Mini Shai-Hulud Strikes Again: Supply Chain Attack Compromises TanStack, UiPath, and Mistral AI Packages
A sophisticated supply chain attack, dubbed 'Mini Shai-Hulud,' has compromised numerous **npm** and **PyPI** packages, including those from **TanStack**, **UiPath**, **Mistral AI**, **OpenSearch**, and **Guardrails AI**. The attack, attributed to threat actor **TeamPCP**, leverages hijacked GitHub Actions and OIDC tokens to distribute malware and steal sensitive credentials.

**TeamPCP**'s latest campaign, dubbed Mini Shai-Hulud, showcases an evolution in supply chain attack tactics, impacting the integrity of software development ecosystems.
### Credential Stealing and Evasion Techniques
The compromised **npm** packages have been modified to include an obfuscated JavaScript file ("router_init.js"). This malicious script profiles the execution environment and deploys a comprehensive credential stealer. The stealer targets cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems like GitHub Actions. Reports from **Aikido Security**, **Endor Labs**, **SafeDep**, **Socket**, **StepSecurity**, and **Snyk** detail the attack, noting that exfiltrated data is sent to "filev2.getsession[.]org".
The attackers are using Session Protocol infrastructure, likely to evade detection by blending in with legitimate traffic from the privacy-focused messaging service. As a backup, the encrypted data is also committed to attacker-controlled repositories under the author name "[email protected]" via the GitHub GraphQL API, using stolen GitHub tokens.
### Persistence and Lateral Movement
The malware demonstrates persistence by establishing hooks in **Claude Code** and **Microsoft Visual Studio Code** (**VS Code**), ensuring the stealer re-executes on every launch of the IDEs. A `gh-token-monitor` service is installed to continuously monitor and re-exfiltrate GitHub tokens. Furthermore, malicious GitHub Actions workflows are injected to serialize repository secrets into a JSON object and upload the data to an external server ("api.masscan[.]cloud").
### Evolving Infection Vectors
Unlike previous attacks targeting **SAP** packages, this campaign employs a new strategy. Instead of preinstall hooks, the malicious JavaScript file is included within the package tarball, along with an optional dependency pointing to a GitHub-hosted package. This GitHub dependency contains a `prepare` lifecycle hook that executes the JavaScript payload using the **Bun** runtime.
For **Mistral AI** packages, the attack reverts to the earlier approach, replacing the contents of the `package.json` file with a preinstall hook to invoke `node setup.mjs`, which downloads **Bun** and runs the same JavaScript malware.
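
A manifest audit for the two install-time vectors described above, written as an added example (not code from the article or from any affected project). The sample manifests, the `example-*` names and the `bun run router_init.js` command line are constructed for illustration; only `node setup.mjs` and the hook names come from the text.

```javascript
// Lifecycle scripts that npm runs automatically during an install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Dependency specifiers that npm resolves from a git host rather than the registry.
const GIT_SPEC = /^(github:|git\+|git:\/\/|https?:\/\/github\.com\/)|^[\w.-]+\/[\w.-]+(#.+)?$/i;
const DEP_FIELDS = ["dependencies", "optionalDependencies", "devDependencies"];

// Takes a parsed package.json object and returns a list of findings to review.
function auditManifest(pkg) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts?.[hook];
    if (typeof cmd !== "string") continue;
    // A hook that launches a script file or the Bun runtime deserves a manual look.
    const high = /\bbun\b/i.test(cmd) || /\bnode\s+\S+\.(mjs|cjs|js)\b/i.test(cmd);
    findings.push({ kind: "install-hook", where: hook, value: cmd,
      severity: high ? "high" : "review" });
  }
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (typeof spec !== "string" || !GIT_SPEC.test(spec)) continue;
      // Git-hosted packages run their own `prepare` script when npm installs them.
      findings.push({ kind: "git-dependency", where: `${field}.${name}`, value: spec,
        severity: field === "optionalDependencies" ? "high" : "review" });
    }
  }
  return findings;
}

// Constructed samples (not the real malicious manifests).
const SAMPLE_GIT_OPTIONAL = {
  name: "example-pkg",
  optionalDependencies: { "example-helper": "github:example-org/example-helper#0000000" },
};
const SAMPLE_PREPARE_HOOK = {
  name: "example-helper",
  scripts: { prepare: "bun run router_init.js" },
};
const SAMPLE_PREINSTALL = { name: "example-sdk", scripts: { preinstall: "node setup.mjs" } };
const SAMPLE_BENIGN = {
  name: "example-lib",
  scripts: { build: "tsc", test: "vitest run" },
  dependencies: { "left-pad": "^1.3.0" },
  devDependencies: { "@types/node": "^20.0.0" },
};

for (const m of [SAMPLE_GIT_OPTIONAL, SAMPLE_PREPARE_HOOK, SAMPLE_PREINSTALL, SAMPLE_BENIGN]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

Run it over every `package.json` under `node_modules` as well as the top-level manifest, since in the first variant the hook sits in the git-hosted dependency rather than in the registry package.
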
### CVE-2026-45321: Critical Vulnerability in TanStack
The **TanStack** supply chain compromise is tracked as **CVE-2026-45321**, with a critical CVSS score of 9.6 out of 10.0. The incident has impacted 42 packages and 84 versions across the **TanStack** ecosystem.
**TanStack** traced the compromise to a chained GitHub Actions attack involving the `pull_request_target` trigger, GitHub Actions cache poisoning, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. According to **TanStack**, no **npm** tokens were stolen, and the **npm** publish workflow itself was not directly compromised.

**StepSecurity** researcher Ashish Kurmi highlighted that the malicious versions were published through the project's own GitHub Actions release pipeline using hijacked OIDC tokens. Notably, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm to produce validly attested malicious packages. The worm has since spread beyond **TanStack** to packages from **UiPath**, DraftLab, and other maintainers.
### Abusing Trusted Publishing and OIDC Tokens
The attack leverages trusted publishing, enabling attacker-controlled code running within a workflow to use its OIDC permissions to mint a short-lived publish token during the build and use it to publish the packages without needing to steal an **npm** token. The worm spreads by locating a publishable **npm** token with `bypass_2fa` set to true, enumerating packages published by the same maintainer, and exchanging a GitHub OIDC token for a per-package publish token.
**Endor Labs** researcher Peyton Kennedy explained that the orphaned commit triggered a GitHub Actions workflow run against the legitimate **TanStack/router** workflow surface. Because the repository's OIDC trusted publisher configuration granted trust at the repository level rather than scoped to a specific protected branch and workflow file, the workflow run triggered by that commit could request a valid short-lived **npm** publish token.
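
The difference between repository-level trust and trust scoped to a protected branch and workflow file, as an added example (not npm's validation logic and not code from the article). The claim names (`repository`, `ref`, `ref_protected`, `workflow_ref`) are those GitHub places in Actions OIDC tokens; the repository, branch and `release.yml` names are constructed placeholders, and the token's signature, issuer and audience are assumed to have been verified already.

```javascript
// Evaluate already-verified OIDC claims against a trusted-publisher policy.
function evaluateClaims(policy, claims) {
  const reasons = [];
  if (claims.repository !== policy.repository) reasons.push("repository");
  if (policy.ref && claims.ref !== policy.ref) reasons.push("ref");
  // GitHub encodes ref_protected as the string "true" or "false".
  if (policy.requireProtectedRef && claims.ref_protected !== "true") reasons.push("ref_protected");
  if (policy.workflowRef && claims.workflow_ref !== policy.workflowRef) reasons.push("workflow_ref");
  return { allowed: reasons.length === 0, reasons };
}

const REPO = "example-org/example-repo"; // constructed placeholder
const WORKFLOW = `${REPO}/.github/workflows/release.yml`; // hypothetical workflow file

// Weak: any workflow run in the repository can obtain a publish token.
const REPO_LEVEL_POLICY = { repository: REPO };
// Scoped: only the release workflow as it exists on the protected main branch.
const SCOPED_POLICY = {
  repository: REPO,
  ref: "refs/heads/main",
  requireProtectedRef: true,
  workflowRef: `${WORKFLOW}@refs/heads/main`,
};

// Constructed claim sets: a normal release run, and a run started from a
// commit that is not on the protected branch.
const RELEASE_RUN = {
  repository: REPO, ref: "refs/heads/main", ref_protected: "true",
  workflow_ref: `${WORKFLOW}@refs/heads/main`, event_name: "push",
};
const OFF_BRANCH_RUN = {
  repository: REPO, ref: "refs/heads/unreviewed-example", ref_protected: "false",
  workflow_ref: `${WORKFLOW}@refs/heads/unreviewed-example`, event_name: "push",
};

// Returns, for each run, whether each policy would issue a publish token.
function comparePolicies() {
  return [RELEASE_RUN, OFF_BRANCH_RUN].map((claims) => ({
    ref: claims.ref,
    repoLevel: evaluateClaims(REPO_LEVEL_POLICY, claims).allowed,
    scoped: evaluateClaims(SCOPED_POLICY, claims).allowed,
  }));
}

console.log(comparePolicies());
```
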
### Dead-Man's Switch and Destructive Payload
A new tactic introduced in the obfuscated JavaScript malware is the installation of a dead-man's switch. This switch uses a shell script to periodically check if an **npm** token created by the malware is revoked by polling the `api.github.com/user` endpoint every 60 seconds. The token is described as "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner."
If the developer revokes the token from their **npm** dashboard, the script triggers a destructive routine that executes `rm -rf ~/` on the infected machine, effectively turning it into wiper malware. Developers are advised not to revoke the **npm** tokens before isolating and imaging the system.
### Broader Implications and Defense Strategies
**Upwind** security research lead Avital Harel emphasized that this campaign reflects a shift in supply chain attacks toward identity-driven propagation through trusted CI/CD infrastructure. With attackers gaining access to publishing workflows and pipeline identities, the software delivery process becomes the distribution mechanism. Defending against this requires enhanced behavioral visibility during installs and builds.
### Impacted Packages
Besides **TanStack**, the Mini Shai-Hulud campaign has spread to the following packages:
* [email protected] (PyPI)
* [email protected] (PyPI)
* @opensearch-project/[email protected], 3.6.2, 3.7.0, and 3.8.0
* @squawk/[email protected]
* @squawk/[email protected]
* @squawk/[email protected]
* @tallyui/[email protected], 1.0.2, and 1.0.3
* @tallyui/[email protected], 1.0.2, and 1.0.3

**OX Security** reports that the incident has affected over 170 packages spanning both the **npm** and **PyPI** registries, with more than 518 million cumulative downloads. Over 400 repositories with stolen credentials have been created as part of the attack wave, all containing the string "Shai-Hulud: Here We Go Again."

**Google**-owned Wiz reported that the payload also exfiltrates stolen credentials via a third redundant channel.