{"id":883,"date":"2026-05-12T09:34:01","date_gmt":"2026-05-12T09:34:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=883"},"modified":"2026-05-12T09:34:01","modified_gmt":"2026-05-12T09:34:01","slug":"mini-shai-hulud-worm-compromises-tanstack-mistral-ai-guardrails-ai-more-packages","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=883","title":{"rendered":"Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages"},"content":{"rendered":"
\n
<\/a><\/div>\n

TeamPCP<\/b>, the threat actor behind the recent\u00a0<\/b>supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.<\/p>\n

The affected npm packages have been modified to include an obfuscated JavaScript file (\u00abrouter_init.js\u00bb) that’s designed to profile the execution environment and launch a comprehensive credential stealer capable of targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems, including Github Actions, Aikido Security<\/a>, Endor Labs<\/a>, SafeDep<\/a>, Socket<\/a>, and StepSecurity<\/a> said. The data is exfiltrated to the \u00abfilev2.getsession[.]org\u00bb domain.<\/p>\n

Using Session Protocol infrastructure is a deliberate attempt on the part of the attackers to evade detection, as the domain is unlikely to be blocked within enterprise environments, given that it belongs to a decentralized, privacy-focused messaging service. As a fallback option, the encrypted data is committed to attacker-controlled repositories under the author name \u00abclaude@users.noreply.github.com\u00bb via the GitHub GraphQL API using the stolen GitHub tokens.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The malware is also capable of establishing persistence hooks in Claude Code and Microsoft Visual Studio Code (VS Code) to survive reboots and re-execute the stealer on every launch of the IDEs.<\/p>\n

Furthermore, it installs a gh-token-monitor service to monitor and re-exfiltrate GitHub tokens, and injects two malicious GitHub Actions workflows to serialize repository secrets into a JSON object and upload the data to an external server (\u00abapi.masscan[.]cloud\u00bb).\u00a0<\/p>\n

TanStack has since traced<\/a> the compromise to a chained GitHub Actions attack involving the \u00abpull_request_target\u00bb trigger, GitHub Actions cache poisoning<\/a>, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. \u00abNo npm tokens were stolen, and the npm publish workflow itself was not compromised,\u00bb TanStack said.<\/p>\n

\"\"<\/a><\/div>\n

Specifically, the attackers are assessed to have staged the malicious payload in a GitHub fork, injected it into published npm tarballs, then hijacked the project’s legitimate \u00abTanStack\/router\u00bb workflow to publish the compromised versions with valid SLSA provenance.\u00a0<\/p>\n

<\/p>\n

What makes the worm stand out is its ability to spread itself to other packages by locating a publishable npm token with bypass_2fa set to true, enumerating every package published by the same maintainer, and exchanging a GitHub OIDC token for a per-package publish token to sidestep traditional authentication entirely.<\/p>\n

The TanStack supply chain compromise has been assigned the CVE identifier CVE-2026-45321<\/a>. It carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. The incident has impacted 42 packages and 84 versions across the TanStack ecosystem.<\/p>\n

\u00abThe attack published malicious versions through the project’s own GitHub Actions release pipeline using hijacked OIDC tokens,\u00bb StepSecurity researcher Ashish Kurmi said.<\/p>\n

\u00abIn an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages. The worm has since spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers.\u00bb<\/p>\n

Besides TanStack, the Mini Shai-Hulud campaign has also spread to several other packages, including some in PyPI –<\/p>\n