Mini Shai-Hulud Worm Subverts Supply Chain Trust: 169 npm and PyPI Packages Carry Valid SLSA Attestations
The TeamPCP threat group has compromised over 160 open-source packages, including TanStack and Mistral AI, by abusing OIDC trusted publishing to inject malicio…

On May 11, 2026, the threat group TeamPCP launched a coordinated campaign against the npm and PyPI ecosystems, compromising over 160 open-source packages, including those from TanStack, Mistral AI, and UiPath. The payloads propagate as a worm through breached CI/CD pipelines, exploiting GitHub Actions’ OIDC trusted publishing to release malicious versions that carry valid SLSA Build Level 3 provenance attestations. This creates a security paradox: the very system designed to verify supply chain integrity now serves as perfect camouflage, as standard defenses fail to detect anomalies in packages originating from signed, legitimate workflows.
«In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages.»
— Ashish Kurmi, StepSecurity
- TeamPCP has compromised over 160 package names across npm and PyPI, with nearly 370 malicious versions detected by Aikido.
- The attack exploits GitHub Actions OIDC trusted publishing, extracting tokens from runner memory via pnpm cache poisoning.
- Malicious packages feature valid SLSA Build Level 3 provenance because they were published through the projects' own legitimate pipelines.
- The payload includes a dead-man's switch that triggers a local wiper if the generated npm token is revoked, with polling occurring every 60 seconds.
How the Worm Operates: From Repository Forks to Poisoned Caches
The initial vector exploits the combination of repository forks and GitHub Actions workflows configured with pull_request_target. The attacker creates a renamed fork and injects an orphaned commit that modifies the pnpm cache, triggering workflow execution on the project's legitimate surface. From there, the malicious code extracts OIDC tokens directly from the runner's memory by reading /proc/<pid>/mem, gaining the credentials required to publish packages via trusted publishing.
According to Peyton Kennedy of Endor Labs, «The orphaned commit additionally triggered a GitHub Actions workflow run against the legitimate TanStack/router workflow surface». Once access is established, the worm exchanges the OIDC token for an npm publishing token—enabling bypass_2fa—and enumerates all packages associated with the maintainer to facilitate self-propagation. The infection spreads without stealing long-lived tokens, instead abusing the identity federation mechanism between GitHub and the registry.
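The trigger combination the paragraph above describes, a pull_request_target workflow that checks out fork-controlled code, can be flagged before it is abused. The following audit script is an added example, not code from the article or from any of the vendors it cites; its detection heuristic (the trigger plus a checkout pinned to the pull request's head revision) is a simplifying assumption and does not replace reading each workflow by hand.

```shell
#!/bin/sh
# Added example: flag GitHub Actions workflow files that combine the
# pull_request_target trigger with a checkout of the pull request's own
# head revision. That combination runs fork-supplied code with the base
# repository's secrets and OIDC identity, the class of misconfiguration
# described above. Heuristic only (assumption): review every hit manually.

# audit_workflows DIR -> prints one line per risky file; returns 1 if any
audit_workflows() {
    dir="$1"
    found=0
    for wf in "$dir"/*.yml "$dir"/*.yaml; do
        [ -f "$wf" ] || continue
        # Only workflows using the privileged trigger are of interest.
        grep -q 'pull_request_target' "$wf" || continue
        # A checkout of the PR head (sha or ref) or of refs/pull/N/merge
        # brings the untrusted tree, including its pnpm cache, into the job.
        if grep -Eq 'pull_request\.head\.(sha|ref)|refs/pull/' "$wf"; then
            echo "RISKY: $wf (pull_request_target + checkout of PR head)"
            found=1
        fi
    done
    return $found
}
```

Run it as `audit_workflows .github/workflows` from the repository root; a clean run returns 0 and prints nothing.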
Inside the compromised npm tarballs, Wiz identified an obfuscated JavaScript file of approximately 2.3 MB named router_init.js. The payload profiles the target environment and executes a multi-stage credential stealer capable of harvesting CI/CD tokens from GitHub Actions, GitLab, and CircleCI, as well as cloud credentials for AWS IMDSv2, GCP, Azure, Kubernetes accounts, HashiCorp Vault tokens, and registry secrets.
To ensure persistence, the malware installs a service named gh-token-monitor. This is achieved via a LaunchAgent on macOS and systemd on Linux, ensuring the credential stealer remains active after system reboots to maintain its connection with the command-and-control infrastructure.
Session Protocol and Geofencing: The Payload's Dual Nature
Data exfiltration does not rely on centralized servers that are easily taken down. Instead, it utilizes the Session Protocol, a peer-to-peer network resistant to takedowns. Stolen data is routed through the filev2.getsession[.]org domain, attacker-controlled GitHub repositories, and the api.masscan[.]cloud domain. The use of Session makes interrupting communications significantly more difficult without coordinated action against geographically distributed nodes.
In the PyPI ecosystem, packages associated with mistralai and guardrails-ai download an additional payload from git-tanstack[.]com/tmp/transformers.pyz. This code activates only on Linux systems and deliberately avoids environments configured with the Russian language. Crucially, it includes a geofenced destructive branch targeting Israel and Iran. In these regions, the payload executes rm -rf / with a 1-in-6 probability, effectively transforming the infostealer into a wiper.
Specifically, version 0.10.1 of the guardrails-ai package executes malicious code immediately upon Python importation by writing the /tmp/transformers.pyz file. This confirms that the threat is not limited to the installation phase but activates the moment the library is loaded into the execution environment, significantly broadening the attack surface.
The Provenance Paradox: SLSA Level 3 as a Mask for Malware
The defining characteristic of the Mini Shai-Hulud campaign is that the compromised packages possess perfectly valid SLSA Build Level 3 provenance attestations. Because the malware was published through the projects' legitimate release pipelines, the cryptographic signatures and audit logs show no technical anomalies. The trust system remains intact even though the underlying workflow has been subverted.
Ashish Kurmi of StepSecurity described the event as «the first documented npm worm that produces validly attested malicious packages», noting that «the attack published malicious versions through the project's own GitHub Actions release pipeline using hijacked OIDC tokens». The formal validity of the provenance becomes a double-edged sword: it reassures users while hiding the payload beneath a layer of compliance.
Avital Harel of Upwind characterized the campaign as part of a «broader shift in supply chain attacks from isolated package compromise to identity-driven propagation through trusted CI/CD infrastructure». According to Raphael Silva of Aikido Security, «The important part is not only the number of packages, but where they run. These packages are likely to be installed in local developer environments, CI jobs, release workflows, and internal build systems». The impact is magnified because the malicious code infiltrates the most sensitive nodes of the production chain.
Aikido detected nearly 370 malicious versions distributed across more than 160 package names, with total cumulative downloads for the affected packages estimated to exceed 518 million. TanStack was hit particularly hard, with over 40 packages and 80 versions impacted; the @tanstack/react-router package alone sees nearly 12 million weekly downloads. On the PyPI front, the mistralai package accumulated approximately 86,000 downloads in the seven days prior to being quarantined.
Mitigation and Response Strategies
- Verify code provenance within trusted workflows: DevOps teams must audit every step of the CI/CD pipeline, including packages loaded into the pnpm cache. Do not trust SLSA attestations blindly if the runner environment may have been compromised.
- Isolate build environments and limit OIDC token duration: GitHub Actions runners should operate in sandboxes with protected memory and minimal process access. Tokens should have the shortest possible expiration windows to reduce the opportunity for extraction from /proc.
- Monitor lifecycle scripts and library imports: Security tools must track code execution at the time of import, not just during npm install, as payloads like those in guardrails-ai activate when the module is loaded.
- Do not revoke tokens without first isolating the system: The dead-man's switch checks for token revocation every 60 seconds and triggers rm -rf ~/ if the token is invalid. Before deactivating credentials, the affected machine must be isolated and persistence mechanisms (macOS LaunchAgent or Linux systemd) must be removed.
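The last item in the list above turns the usual response order around: look for persistence and dropped payloads first, revoke later. The sweep below is an added example, not the article's code nor a tool from any of the cited vendors. It is read-only and never touches the npm token the dead-man's switch polls, so it is safe to run before revocation; the file locations it searches are assumptions, because the article gives only the service name gh-token-monitor and the two payload file names.

```shell
#!/bin/sh
# Added example: read-only triage sweep for the artifacts named in the
# article. It reports and changes nothing, so it can run before the host
# is isolated and before any token is revoked. The directories searched
# are assumptions; the article only names the service and the payload files.

# scan_host ROOT -> prints one line per finding; use "/" for a live host
scan_host() {
    root="${1%/}"
    # 1. Persistence: LaunchAgent plists (macOS) and systemd units (Linux)
    #    either named after, or referring to, the gh-token-monitor service.
    find "$root/Library/LaunchAgents" "$root"/Users/*/Library/LaunchAgents \
         "$root/etc/systemd/system" "$root"/home/*/.config/systemd/user \
         -type f 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in *gh-token-monitor*) echo "PERSISTENCE: $f"; continue ;; esac
        grep -q 'gh-token-monitor' "$f" 2>/dev/null && echo "PERSISTENCE: $f"
    done
    # 2. Second-stage PyPI payload written on import by guardrails-ai/mistralai.
    [ -f "$root/tmp/transformers.pyz" ] && echo "PAYLOAD: $root/tmp/transformers.pyz"
    # 3. The obfuscated npm stage, wherever a dependency tree was installed.
    find "$root"/home/* "$root"/Users/* "$root/root" "$root/tmp" \
         -path '*/node_modules/*' -name 'router_init.js' -type f 2>/dev/null |
    sed 's/^/PAYLOAD: /'
}
```

Disable any reported unit or LaunchAgent and disconnect the machine before revoking credentials; an empty report does not clear the host, since installs outside the searched directories are not covered.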
Mini Shai-Hulud is more than a simple credential theft; it is a demonstration that the modern supply chain has shifted the risk boundary from code vulnerabilities to the identities that compile it. As long as the primary response to compromise is token revocation rather than internal pipeline behavior verification, attackers will continue to turn trust architectures against those who build them.
Impact Assessment and FAQ
How can a package have valid SLSA provenance if it contains malware?
SLSA Build Level 3 provenance certifies that a package was generated by a specific pipeline and that the source matches a known commit. If an attacker compromises the legitimate CI/CD workflow, the malicious package is issued from that same pipeline with the same attestations. The signature is technically valid, but the process that produced it was subverted.
Has the dead-man's switch been triggered on real systems?
There is currently no public evidence that the automated destruction mechanism has caused widespread damage. However, Wiz and The Hacker News confirm the script is active in the payload and will wipe data if the malware-generated token is revoked, making immediate reaction without isolation dangerous.
Did the attack compromise the central npm or PyPI servers?
No. The campaign targeted individual maintainers and their GitHub Actions workflows, not the registry infrastructure itself. npm has removed the malicious versions, and PyPI has quarantined the affected packages, but the central servers remain secure.
Sources
- https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html
- https://www.thestack.technology/mini-shai-hulud-mistral-ai-tanstack/
- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
- https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised