Skip to content

Mini Shai-Hulud Supply Chain Attack Compromises 170+ npm Packages Including TanStack and Mistral AI

SecurityWeek · Story 2 of 6

A sophisticated supply chain attack dubbed Mini Shai-Hulud has compromised over 170 packages across the npm and PyPI ecosystems, marking one of the most significant supply chain incidents in recent memory. The hacking group TeamPCP orchestrated the campaign, publishing over 400 malicious package versions within a five-hour window on May 11, 2026.

The attack hit 42 TanStack packages (with millions of weekly downloads), 65 UiPath packages, Mistral AI's core SDK across three distribution channels (core, Azure, GCP), the OpenSearch JavaScript client, over a dozen Squawk packages, and the Guardrails AI PyPI package.

What makes this attack particularly alarming is how the attackers chained three known vulnerability classes: a pull_request_target 'Pwn Request' misconfiguration, GitHub Actions cache poisoning across fork-to-base trust boundaries, and runtime memory extraction of OIDC tokens from GitHub Actions runner processes. This allowed them to produce packages with valid SLSA provenance certificates, making malicious versions indistinguishable from legitimate ones.

The payload is a multi-stage credential stealer that sweeps environment variables, API keys, cloud credentials, cryptocurrency wallets, and for the first time, targets password managers including 1Password and Bitwarden. The worm propagates autonomously by using stolen tokens to publish malicious versions of packages the victim has write access to. It also installs a persistent daemon polling GitHub every minute.

Notably, the malware checks system language and avoids infecting Russian users. On systems with Israel or Iran locales, it attempts to play an MP3 at full volume and delete files on the system. Stolen credentials are exfiltrated through three channels including the decentralized Session network, making takedown significantly harder.

OpenAI confirmed it was affected through the TanStack supply chain. TeamPCP is also selling 450 stolen Mistral AI repositories for $25,000. Developers are urged to audit dependencies, rotate credentials, and review GitHub Actions OIDC configurations.

Analysis
Live

This attack demonstrates that provenance signing alone is insufficient for supply chain security. The attackers weaponized trusted build pipelines themselves. Every developer using TanStack, Mistral AI, or UiPath packages from May 11 should assume their CI/CD credentials are compromised and rotate immediately.

Frequently Asked Questions
How do I check if my project was affected by the Mini Shai-Hulud attack?

Check your package-lock.json or node_modules for versions of TanStack, Mistral AI, UiPath, OpenSearch, or Squawk packages published on or after May 11, 2026. Compare version numbers against the maintainers' advisories. If compromised versions are found, rotate all CI/CD credentials, API keys, and secrets immediately.