A sophisticated worm dubbed “Mini Shai-Hulud” has compromised over 170 packages across the npm and PyPI registries in a widespread supply chain attack, impacting projects with more than 518 million combined downloads and introducing a novel technique to bypass security attestations.
"The attack published malicious versions through the project's own GitHub Actions release pipeline using hijacked OIDC tokens," said Ashish Kurmi, a researcher at StepSecurity. "In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages."
The campaign, attributed to the threat actor TeamPCP, has impacted 42 TanStack packages, 65 from UiPath, and others from Mistral AI, OpenSearch, and Guardrails AI. The TanStack compromise (CVE-2026-45321), rated critical with a 9.6 CVSS score, involved a chained attack using a pull_request_target misconfiguration and cache poisoning to extract OIDC tokens from the GitHub Actions runner process memory, allowing the attacker to publish packages without stealing npm tokens.
The attack's ability to generate valid SLSA provenance for malicious packages erodes trust in the very systems designed to secure the software supply chain. This incident puts pressure on platforms like GitHub and registries like npm to address architectural weaknesses in CI/CD pipelines, as the financial and operational risk now extends to any project using dependencies from compromised maintainers, potentially affecting billions of dollars in software value.
Multi-Stage Payload Steals Cloud and Crypto Credentials
The core of the attack is a multi-stage credential stealer, often embedded as an obfuscated JavaScript file named "router_init.js". The malware performs extensive profiling of the victim's environment to steal a wide array of sensitive information, including credentials for cloud providers, cryptocurrency wallets, AI tools, and messaging apps. According to security firm SlowMist, the worm is explicitly designed to steal CI/CD keys and crypto wallet information.
Data is exfiltrated through multiple channels, including a domain (filev2.getsession[.]org) that uses the privacy-focused Session messaging service to evade detection. As a fallback, stolen data is also committed to attacker-controlled GitHub repositories. The malware also establishes persistence in popular code editors like VS Code to survive reboots.
A Python variant of the malware, found in the compromised guardrails-ai and mistralai packages, fetches a payload from a remote server that targets password managers like 1Password and Bitwarden. Microsoft's analysis noted this variant contains a destructive branch with a one-in-six chance of deleting all files on systems appearing to be in Israel or Iran.
Worm Spreads Through Hijacked Developer Identities
What makes the Mini Shai-Hulud worm particularly dangerous is its ability to self-propagate. The malware uses stolen GitHub OIDC tokens to mint new npm publish tokens, allowing it to publish malicious versions of other packages maintained by the compromised developer. This technique bypasses the need for traditional authentication or two-factor authentication, creating a rapidly spreading threat.
The attackers have automated this process, creating over 400 malicious repositories with the description "Shai-Hulud: Here We Go Again," a reference to the Dune saga. The worm spoofs commit authors to appear as legitimate applications, further masking its activity.
Security researchers advise all developers to check if any compromised package versions have entered their environments, rotate all potentially exposed credentials, and audit their GitHub Actions OIDC configurations for security weaknesses.
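As an added example (not from the article or any of the affected projects), a minimal Python check for the last recommendation: it flags the workflow elements the article names in the TanStack chain, a pull_request_target trigger combined with pull request head checkout, actions/cache, and id-token: write. It is a text heuristic over one workflow file rather than a YAML parse, and the function name and sample workflows are constructed for illustration.

```python
import re

# Text heuristics for the elements the article names; this is not a YAML parse.
PATTERNS = {
    "trigger": re.compile(r"\bpull_request_target\b"),
    "pr_head": re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"),
    "cache": re.compile(r"uses:\s*actions/cache(/[\w-]+)?@"),
    "oidc": re.compile(r"id-token:\s*write"),
}

def audit_workflow(text):
    """Return findings for one workflow file's text (YAML comments are ignored)."""
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    seen = {name: bool(p.search(body)) for name, p in PATTERNS.items()}
    if not seen["trigger"]:
        return []
    findings = ["pull_request_target trigger: run has base-repository privileges"]
    if seen["pr_head"]:
        findings.append("checks out pull request head code in that context")
    if seen["cache"]:
        findings.append("uses actions/cache in the same workflow")
    if seen["oidc"]:
        findings.append("grants id-token: write, so an OIDC token can be requested")
    return findings

# Constructed sample workflows (not taken from any real project).
RISKY = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
      - run: npm ci && npm run bench
"""
SAFE = "# on: pull_request_target (disabled)\non:\n  pull_request:\n"

if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFE))
```

Because the check is file-wide, a finding means the elements coexist in one workflow, not that they sit in the same job; each flagged file still needs manual review.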