls authenticated with stolen tokens. The malicious code also establishes persistence within developer environments by injecting hooks into Claude Code and Microsoft Visual Studio Code, allowing the stealer to reactivate on system reboot or IDE launch. In addition, it deploys a gh-token-monitor service that continuously tracks GitHub tokens and reinitiates exfiltration whenever new credentials are detected. The campaign further escalates its persistence strategy by injecting malicious GitHub Actions workflows that serialize repository secrets into JSON and transmit them to external infrastructure hosted at api.masscan.cloud, significantly broadening its data collection scope across development environments.
Investigations into the TanStack compromise reveal that the attack chain originated from a GitHub Actions-based intrusion leveraging the pull_request_target trigger combined with cache poisoning and runtime memory extraction of OpenID Connect tokens from GitHub Actions runners. According to TanStack, npm publishing tokens were not stolen and the publishing workflow itself remained intact, although attackers were able to manipulate the project's release pipeline. The malicious payload was staged through a GitHub fork and inserted into published npm tarballs before being pushed through the legitimate TanStack router workflow with valid SLSA provenance attestations. Security researchers noted that the worm demonstrates advanced propagation capabilities by locating npm publish tokens with bypass_2fa enabled, enumerating packages tied to maintainers, and exchanging GitHub OIDC tokens for per-package publish tokens, effectively bypassing traditional authentication controls. The incident has been tracked under CVE-2026-45321 with a CVSS score of 9.6, impacting 42 packages and 84 versions within the TanStack ecosystem.
The scope of the Mini Shai Hulud campaign extends beyond a single ecosystem, with confirmed compromises across the PyPI and npm registries including guardrails-ai 0.10.1, mistralai 2.4.6, multiple OpenSearch project releases, and several Squawk and TallyUI connector packages. In the case of the mistralai PyPI package, analysis by Microsoft revealed a credential stealer that downloads remote payloads from 83.142.209.194 and includes environment-aware logic designed to avoid execution on Russian-language systems, along with a geofenced destructive branch that has a conditional chance of executing a destructive command depending on detected geographic indicators. In parallel, Socket researchers reported that the guardrails-ai package executes malicious code on import, downloading a Python payload from a remote server and executing it directly without integrity verification. The ongoing propagation across AI tooling, search infrastructure, automation systems, and CI/CD pipelines highlights an expanding supply chain threat landscape in which trusted development dependencies are increasingly used as delivery mechanisms for cross-platform credential theft and persistent infiltration across software ecosystems.
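The indicators reported above (the router_init.js dropper, the two exfiltration domains, the claude@users.noreply.github.com commit identity, the gh-token-monitor service, the pull_request_target trigger, and the named PyPI versions) can be turned into a simple defender-side sweep of a checkout or build host. The following is an added example, not code from the article or from any of the researchers it cites: it walks a directory tree and reports matches against those indicators. The sample tree it scans is constructed inline in a temporary directory; the file names, the planted contents and the finding labels are this example's own assumptions.

```python
"""Scan a directory tree for the Mini Shai Hulud indicators named in the article.

Added example; the indicator values come from the article, the sample tree and
finding labels are constructed here for demonstration.
"""
import re
import tempfile
from pathlib import Path

# Indicators reported in the article.
SUSPECT_FILENAMES = {"router_init.js"}
EXFIL_DOMAINS = {"filev2.getsession.org", "api.masscan.cloud"}
SUSPECT_GIT_IDENTITY = "claude@users.noreply.github.com"
SUSPECT_SERVICE = "gh-token-monitor"
# PyPI package versions the article reports as compromised.
COMPROMISED_PYPI = {("guardrails-ai", "0.10.1"), ("mistralai", "2.4.6")}

PIN_RE = re.compile(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][\w.]*)")


def scan_tree(root):
    """Walk `root` and return a sorted list of (finding, posix-relative-path) tuples."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPECT_FILENAMES:
            findings.add(("suspect-file", rel))
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for domain in EXFIL_DOMAINS:
            if domain in text:
                findings.add((f"exfil-domain:{domain}", rel))
        if SUSPECT_GIT_IDENTITY in text:
            findings.add(("suspect-git-identity", rel))
        if SUSPECT_SERVICE in text:
            findings.add(("token-monitor-reference", rel))
        # pull_request_target runs with a write-capable token in the base repo's
        # context, so every workflow that uses it is flagged for manual review.
        in_workflows = ".github" in path.parts and "workflows" in path.parts
        if in_workflows and re.search(r"\bpull_request_target\b", text):
            findings.add(("pull_request_target-trigger", rel))
        if path.name == "requirements.txt":
            for line in text.splitlines():
                m = PIN_RE.match(line)
                if m and (m.group(1).lower(), m.group(2)) in COMPROMISED_PYPI:
                    findings.add((f"compromised-package:{m.group(1)}=={m.group(2)}", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed demo tree: one clean package plus planted indicators."""
    root = Path(tempfile.mkdtemp(prefix="msh-scan-"))
    good = root / "node_modules" / "good-pkg"
    good.mkdir(parents=True)
    (good / "index.js").write_text("module.exports = () => 1;\n")
    bad = root / "node_modules" / "bad-pkg"
    bad.mkdir(parents=True)
    # Constructed stand-in for the dropper: only the file name and a domain string.
    (bad / "router_init.js").write_text(
        "// constructed sample, not the real obfuscated file\n"
        "const host = 'filev2.getsession.org';\n"
    )
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "ci.yml").write_text(
        "on:\n  pull_request_target:\n    types: [opened]\njobs: {}\n"
    )
    (root / "requirements.txt").write_text("requests==2.31.0\nmistralai==2.4.6\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding, rel_path in scan_tree(demo_root):
        print(f"{finding:45s} {rel_path}")
```

Run it on a real checkout with `scan_tree("/path/to/repo")`; a hit on the file name or either domain warrants treating the host's cached credentials (npm and GitHub tokens, cloud keys, IDE hook files) as exposed, while a pull_request_target hit is a review item rather than proof of compromise.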