Executive Summary
A critical and highly sophisticated supply chain attack campaign, identified as Shai-Hulud (also referred to as "Mini Shai-Hulud"), has compromised over 100 packages in the NPM and PyPI ecosystems. This campaign, attributed to the TeamPCP threat group, leverages hijacked CI/CD secrets to propagate a self-replicating worm that exfiltrates credentials and secrets and installs persistent malware on both developer endpoints and CI environments. The attack is distinguished by its technical complexity, including the use of valid SLSA Build Level 3 provenance, advanced memory scraping, multi-layered obfuscation, and destructive capabilities. High-profile projects such as TanStack, UiPath, and DraftLab are among those affected. The campaign demonstrates a new level of automation and reach in software supply chain attacks, posing a severe risk to organizations and developers globally.
Threat Actor Profile
The Shai-Hulud campaign is attributed to the TeamPCP threat group, a highly capable adversary with a history of targeting open-source software supply chains. The group demonstrates deep technical expertise in CI/CD exploitation, credential harvesting, and malware obfuscation. Their operational security is notable: they use Dune-themed commit messages and branches and leverage legitimate build pipelines to sign malicious packages with valid provenance. The attacker’s infrastructure includes the voicproducoes GitHub account (ID: 269549300), and they have shown a willingness to escalate to destructive actions, as evidenced by the inclusion of a ransomware-like wipe routine triggered by npm token revocation.
Technical Analysis of Malware/TTPs
The Shai-Hulud attack chain begins with the compromise of a maintainer’s CI/CD environment, typically via hijacked OIDC tokens in GitHub Actions. The attacker forks legitimate repositories (such as TanStack/router), injects a malicious payload (notably tanstack_runner.js or router_init.js), and publishes a trojanized package (e.g., @tanstack/setup) using the victim’s own pipeline. The worm then executes a multi-stage payload with the following capabilities:
The malware scrapes the memory of the GitHub Actions runner process (/proc/{pid}/mem) to extract all secrets, including those masked by the CI system. It targets over 100 file paths for credential harvesting, including cloud provider keys, SSH keys, developer tool tokens, AI tool credentials, cryptocurrency wallets, VPN configurations, and messaging app secrets. The worm then enumerates all packages controlled by the compromised maintainer and autonomously publishes infected versions, enabling rapid, exponential propagation across the ecosystem.
Persistence is achieved by installing hooks in popular IDEs (such as VS Code and Claude Code) and by creating OS-level services (using systemd on Linux and LaunchAgents on macOS). The malware exfiltrates data via encrypted channels to Session Protocol CDN endpoints (notably filev2.getsession.org) and through the GitHub GraphQL API using dead-drop commits. The payload is heavily obfuscated, employing three layers: an obfuscator.io string table, a custom cipher, and AES-256-GCM encryption, with the final payload requiring the Bun runtime for decryption and execution.
A unique and dangerous feature is the creation of npm tokens with the description IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner. If these tokens are revoked, the malware triggers a destructive wipe routine, effectively acting as ransomware.
Exploitation in the Wild
The campaign has resulted in the publication of at least 84 malicious versions across 42 TanStack packages, with similar propagation observed in UiPath, DraftLab, and other projects. On PyPI, packages such as mistralai (2.4.6) and guardrails-ai (0.10.1) have been confirmed as compromised. All secrets present in affected CI/CD workflows—including npm, GitHub, and cloud provider tokens—are considered compromised. Developer machines that executed npm install or similar commands with infected packages are at high risk of persistent compromise and credential theft. The campaign’s worm-like propagation has enabled it to rapidly infect a broad swath of the open-source ecosystem, with global impact across software development, DevOps, cloud infrastructure, AI/ML, and cryptocurrency sectors.
Victimology and Targeting
The Shai-Hulud campaign targets organizations and individuals involved in software development, particularly those relying on open-source packages from NPM and PyPI. The attack is indiscriminate in its propagation, but the highest risk is to maintainers of popular packages, CI/CD environments, and developer endpoints with access to sensitive credentials. The campaign has affected organizations and developers globally, with a concentration in the US, EU, and APAC regions due to the widespread use of the compromised packages. Sectors most at risk include cloud infrastructure, DevOps, AI/ML, and cryptocurrency, as the malware specifically targets credentials and secrets associated with these domains.
Mitigation and Countermeasures
Immediate action is required to contain and remediate the Shai-Hulud supply chain attack. Organizations should audit all dependencies for the presence of compromised package versions (see the complete list below and monitor the StepSecurity OSS Security Feed for updates). Search for the presence of router_init.js or similar artifacts in node_modules and lockfiles. Downgrade to the last known safe versions and perform a clean reinstall of all dependencies.
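One way to run the dependency audit described above, as an added example that is not code from Rescana or the affected projects: it checks npm lockfiles (v2/v3 packages map, including aliased installs) and pip requirement pins against only the releases this advisory names. Treating every version of @tanstack/setup as suspect is an assumption, and the list must be extended from the vendor feeds before real use.

```python
import json
import re
from pathlib import Path

# Only the releases this advisory names; extend from the feeds it cites.
# Assumption: None means "flag every version" (used for the trojanized package).
BAD_NPM = {"@tanstack/setup": None}
BAD_PYPI = {"mistralai": {"2.4.6"}, "guardrails-ai": {"0.10.1"}}
# name, optional [extras], then an exact "==" pin; stops at markers and comments.
PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)")


def audit_package_lock(text):
    """Return (name, version, lock_key) for flagged entries in a v2/v3 lockfile."""
    hits = []
    for key, meta in json.loads(text).get("packages", {}).items():
        # Aliased installs carry the real name in "name"; otherwise use the path.
        name = meta.get("name") or key.rpartition("node_modules/")[2]
        bad = BAD_NPM.get(name, set())
        if bad is None or meta.get("version") in bad:
            hits.append((name, meta.get("version"), key))
    return hits


def audit_requirements(text):
    """Return (normalized_name, version) for flagged exact pins."""
    hits = []
    for line in text.splitlines():
        match = PIN.match(line)
        if match:
            # PEP 503 normalization: guardrails_ai and Guardrails.AI are one name.
            name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
            if match.group(2) in BAD_PYPI.get(name, ()):
                hits.append((name, match.group(2)))
    return hits


if __name__ == "__main__":
    for lock in Path(".").rglob("package-lock.json"):
        for hit in audit_package_lock(lock.read_text()):
            print(lock, *hit)
    for req in Path(".").rglob("requirements*.txt"):
        for hit in audit_requirements(req.read_text()):
            print(req, *hit)
```

Unpinned or range requirements are not reported, so resolve them against the installed environment before treating a clean result as final.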
All secrets (npm, GitHub, cloud, SSH, etc.) on any system or CI runner that installed compromised packages must be rotated immediately. Do not revoke npm tokens with the ransom description before isolating and imaging the affected machine, as this may trigger destructive actions.
Persistence mechanisms must be removed by deleting .claude/settings.json, .vscode/tasks.json, .claude/router_runtime.js, .claude/setup.mjs, .vscode/setup.mjs, and any OS-level services such as ~/Library/LaunchAgents/com.user.gh-token-monitor.plist (macOS) or ~/.config/systemd/user/gh-token-monitor.service (Linux). Audit GitHub Actions workflows for injected codeql_analysis.yml files and review logs for suspicious activity, including outbound connections to known C2 domains (api.masscan.cloud, filev2.getsession.org, git-tanstack.com, seed1.getsession.org).
Network-level blocking of C2 domains is recommended. Monitor for commits or branches with Dune-themed names and for activity by claude@users.noreply.github.com. Employ endpoint detection and response (EDR) solutions capable of identifying memory scraping and unauthorized credential access.
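The on-disk and DNS indicators listed in the two paragraphs above, turned into a triage check; this is an added example, not tooling from Rescana or the affected projects. It assumes the injected IDE hooks mention a dropped script by name, so .claude/settings.json and .vscode/tasks.json (which also exist on clean machines) are rated "review" unless they do, and the hostname list passed to c2_hits is whatever your DNS or proxy logs yield.

```python
from pathlib import Path

# Files the advisory lists, relative to a home directory or repository root.
DROPPED = [".claude/router_runtime.js", ".claude/setup.mjs", ".vscode/setup.mjs",
           "Library/LaunchAgents/com.user.gh-token-monitor.plist",
           ".config/systemd/user/gh-token-monitor.service"]
# These two also exist on clean machines: "review" unless they mention a dropped
# script (assumption: the injected hook calls one of them by name).
SHARED = [".claude/settings.json", ".vscode/tasks.json"]
HOOK_MARKERS = ("setup.mjs", "router_runtime.js")
PAYLOAD_NAMES = {"router_init.js", "tanstack_runner.js"}
C2_DOMAINS = ("api.masscan.cloud", "filev2.getsession.org",
              "git-tanstack.com", "seed1.getsession.org")


def scan_root(root):
    """Return sorted (severity, relative_path) findings under root."""
    root, findings = Path(root), set()
    for rel in DROPPED:
        if (root / rel).is_file():
            findings.add(("high", rel))
    for rel in SHARED:
        if (root / rel).is_file():
            text = (root / rel).read_text(errors="replace")
            hooked = any(marker in text for marker in HOOK_MARKERS)
            findings.add(("high" if hooked else "review", rel))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        relp = path.relative_to(root)
        if path.name in PAYLOAD_NAMES and "node_modules" in relp.parts:
            findings.add(("high", relp.as_posix()))
        elif (path.name == "codeql_analysis.yml"
              and path.parent.parts[-2:] == (".github", "workflows")):
            findings.add(("review", relp.as_posix()))  # confirm it was injected
    return sorted(findings)


def c2_hits(hostnames):
    """Return queried names equal to, or subdomains of, a listed domain."""
    hits = []
    for name in hostnames:
        host = name.strip().rstrip(".").lower()
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append(host)
    return hits
```

Run scan_root against each user's home directory and each checked-out repository, and image the machine before deleting anything it reports.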
References
StepSecurity: Mini Shai-Hulud Is Back
Expel: Mini Shai-Hulud Cross-Ecosystem Supply Chain Worm
OX Security: Shai-Hulud Malware Hits 170+ npm & PyPi Packages
Orca Security: TanStack & 160+ npm Packages Compromised
NHS Digital Cyber Alert CC-4781
FalconFeeds: Shai-Hulud Analysis
Trend Micro: NPM Supply Chain Attack
Arctic Wolf: Mini Shai-Hulud Supply Chain Malware Attack
GitHub Issue #7383 (TanStack)
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their supply chain. Our advanced automation and threat intelligence capabilities empower security teams to proactively identify and respond to emerging threats in the software ecosystem. For more information or to discuss your organization’s exposure to supply chain attacks, we are happy to answer questions at ops@rescana.com.


