TeamPCP, the group responsible for a recent wave of supply chain attacks, has been connected to the tampering of npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a new Mini Shai-Hulud campaign.
The compromised npm packages were altered to contain a hidden JavaScript file (“router_init.js”) that profiles the system it runs on and activates a powerful credential stealer. This stealer targets cloud services, cryptocurrency wallets, AI tools, messaging platforms, and CI/CD systems like GitHub Actions. Multiple security firms—including Aikido Security, Endor Labs, SafeDep, Socket, StepSecurity, and Snyk—report that stolen data is sent to the domain “filev2.getsession[.]org.”
Attackers chose the Session Protocol infrastructure intentionally to avoid detection, since this domain belongs to a decentralized, privacy-focused messaging service and is unlikely to be blocked in corporate networks. As a backup method, encrypted stolen data is pushed to attacker-controlled GitHub repositories under the username “claude@users.noreply.github.com” using the GitHub GraphQL API with hijacked GitHub tokens.
The malware also sets up persistence mechanisms in Claude Code and Microsoft Visual Studio Code (VS Code), ensuring the stealer runs every time these development tools are opened, even after system restarts.
Additionally, it installs a “gh-token-monitor” service to continuously track and re-exfiltrate GitHub tokens, and injects two rogue GitHub Actions workflows that collect repository secrets, package them into JSON, and upload them to an external server (“api.masscan[.]cloud”).
Unlike the earlier SAP wave—where compromised packages used a preinstall hook to trigger the infection—the latest TanStack cluster uses a different tactic. It includes a JavaScript file inside the package tarball and adds an optional dependency pointing to a GitHub-hosted package. That GitHub dependency contains a “prepare” lifecycle hook that runs the JavaScript payload using the Bun runtime.
The Mistral AI package modifications, however, follow the earlier method: the contents of the “package.json” file are replaced with a preinstall hook that calls “node setup.mjs,” which downloads Bun and executes the same malicious JavaScript code.
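The two delivery patterns above (a git-hosted optional dependency whose “prepare” hook launches the payload, and a preinstall hook calling “node setup.mjs”) can be screened for in an unpacked package before it is installed. The following is an added example, not code from the article or from any of the vendors cited; the function name `auditPackage`, the rule names and all sample manifests are hypothetical, and the checks are heuristics that will also flag some legitimate packages.

```javascript
// Added example (not from the original article): heuristic audit of an
// unpacked npm package for the two delivery patterns described above.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Specifiers that resolve to a git host instead of the npm registry.
const GIT_SPEC = /^(github:|git\+|git:\/\/|https?:\/\/github\.com\/|[\w.-]+\/[\w.-]+(#.*)?$)/i;

function auditPackage(manifest, files = []) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ rule: "install-hook", detail: `${hook}: ${cmd}` });
    // Named in the article: "node setup.mjs" and the Bun runtime.
    if (/\bsetup\.mjs\b|\bbun\b/i.test(cmd)) {
      findings.push({ rule: "hook-runs-loader", detail: `${hook}: ${cmd}` });
    }
  }
  // npm runs "prepare" when installing git dependencies, so a git-hosted
  // optional dependency is a way to get a hook executed at install time.
  for (const [name, spec] of Object.entries(manifest.optionalDependencies || {})) {
    if (GIT_SPEC.test(String(spec))) {
      findings.push({ rule: "git-optional-dependency", detail: `${name} -> ${spec}` });
    }
  }
  for (const f of files) {
    if (/(^|\/)router_init\.js$/.test(f)) {
      findings.push({ rule: "known-payload-filename", detail: f });
    }
  }
  return findings;
}

// Constructed samples; package names and the git reference are placeholders.
const samples = {
  tarballWithGitDep: {
    name: "example-router",
    optionalDependencies: { "example-helper": "github:example-org/example-helper#0123abc" },
  },
  gitHostedDep: { name: "example-helper", scripts: { prepare: "bun run router_init.js" } },
  preinstallLoader: { name: "example-sdk", scripts: { preinstall: "node setup.mjs" } },
  clean: { name: "example-lib", scripts: { test: "node --test" }, dependencies: { "example-dep": "^1.3.0" } },
};
const rules = (m, files) => auditPackage(m, files).map((f) => f.rule);
console.log(rules(samples.tarballWithGitDep, ["package/router_init.js"]));
```

Run it over the parsed `package.json` and file listing of each tarball in a dependency tree; installing with lifecycle scripts disabled keeps any flagged hook from executing while findings are reviewed.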
TanStack has traced the breach to a multi-step GitHub Actions attack involving the “pull_request_target” trigger, GitHub Actions cache poisoning, and runtime extraction of an OIDC token from the GitHub Actions runner process. “No npm tokens were stolen, and the npm publish workflow itself was not compromised,” TanStack stated.

Specifically, attackers are believed to have placed the malicious code in a GitHub fork via an orphaned commit, embedded it into published npm tarballs, and then hijacked the project’s legitimate “TanStack/router” workflow to release the tampered versions with valid SLSA provenance.
This attack is notable because it exploits trusted publishing: attacker-controlled code running inside a workflow can use its OIDC permissions to generate a short-lived publish token during the build and use it to publish packages without ever stealing an npm token.
What makes this worm particularly dangerous is its ability to spread to other packages by finding a publishable npm token with “bypass_2fa” set to true, listing all packages published by the same maintainer, and swapping a GitHub OIDC token for a per-package publish token—completely bypassing traditional authentication.
“The orphaned commit also triggered a GitHub Actions workflow run against the legitimate TanStack/router workflow surface,” said Endor Labs researcher Peyton Kennedy. “Because the repository’s OIDC trusted publisher configuration granted trust at the repository level—rather than being scoped to a specific protected branch and workflow file—the workflow run triggered by that commit was able to request a valid short-lived npm publish token.”
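The scoping difference described in that statement, shown as an added example that is not part of the article and does not reproduce npm's own trusted publisher logic: a relying party that only matches the repository accepts a token from any workflow run in it, while one that also pins a protected branch and workflow file does not. `repository`, `ref`, `ref_protected` and `workflow_ref` are GitHub Actions OIDC claim names; `evaluateTrust`, the policy shape and every value below are hypothetical.

```javascript
// Added example (not from the article or from npm): how a relying party's
// policy decides which GitHub Actions OIDC tokens may mint a publish token.
// Assumes signature, issuer and audience were verified before this step.
function evaluateTrust(policy, claims) {
  const reasons = [];
  if (claims.repository !== policy.repository) reasons.push("repository mismatch");
  if (policy.ref) {
    if (claims.ref !== policy.ref) reasons.push("ref not allowed");
    // GitHub sends ref_protected as the string "true" or "false".
    if (String(claims.ref_protected) !== "true") reasons.push("ref not protected");
  }
  if (policy.workflowFile) {
    // workflow_ref: "<owner>/<repo>/.github/workflows/<file>@<ref>"
    const [path, ref] = String(claims.workflow_ref || "").split("@");
    const wantPath = `${policy.repository}/.github/workflows/${policy.workflowFile}`;
    if (path !== wantPath) reasons.push("workflow file mismatch");
    if (policy.ref && ref !== policy.ref) reasons.push("workflow ref mismatch");
  }
  return { allowed: reasons.length === 0, reasons };
}

// Hypothetical policies: repository-wide trust vs. branch + workflow scoping.
const repoLevel = { repository: "example-org/router" };
const scoped = { ...repoLevel, ref: "refs/heads/main", workflowFile: "release.yml" };

// Constructed claim sets (not taken from the incident).
const releaseRun = {
  repository: "example-org/router", ref: "refs/heads/main", ref_protected: "true",
  workflow_ref: "example-org/router/.github/workflows/release.yml@refs/heads/main",
};
const offBranchRun = {
  repository: "example-org/router", ref: "refs/heads/scratch", ref_protected: "false",
  workflow_ref: "example-org/router/.github/workflows/release.yml@refs/heads/scratch",
};

console.log(evaluateTrust(repoLevel, offBranchRun)); // allowed
console.log(evaluateTrust(scoped, offBranchRun));    // denied
```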
The TanStack supply chain breach has been assigned CVE-2026-45321, with a CVSS score of 9.6 out of 10.0, indicating critical severity. The incident impacted 42 packages and 84 versions across the TanStack ecosystem.
“The attack published malicious versions through the project’s own GitHub Actions release pipeline using hijacked OIDC tokens,” said StepSecurity researcher Ashish Kurmi.
“In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations—making this the first documented npm worm that produces validly attested malicious packages. The worm has since spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers.”
Besides TanStack, the Mini Shai-Hulud campaign has also infected several other packages, including some on PyPI:
- guardrails-ai@0.10.1 (PyPI)
- mistralai@2.4.6 (PyPI)
- @opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, and 3.8.0
- @squawk/mcp@0.9.5
- @squawk/weather@0.5.10
- @squawk/flightplan@0.5.6
- @tallyui/connector-medusa@1.0.1, 1.0.2, and 1.0.3
- @tallyui/connector-vendure@1.0.1, 1.0.2, and 1.0.3

According to OX Security data, the incident has impacted over 170 packages across npm and PyPI, with more than 518 million cumulative downloads. At least 400 repositories containing stolen credentials were created during the attack wave. All of these repositories include the string “Shai-Hulud: Here We Go Again.”

Microsoft’s analysis of the malicious mistralai PyPI package revealed it is designed to download a credential stealer from a remote server (“83.142.209[.]194”). This stealer includes country-aware logic to avoid Russian-language systems and a “geofenced destructive branch” that has a 1-in-6 chance of executing “rm -rf /” when the system appears to be located in Israel or Iran.
“The guardrails-ai@0.10.1 compromise is especially concerning because the malicious code runs immediately upon import,” Socket noted. “The package checks for Linux systems, downloads a remote Python artifact, writes it to /tmp/transformers.pyz, and executes it with python3—all without any integrity verification.”
“This latest activity demonstrates the campaign continues to spread across both npm and PyPI, with affected packages spanning search infrastructure, AI tooling, aviation-related developer packages, enterprise automation, frontend tooling, and CI/CD-adjacent ecosystems.”



