Mini Shai-Hulud Worm Threatens TanStack, Mistral AI, Guardrails AI and Other Packages

TeamPCP, the threat actor behind the latest supply chain attack spree, has been linked to the compromise of npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of the new Mini Shai-Hulud campaign.
The affected npm packages have been modified to include an obfuscated JavaScript file (“router_init.js”) designed to profile the workstation and launch a full-featured stealer capable of targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems, including GitHub Actions, according to Aikido, StepSecurity, and Socket. The data is exfiltrated to the “filev2.getsession[.]org” domain.
Using the Session Protocol infrastructure is a deliberate attempt on the part of attackers to evade detection, as the domain is less likely to be blocked within corporate environments, given that it is part of a decentralized, privacy-oriented messaging service. As a fallback option, the encrypted data is committed to attacker-controlled repositories under the author name “claude@users.noreply.github.com” via the GitHub GraphQL API using stolen GitHub tokens.
The malware can also establish persistence hooks in Claude Code and Microsoft Visual Studio Code (VS Code) so that it survives reboots and runs again on every IDE launch.
In addition, it includes a gh-token-monitor service to monitor and reissue GitHub tokens, and it injects a malicious GitHub Actions workflow that compiles secrets into a JSON object and uploads the data to an external server (“api.masscan[.]cloud”).
TanStack has since traced the compromise to a chained GitHub Actions attack involving the “pull_request_target” trigger, the GitHub Actions cache, and extraction of an OIDC token from the runtime memory of the GitHub Actions runner process. “No npm tokens were stolen, and the npm publish workflow itself was not compromised,” TanStack said.

Specifically, the attackers are assessed to have staged a malicious payload in a GitHub fork, injected it into published npm tarballs, and hijacked the official “TanStack/router” workflow to publish malicious versions carrying valid SLSA provenance.
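To check your own repositories for the ingredients of the chain described above, the following added example (not code from TanStack or any of the vendors quoted) flags workflow files that combine the “pull_request_target” trigger with cache use or OIDC token permissions. The sample workflow, the signal names, and the verdict levels are constructed for illustration; the PR-head checkout signal is an assumption drawn from the general pattern of “pull_request_target” misuse, not a detail the page gives.

```python
import re

# Constructed sample workflow for illustration (not TanStack's actual file).
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm test
"""

# Text-level signals; a heuristic, not a YAML-aware analysis.
SIGNALS = {
    "pull_request_target": re.compile(
        r"^\s*(-\s*)?pull_request_target\s*:?\s*$|^\s*on\s*:.*\bpull_request_target\b", re.M),
    "pr_head_checkout": re.compile(
        r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"),
    "cache": re.compile(r"uses:\s*actions/cache(/\w+)?@|^\s*cache\s*:", re.M),
    "oidc_write": re.compile(r"^\s*id-token\s*:\s*write\b", re.M),
}

def audit_workflow(text):
    """Return (verdict, signals) for one workflow file's text."""
    # Ignore full-line comments so commented-out steps do not trigger.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(body))
    if "pull_request_target" not in hits:
        verdict = "ok"          # the privileged trigger is absent
    elif "pr_head_checkout" in hits and ("cache" in hits or "oidc_write" in hits):
        verdict = "high"        # untrusted PR code next to cache or OIDC access
    elif len(hits) > 1:
        verdict = "review"
    else:
        verdict = "low"
    return verdict, hits

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

Run `audit_workflow` over each file under `.github/workflows/` and review anything that is not "ok" by hand, since the check is purely textual.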
What makes the worm stand out is its ability to propagate itself to other packages by obtaining an npm token with bypass_2fa set to true, listing all packages published by the same maintainer, and exchanging the GitHub OIDC token for each package’s publishing token, sidestepping traditional authentication altogether.
The TanStack supply chain compromise has been assigned the CVE identifier CVE-2026-45321. It carries a CVSS score of 9.6 out of 10.0, indicating critical severity. The incident affected 42 packages and 84 versions in the TanStack ecosystem.
“This attack published malicious versions through the project’s GitHub Actions release pipeline using hijacked OIDC tokens,” said StepSecurity researcher Ashish Kurmi.
“Increasingly rare, the corrupted packages carry official SLSA Build Level 3 evidence, making this a well-documented worm that produces legitimately proven malicious packages. This worm has spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers.”
Besides TanStack, the Mini Shai-Hulud campaign has spread to several other packages, including some on PyPI:
- guardrails-ai@0.10.1 (PyPI)
- mistralai@2.4.6 (PyPI)
- @opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, and 3.8.0
- @squawk/mcp@0.9.5
- @squawk/weather@0.5.10
- @squawk/flightplan@0.5.6
- @tallyui/connector-medusa@1.0.1, 1.0.2, and 1.0.3
- @tallyui/connector-vendure@1.0.1, 1.0.2, and 1.0.3
Microsoft, in its analysis of the malicious mistralai PyPI package, said it was designed to download a payload from a remote server (“83.142.209[.]194”) that includes country-aware logic to avoid Russian-language environments and a “geofenced destructive branch with a 1-in-6 chance of running rm -rf / when the program appears to be in Israel or Iran.”
“The guardrails-ai@0.10.1 compromise is particularly notable because malicious code is used on import,” Socket said. “The package inspects Linux systems, downloads a remote Python artifact from writing to /tmp/transformers.pyz, and executes it with python3 without verifying integrity.”
“This latest work shows the campaign continues to spread across npm and PyPI, with affected packages including search infrastructure, AI tools, developer packages related to aviation, business automation, frontend tooling, and CI/CD-adjacent ecosystems.”



