
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages

Why This Matters

The recent Shai Hulud attack highlights significant vulnerabilities in the software supply chain, emphasizing the risks of malicious packages that appear legitimate due to valid provenance and attestations. This underscores the urgent need for improved security measures in CI/CD pipelines and package management systems to protect developers and consumers from credential-stealing malware and supply chain attacks.

Key Takeaways

Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers.

The attacker hijacked valid OpenID Connect (OIDC) tokens to publish malicious package versions with verifiable provenance attestations (SLSA Build Level 3).

Attributed to the TeamPCP threat group, the attack started with compromising dozens of TanStack and Mistral AI packages but quickly extended to other popular projects, like Guardrails AI, UiPath, and OpenSearch.

The Shai-Hulud campaign emerged last September and had multiple iterations [1, 2, 3], some of them exposing hundreds of thousands of developer secrets in automatically generated GitHub repositories. Among more recently compromised projects are the Bitwarden CLI package and the official SAP packages.

The latest attack wave occurred yesterday with the threat actor publishing multiple malicious packages in the TanStack namespaces on the Node Package Manager (npm), and then spreading to other projects using stolen CI/CD credentials.

Application security company StepSecurity notes that the threat actor published the infected packages via the legitimate CI/CD pipeline, carrying valid SLSA provenance attestations issued by npm's signing infrastructure and "tied to the legitimate TanStack/router Release workflow."

Endor Labs reports over 160 compromised packages on npm, Aikido recorded 373 malicious package-version entries, and Socket tracked 416 compromised package artifacts across npm, the Python Package Index (PyPI), and Composer.

According to TanStack's post-mortem report, the attackers chained three vulnerabilities: a risky "pull_request_target" workflow trigger, GitHub Actions cache poisoning, and OIDC token theft from runner memory.

The attackers published 84 malicious versions across 42 TanStack packages that had valid provenance, valid Sigstore attestations, and legitimate GitHub Actions signatures.

From a developer’s perspective, the packages appeared to be cryptographically authentic, and there was no indication of a compromise.
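Because a provenance attestation only proves that a package was built by the named workflow, not that the workflow itself was uncompromised, a defender needs signals independent of the signature. The script below is an added example, not code from the article or from TanStack; it implements two such signals over constructed data: a publish-age cooldown that holds back any locked dependency younger than N days, and a burst monitor that flags windows in which many packages of one scope published new versions within minutes of each other, the pattern seen when dozens of packages are hijacked at once. All package names, versions and timestamps are constructed stand-ins for what `npm view <pkg> time --json` and a `package-lock.json` would provide.

```python
"""Dependency cooldown and publish-burst check (added example, not from the article).

A valid SLSA/Sigstore attestation says the build came from the named workflow;
it says nothing about whether that workflow's OIDC token was stolen. Publish age
and cross-package publish timing are independent signals a consumer can check.
Every package name, version and timestamp here is constructed."""
from datetime import datetime, timedelta, timezone
import json

# Constructed stand-in for `npm view <pkg> time --json` output, one entry per package.
REGISTRY_TIMES = {
    "@example-scope/router-core": {
        "1.0.0": "2026-01-02T10:00:00Z",
        "1.0.1": "2026-02-14T09:30:00Z",
        "1.0.2": "2026-03-30T08:05:00Z",   # part of a constructed publish burst
    },
    "@example-scope/router-devtools": {
        "2.3.0": "2026-02-20T11:00:00Z",
        "2.3.1": "2026-03-30T08:06:00Z",   # part of a constructed publish burst
    },
    "@example-scope/utils": {
        "0.9.0": "2026-01-15T12:00:00Z",
        "0.9.1": "2026-03-30T08:07:00Z",   # part of a constructed publish burst
    },
    "left-pad-ish": {
        "3.1.0": "2025-11-01T00:00:00Z",
    },
}

# Constructed package-lock.json (lockfileVersion 3) fragment with resolved versions.
LOCKFILE = json.loads("""{
  "packages": {
    "node_modules/@example-scope/router-core": {"version": "1.0.2"},
    "node_modules/@example-scope/router-devtools": {"version": "2.3.1"},
    "node_modules/@example-scope/utils": {"version": "0.9.0"},
    "node_modules/left-pad-ish": {"version": "3.1.0"}
  }
}""")

NOW = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def parse_ts(s):
    """Parse the registry's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def locked_versions(lock):
    """Yield (package, version) for every resolved dependency in a v3 lockfile."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        yield path.split("node_modules/")[-1], meta["version"]


def too_young(lock, times, min_age_days, now):
    """Return locked versions published less than min_age_days before `now`.

    A version with no publish time on record is also reported, since the
    cooldown cannot be evaluated for it."""
    cutoff = now - timedelta(days=min_age_days)
    held = []
    for pkg, ver in locked_versions(lock):
        published = times.get(pkg, {}).get(ver)
        if published is None:
            held.append((pkg, ver, "unknown publish time"))
        elif parse_ts(published) > cutoff:
            held.append((pkg, ver, f"published {published}"))
    return held


def publish_bursts(times, window_minutes, min_packages):
    """Find windows in which at least min_packages distinct packages published.

    Scans every version in the registry data, not only locked ones, so it can
    run as a scope-wide monitor. Overlapping windows that add no new package
    are collapsed into the earlier one."""
    events = sorted((parse_ts(ts), pkg) for pkg, vs in times.items() for ts in vs.values())
    window = timedelta(minutes=window_minutes)
    bursts = []
    for i, (t0, _) in enumerate(events):
        pkgs = {p for t, p in events[i:] if t - t0 <= window}
        if len(pkgs) >= min_packages and not (bursts and pkgs <= set(bursts[-1][1])):
            bursts.append((t0.isoformat(), sorted(pkgs)))
    return bursts


if __name__ == "__main__":
    for pkg, ver, why in too_young(LOCKFILE, REGISTRY_TIMES, 7, NOW):
        print(f"HOLD  {pkg}@{ver}: {why}")
    for start, pkgs in publish_bursts(REGISTRY_TIMES, 10, 3):
        print(f"BURST starting {start}: {', '.join(pkgs)}")
```

With a seven-day cooldown the two versions published the day before are held back even though, in the scenario the article describes, both would carry valid attestations; the burst monitor separately reports the three packages that published within a two-minute window. Package managers that support a minimum release age natively give the same first check without a custom script; the burst check is still worth running against the scopes a project depends on.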
