
Mini Shai-Hulud Worm Exposes Limits of Trusted Publishing After 170+ npm and PyPI Packages Hit

[Figure: Mini Shai-Hulud supply chain worm trusted publishing abuse diagram]
Priya Menon
Supply chain security reporter · Updated 03:52 PM UTC

The Mini Shai-Hulud campaign compromised more than 170 reported npm and PyPI packages, exposing how trusted publishing and provenance can still be abused when CI/CD environments are compromised.

A fast-moving software supply-chain campaign dubbed Mini Shai-Hulud compromised more than 170 reported npm and PyPI packages in May 2026, hitting projects tied to TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI and Squawk while also affecting two OpenAI corporate devices through downstream exposure.

The clearest confirmed breach centered on TanStack, whose maintainers said attackers published 84 malicious versions across 42 @tanstack/* npm packages on May 11, 2026, between 19:20 and 19:26 UTC. The wider campaign then spread across JavaScript and Python package ecosystems, with researchers reporting hundreds of malicious package-version artifacts.

This was not a routine malicious-package upload. The TanStack compromise showed that modern trust systems - including OIDC trusted publishing, Sigstore-style provenance and SLSA attestations - can still produce legitimate-looking malicious releases if attackers gain code execution inside the trusted CI/CD environment itself.

TanStack said the attacker did not steal npm tokens and did not directly compromise the normal npm publish workflow. Instead, the attacker chained three weaknesses: a risky pull_request_target GitHub Actions pattern, cache poisoning across the fork-to-base repository trust boundary, and extraction of an OIDC token from GitHub Actions runner memory.

The malicious TanStack packages included a roughly 2.3 MB obfuscated JavaScript payload, commonly identified as router_init.js, and an added optional dependency pointing to a GitHub-hosted @tanstack/setup package. Because npm runs package lifecycle scripts (preinstall, install, postinstall) automatically during installation unless scripts are explicitly disabled, the payload could run as soon as a developer or CI system installed an affected version.

The malware targeted the exact secrets that make modern software delivery work: GitHub tokens, npm tokens, GitHub Actions OIDC material, AWS credentials, GCP credentials, Kubernetes service-account tokens, Vault tokens, SSH keys and local developer configuration files. Researchers also observed persistence attempts through developer-tool locations such as .claude/ and .vscode/, raising concern that simply removing an affected package may not fully clean an infected workstation.

Indicator                  Type             Significance
router_init.js             File             Main malicious npm payload reported in TanStack-related packages
tanstack_runner.js         File             Staged payload linked to the malicious GitHub dependency
@tanstack/setup            Package pattern  GitHub-hosted dependency used to trigger install-time execution
filev2[.]getsession[.]org  Network          Reported exfiltration channel
git-tanstack[.]com         Network          Reported attacker infrastructure and Python payload host
api[.]masscan[.]cloud      Network          Reported command-and-control endpoint
.claude/settings.json      Persistence      Reported Claude Code hook persistence
.vscode/tasks.json         Persistence      Reported VS Code task persistence

The broader campaign was attributed by security researchers to TeamPCP, a threat group associated with earlier open-source supply-chain attacks. The group's latest wave carried Dune-themed markers and, in some reports, coercive token-monitoring logic that threatened destructive action if victims revoked attacker-created tokens.

The npm side of the campaign included packages under namespaces such as @tanstack, @uipath, @mistralai, @opensearch-project, @squawk, @draftauth, @draftlab, @tallyui, @beproduct, @mesadev and others. The Python ecosystem was also affected, with malicious versions reported for mistralai==2.4.6 and guardrails-ai==0.10.1.

Counts vary because researchers are counting different things: package names, package versions, artifacts and namespace-level impact. The safest assessment is that TanStack confirmed 42 packages and 84 malicious versions, while the broader campaign involved roughly 170 reported packages and hundreds of malicious package-version artifacts across npm and PyPI.

OpenAI said its corporate environment was affected after two employee devices encountered the compromised TanStack npm packages, according to reporting on the company's disclosure. The company said it found no evidence that user data, production systems, intellectual property or deployed software were compromised. It said limited credential material was exfiltrated from a subset of internal repositories accessible to the two impacted employees, and that it rotated affected credentials and code-signing certificates as a precaution.

The incident has renewed scrutiny of GitHub Actions workflows triggered by pull_request_target, which run in the context of the base repository, with its secrets and a write-capable GITHUB_TOKEN, and are therefore dangerous when they check out untrusted fork code, run dependency installation, or share caches with release workflows. The TanStack attack succeeded because the release workflow later trusted a poisoned cache created in an earlier, attacker-influenced context.
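The combination described above (pull_request_target, a checkout of the fork's PR head, a dependency install that runs lifecycle scripts, and a cache other workflows can restore) can be caught before it ships. The following scanner is an added example, not TanStack's or GitHub's code: it uses line-based regular expressions rather than a YAML parser so it runs with the standard library only, and the two workflow texts at the bottom are constructed illustrations, not TanStack's real workflow files.

```python
"""Heuristic scanner for the risky pull_request_target workflow pattern.

Added example. The regexes below are deliberately simple; they will not
understand anchors, includes or matrix expressions, so treat a 'high'
result as something to read by hand, not as proof of compromise."""
import re

# Ingredients of the risky combination. RE_PR_HEAD catches the two common
# ways of checking out the untrusted fork commit in the trusted context.
RE_PRT = re.compile(r"\bpull_request_target\b")
RE_PR_HEAD = re.compile(
    r"ref:\s*\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.head_ref)\s*\}\}")
RE_INSTALL = re.compile(
    r"run:\s*.*\b(?:npm\s+(?:ci|install|i)|pnpm\s+install"
    r"|yarn(?:\s+install)?|pip\s+install)\b")
RE_CACHE = re.compile(r"uses:\s*actions/cache@|cache:\s*['\"]?(?:npm|pnpm|yarn|pip)\b")
RE_IGNORE_SCRIPTS = re.compile(r"--ignore-scripts\b")


def assess_workflow(text: str) -> dict:
    """Return which ingredients are present, human-readable findings and a risk label."""
    prt = bool(RE_PRT.search(text))
    pr_head = bool(RE_PR_HEAD.search(text))
    installs = bool(RE_INSTALL.search(text))
    shares_cache = bool(RE_CACHE.search(text))
    # Lifecycle scripts run unless every install line disables them.
    runs_scripts = installs and not RE_IGNORE_SCRIPTS.search(text)

    findings = []
    if prt and pr_head:
        findings.append("pull_request_target checks out untrusted fork code "
                        "with base-repository secrets and a write-capable token")
    if prt and runs_scripts:
        findings.append("dependency install with lifecycle scripts runs in the trusted context")
    if prt and shares_cache:
        findings.append("cache written in the attacker-influenced run can be "
                        "restored by other workflows, including releases")

    if prt and pr_head and (runs_scripts or shares_cache):
        risk = "high"
    elif prt and (pr_head or runs_scripts or shares_cache):
        risk = "medium"
    else:
        risk = "low"
    return {"pull_request_target": prt, "checks_out_pr_head": pr_head,
            "installs_dependencies": installs, "runs_lifecycle_scripts": runs_scripts,
            "shares_cache": shares_cache, "findings": findings, "risk": risk}


# Constructed example of the risky shape: fork code, install with scripts, shared cache.
VULNERABLE_WORKFLOW = """\
name: Benchmark
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm bench
"""

# Constructed hardened shape: plain pull_request (no secrets for forks), no
# fork-head checkout, no cache shared with release jobs, scripts disabled.
HARDENED_WORKFLOW = """\
name: Benchmark
on:
  pull_request:
jobs:
  bench:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm bench
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = assess_workflow(wf)
        print(label, result["risk"], *result["findings"], sep="\n  ")
```

Run it over a checkout with a loop over .github/workflows/*.yml; any workflow that scores high should be split into an untrusted job (pull_request, no secrets) and a trusted job that never checks out fork code and uses cache keys the release workflow cannot restore.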

It also challenges the security community's reliance on provenance badges as a standalone trust signal. Provenance can show where a package was built. It cannot prove the build environment was safe.

For defenders, the guidance is blunt: any developer machine or CI runner that installed affected versions should be treated as potentially compromised. Teams should inspect lockfiles, package-manager caches, SBOMs and CI logs; search for router_init.js, tanstack_runner.js, setup.mjs and the @tanstack/setup dependency pattern; and rotate reachable GitHub, npm, cloud, Kubernetes, Vault, SSH and CI/CD secrets.
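The install-time mechanism described earlier, the indicator table and the hunting guidance above all come down to the same checks: filenames, a dependency spec pointing at @tanstack/setup, lifecycle scripts in package.json, the reported domains, and the persistence locations. The script below is an added example, not a vendor tool or anything from the TanStack project; the indicator values are the ones reported in this article, and build_sample_tree() writes constructed fixture files (a fake package, a harmless stand-in for router_init.js, a Claude Code settings file) so it runs offline. Nothing it writes is a real payload.

```python
"""Hunt for the reported Mini Shai-Hulud indicators in a directory tree.

Added example. Point scan_tree() at a repository checkout, a node_modules
directory or a developer home directory; every hit is something to review,
not an automatic verdict."""
import json
import os
import tempfile
from collections import Counter

IOC_FILES = {"router_init.js", "tanstack_runner.js", "setup.mjs"}
IOC_WORKFLOWS = {"codeql_analysis.yml"}          # suspicious workflow name reported
IOC_DEPENDENCY = "@tanstack/setup"
IOC_DOMAINS = ("filev2.getsession.org", "git-tanstack.com", "api.masscan.cloud")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# path suffix -> substring whose presence warrants a manual look
PERSISTENCE = {".claude/settings.json": '"hooks"', ".vscode/tasks.json": "folderOpen"}
MAX_SCAN_BYTES = 4 * 1024 * 1024


def _read_text(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(MAX_SCAN_BYTES).decode("utf-8", "ignore")
    except OSError:
        return ""


def _check_package_json(text, rel, findings):
    try:
        pkg = json.loads(text)
    except ValueError:
        return
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (pkg.get(section) or {}).items():
            spec = str(spec)
            if name == IOC_DEPENDENCY or IOC_DEPENDENCY in spec:
                findings.append(("dependency", rel, f"{section}: {name} -> {spec}"))
            elif spec.startswith(("git+", "git://", "github:")) or "github.com" in spec:
                # Any git-hosted dependency bypasses registry review; flag it.
                findings.append(("git-dependency", rel, f"{section}: {name} -> {spec}"))
    for hook in LIFECYCLE_HOOKS:
        cmd = (pkg.get("scripts") or {}).get(hook)
        if cmd:
            findings.append(("lifecycle-script", rel, f"{hook}: {cmd}"))


def scan_tree(root):
    """Return (kind, relative_path, detail) tuples for every indicator match."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            text = _read_text(path)
            if name in IOC_FILES:
                findings.append(("file", rel, name))
            if name in IOC_WORKFLOWS and "/.github/workflows/" in "/" + rel:
                findings.append(("workflow", rel, name))
            if name == "package.json":
                _check_package_json(text, rel, findings)
            for suffix, marker in PERSISTENCE.items():
                if rel.endswith(suffix) and marker in text:
                    findings.append(("persistence", rel, f"contains {marker}"))
            for domain in IOC_DOMAINS:
                if domain in text:
                    findings.append(("network", rel, domain))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'file': 1, 'network': 1}."""
    return dict(Counter(kind for kind, _path, _detail in findings))


def build_sample_tree():
    """Constructed fixture: fake package with the reported shape, a clean
    package, and a home directory with a Claude Code hook. Not real malware."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")

    def write(rel, content):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("node_modules/@tanstack/router-core/package.json", json.dumps({
        "name": "@tanstack/router-core", "version": "0.0.0-constructed",
        "optionalDependencies": {"@tanstack/setup": "github:example-org/setup"},
        "scripts": {"postinstall": "node router_init.js"}}))
    write("node_modules/@tanstack/router-core/router_init.js",
          "// constructed stand-in, not the real payload\nconst h = 'filev2.getsession.org';\n")
    write("node_modules/lodash/package.json",
          json.dumps({"name": "lodash", "version": "4.17.21"}))
    write("home/.claude/settings.json", json.dumps({"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "node ~/.cache/x.js"}]}]}}))
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding in scan_tree(demo_root):
        print(*finding, sep="\t")
```

A clean tree produces nothing; on the fixture it reports the payload filename, the domain inside it, the @tanstack/setup optional dependency, the postinstall script and the Claude Code hook. The persistence and git-dependency checks are intentionally broad (legitimate projects use both), so read every hit rather than acting on counts alone.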

Security teams should also audit for persistence artifacts in .claude/, .vscode/, macOS LaunchAgents, Linux user systemd services and suspicious GitHub workflow files such as codeql_analysis.yml. Organizations that consume fast-moving open-source packages may also consider release cool-down policies that delay adoption of newly published versions in CI, giving malicious releases time to be detected before they enter production pipelines.
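A release cool-down of the kind suggested above is easy to enforce in CI: before installing, compare each locked version's publish time against the registry and refuse anything younger than the policy allows. The check below is an added example, not an npm, PyPI or TanStack feature; the lockfile and registry documents are constructed, shaped like a package-lock.json v3 "packages" map and the "time" map of an npm registry package document, with a small PyPI-style "releases" helper for the Python side. Versions and timestamps are invented for illustration.

```python
"""Release cool-down check: block lockfile versions published too recently.

Added example. A version missing from the registry data is treated as a
failure (it may be unpublished or yanked, or the metadata fetch failed);
failing closed is the point of the policy."""
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=3)


def _parse(ts):
    # Registry timestamps are ISO 8601 with a trailing Z; fromisoformat on
    # older Pythons needs the explicit +00:00 form.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def locked_versions(lockfile):
    """{name: version} from a package-lock.json v3 'packages' map."""
    out = {}
    for path, entry in lockfile.get("packages", {}).items():
        if not path or "version" not in entry:
            continue  # "" is the root project; links/workspaces may lack versions
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        out[name] = entry["version"]
    return out


def publish_times_from_npm(doc):
    """version -> publish time from the 'time' map of an npm registry document."""
    return {v: _parse(t) for v, t in doc.get("time", {}).items()
            if v not in ("created", "modified")}


def publish_times_from_pypi(doc):
    """version -> earliest upload time from a PyPI JSON API 'releases' map."""
    return {v: min(_parse(f["upload_time_iso_8601"]) for f in files)
            for v, files in doc.get("releases", {}).items() if files}


def check_cooldown(locked, publish_times, now, min_age=MIN_AGE):
    """Classify every locked version as ok, blocked (too young) or unknown."""
    result = {"ok": [], "blocked": [], "unknown": []}
    for name, version in sorted(locked.items()):
        published = publish_times.get(name, {}).get(version)
        spec = f"{name}@{version}"
        if published is None:
            result["unknown"].append(spec)
        elif now - published < min_age:
            result["blocked"].append(spec)
        else:
            result["ok"].append(spec)
    return result


# Constructed inputs. The build runs at noon UTC the day after a hypothetical
# late-evening publish, so that version is about 17 hours old.
NOW = datetime(2026, 5, 12, 12, 0, tzinfo=timezone.utc)

LOCKFILE = {"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@tanstack/router-core": {"version": "99.0.1"},  # invented version
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/left-pad": {"version": "9.9.9"},                # not in registry data
}}

REGISTRY = {
    "@tanstack/router-core": publish_times_from_npm({"time": {
        "created": "2023-01-01T00:00:00.000Z",
        "99.0.0": "2026-04-20T10:00:00.000Z",
        "99.0.1": "2026-05-11T19:22:00.000Z",
        "modified": "2026-05-11T19:22:00.000Z"}}),
    "lodash": publish_times_from_npm({"time": {"4.17.21": "2021-02-20T15:42:16.891Z"}}),
}


def run_demo():
    return check_cooldown(locked_versions(LOCKFILE), REGISTRY, NOW)


if __name__ == "__main__":
    verdict = run_demo()
    for kind in ("blocked", "unknown", "ok"):
        print(kind, verdict[kind])
    raise SystemExit(1 if verdict["blocked"] or verdict["unknown"] else 0)
```

In a real pipeline the REGISTRY map is filled by fetching each package document (npm: the registry's package endpoint; PyPI: the JSON API) and the non-zero exit fails the job. Three days is a policy choice, not a figure from the article; the right value depends on how quickly your ecosystem's maintainers and scanners typically catch a bad release.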

The Mini Shai-Hulud campaign is a warning that the software supply chain's trust model is now a primary target. Attackers are no longer only stealing maintainer passwords or publishing typosquats; they are learning to turn trusted automation itself into the delivery mechanism.
