Mini Shai-Hulud Worm Spreads Across npm and PyPI, Hits TanStack, Mistral AI, and More
A threat actor tracked as TeamPCP is behind a widening supply chain attack campaign called Mini Shai-Hulud, which has compromised packages across both the npm and PyPI ecosystems belonging to TanStack, Mistral AI, Guardrails AI, OpenSearch, and UiPath, among others.
The compromised packages contain an obfuscated JavaScript file named "router_init.js" that profiles the execution environment and deploys a credential stealer targeting cloud providers, cryptocurrency wallets, AI tooling, messaging applications, and CI/CD systems. Stolen data is exfiltrated to "filev2.getsession[.]org" — a domain leveraging Session Protocol infrastructure deliberately chosen because enterprise environments are unlikely to block traffic to a legitimate decentralized messaging service. As a fallback, encrypted data is committed to attacker-controlled GitHub repositories using stolen tokens via the GitHub GraphQL API.
The malware establishes persistence hooks in both Claude Code and VS Code, re-executing the stealer on every IDE launch. It also installs a gh-token-monitor service to continuously harvest GitHub tokens and injects two malicious GitHub Actions workflows that serialize repository secrets into JSON and upload them to "api.masscan[.]cloud."
What makes this campaign particularly dangerous is the worm's self-propagation mechanism. Once it locates an npm publish token with bypass_2fa enabled, it enumerates every package published by the same maintainer and exchanges a GitHub OIDC token for per-package publish tokens, sidestepping traditional authentication entirely. In the TanStack compromise, attackers chained a "pull_request_target" trigger exploit with GitHub Actions cache poisoning and runtime memory extraction of OIDC tokens from the runner process to hijack the project's legitimate release pipeline.
The result is what researchers at StepSecurity are calling the first documented npm worm that produces validly attested malicious packages — the compromised TanStack versions carried valid SLSA Build Level 3 provenance attestations, meaning standard supply chain verification tooling would have flagged them as trusted. The TanStack incident alone impacted 42 packages and 84 versions, and has been assigned CVE-2026-45321 with a CVSS score of 9.6.
The campaign has spread well beyond TanStack. Affected packages include guardrails-ai 0.10.1 and mistralai 2.4.6 on PyPI, multiple versions of @opensearch-project/opensearch, and packages from Squawk, TallyUI, and DraftLab on npm.
Microsoft's analysis of the malicious mistralai PyPI package found it downloads a credential stealer from 83.142.209[.]194 with country-aware logic that avoids Russian-language environments and includes a geofenced destructive branch with a one-in-six chance of executing "rm -rf /" on systems geolocated to Israel or Iran.
The guardrails-ai compromise is particularly aggressive — the malicious code executes on import, checks for Linux systems, downloads a remote Python artifact from "git-tanstack.com/transformers.pyz," writes it to /tmp, and runs it without any integrity verification.
The Bigger Picture
This campaign represents a fundamental escalation in supply chain attacks. Valid SLSA provenance on malicious packages means traditional verification workflows are no longer sufficient on their own. Teams should immediately audit dependencies against the known compromised package versions, rotate any GitHub tokens or cloud credentials on systems where affected packages were installed, review GitHub Actions workflows for unauthorized modifications, and inspect CI/CD runners for unexpected OIDC token activity. Any environment that imported guardrails-ai 0.10.1 or mistralai 2.4.6 should be treated as fully compromised.
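The dependency audit recommended above can be scripted. The following is an added example, not code from the article or from any affected project: it checks pip-style requirements or lock files and the current Python environment against the two PyPI releases the article names. The helper names and the sample lock file are constructed for illustration, and any specifier that is not an exact pin is reported for manual review rather than evaluated.

```python
import re
from importlib import metadata

# Only the two PyPI releases named in the article; extend from a full advisory.
COMPROMISED = {"guardrails-ai": {"0.10.1"}, "mistralai": {"2.4.6"}}

# name, optional [extras], then the specifier up to a marker, comment or "\"
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#\\]*)")

def normalize(name):
    """PEP 503 form, so Guardrails_AI and guardrails.ai both match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_compromised(name, version):
    return version in COMPROMISED.get(normalize(name), set())

def audit_requirements(text):
    """Return (line_no, package, status) for lines naming a listed package."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = REQ.match(raw.strip())
        if not m or normalize(m.group(1)) not in COMPROMISED:
            continue
        name, spec = normalize(m.group(1)), m.group(2).replace(" ", "")
        pin = re.fullmatch(r"===?([^,*]+)", spec)
        if pin is None:
            # Not an exact pin: the resolver may have picked the bad release.
            findings.append((no, name, "unpinned: check installed version"))
        elif is_compromised(name, pin.group(1)):
            findings.append((no, name, "COMPROMISED pin " + pin.group(1)))
    return findings

def audit_installed():
    """Check the distributions visible to this interpreter."""
    hits = []
    for dist in metadata.distributions():
        meta = dist.metadata
        name, version = (meta.get("Name"), meta.get("Version")) if meta else (None, None)
        if name and version and is_compromised(name, version):
            hits.append((normalize(name), version))
    return hits

# Constructed sample lock file (not from the article).
SAMPLE = """\
Guardrails_AI==0.10.1
mistralai[gcp]>=2.0 ; python_version >= "3.9"
mistralai==2.4.5
# mistralai==2.4.6 appears only in a comment
"""
```

Run audit_requirements() over each requirements or lock file in a repository and audit_installed() inside each virtual environment or build image; a hit from either means the host falls under the credential rotation steps above.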