Technical description
The TeamPCP threat group deployed a self-propagating credential-stealing worm ('Mini Shai-Hulud') that compromised 170+ npm and PyPI packages on May 11, 2026. Affected ecosystems include: (1) TanStack (42 packages, incl. React Router with 12M+ weekly downloads), (2) UiPath (65 packages), (3) Mistral AI SDK (npm and PyPI), (4) Guardrails AI (PyPI), (5) OpenSearch JavaScript client, (6) Squawk packages (87 namespaces). The malware propagated via GitHub Actions workflow exploitation (pull_request_target abuse), bypassed two-factor authentication using OIDC token scraping, and embedded itself in developer tool configurations (.vscode, .claude).
Attack vector
Supply chain compromise via CI/CD pipeline hijacking. The attackers: (1) exploit overly permissive pull_request_target GitHub Actions workflows, (2) steal short-lived OIDC tokens for npm publishing, (3) inject malware into package code, (4) self-propagate by stealing credentials and publishing to downstream projects, (5) persist via developer tool config files (.vscode, .claude folders), (6) exfiltrate credentials via an anonymous messaging app (Session) to avoid detection.
Affected systems
Primarily JavaScript/Node.js and Python development ecosystems; affects downstream enterprises using React (via TanStack Router), UiPath RPA, Mistral AI integrations, and Guardrails AI model monitoring. Estimated impact: hundreds of thousands of developers; developers are advised to revoke all connected credentials (AWS, Google Cloud, GitHub, Kubernetes, HashiCorp Vault).
Mitigation
Immediate: (1) revoke all npm and GitHub tokens, AWS/GCP credentials, Kubernetes service accounts, and SSH keys touched by developers who downloaded affected packages on May 11; (2) audit .vscode and .claude configuration files for unauthorized entries; (3) scan package-lock.json and requirements.txt files for compromised versions; (4) require approval for pull_request_target workflows; (5) enforce short-lived OIDC tokens with minimal scope. Medium-term: (1) adopt Software Bill of Materials (SBOM) scanning and signed artifacts; (2) use package provenance features (e.g., npm provenance) to verify publisher identity; (3) implement repository-level access controls and dependency pinning; (4) monitor for extortion threats (the malware includes a dead-man's-switch that threatens to wipe home directories if victims revoke tokens).
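To support mitigation steps (4) and (5) and the attack vector described above, the following added example (not part of the original advisory and not code from any affected project) is a heuristic, standard-library-only audit that flags workflows combining the pull_request_target trigger, a reference to the pull request's head, and permission to obtain an OIDC token. The function names, finding codes and sample workflow are assumptions constructed for illustration.

```python
import re
from pathlib import Path

TRIGGER = re.compile(r"\bpull_request_target\b")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.")  # PR-controlled ref/sha/repo
OIDC = re.compile(r"^\s*(id-token\s*:\s*write|permissions\s*:\s*write-all)\b", re.M)
PERMS = re.compile(r"^\s*permissions\s*:", re.M)

def audit_workflow(text):
    """Return finding codes for one workflow file (heuristic, line-based)."""
    # Drop YAML comments so a commented-out trigger is not reported.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    if not TRIGGER.search(body):
        return []
    findings = ["pull_request_target"]
    if PR_HEAD.search(body):
        findings.append("references-pr-head")        # untrusted PR content is used
    if OIDC.search(body):
        findings.append("oidc-token-available")      # job can request an OIDC token
    if not PERMS.search(body):
        findings.append("no-explicit-permissions")   # token scope left to repo defaults
    return findings

def severity(findings):
    """High when PR-controlled content meets a job that can obtain an OIDC token."""
    if {"references-pr-head", "oidc-token-available"} <= set(findings):
        return "high"
    return "review" if findings else "ok"

def scan_repo(root):
    """Audit every workflow under <root>/.github/workflows."""
    files = sorted(Path(root).glob(".github/workflows/*.y*ml"))
    return {str(p): audit_workflow(p.read_text(encoding="utf-8")) for p in files}

# Constructed sample workflow (not taken from any affected project).
SAMPLE_RISKY = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
"""
```

Run `scan_repo(".")` from a repository root and triage "high" results first; "review" results still use pull_request_target and deserve a manual check of their permissions block.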