Detect and mitigate malicious npm packages linked to the latest Mini Shai-Hulud supply chain campaign targeting high-value developer tooling.
# Incident Report: Mini Shai-Hulud Supply Chain Campaign (TeamPCP)
## Executive Summary
On May 11, 2026, a coordinated supply chain attack attributed to "TeamPCP" targeted high-value npm packages, including TanStack, UiPath, and Mistral AI. The attackers utilized a sophisticated GitHub Actions cache poisoning technique and OIDC token extraction to publish malicious package versions. The resulting malware acts as a self-propagating worm and credential stealer, featuring a destructive "wiper" payload triggered upon token revocation.
## Incident Details
- **Discovery Date:** May 11, 2026
- **Incident Date:** May 11, 2026
- **Affected Organization:** TanStack, UiPath, Mistral AI, and downstream npm users.
- **Sector:** Software Development / Technology / AI / Enterprise Automation
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 11, 2026
- **Vector:** GitHub Actions Exploitation (`pull_request_target`)
- **Details:** Attackers used a fork-and-PR strategy. They created a fork (`zblgg/configuration`), opened a PR to trigger a vulnerable workflow, and poisoned the GitHub Actions cache with a malicious `pnpm` store.
### Lateral Movement
- **Mechanism:** The malware functions as a self-propagating worm. It uses stolen GitHub OIDC tokens and npm tokens from infected victims to automatically publish poisoned versions of other packages the victim has write access to.
### Data Exfiltration/Impact
- **Impact:** Compromise of `@tanstack/react-router` (12M weekly downloads), `@uipath` enterprise tools, and `@mistralai/mistralai`.
- **Theft:** Massive exfiltration of CI/CD tokens (GitHub, GitLab, CircleCI), Cloud credentials (AWS IMDSv2, GCP, Azure), and HashiCorp Vault secrets.
### Detection & Response
- **Detection:** Identified by security researchers and the npm registry team on May 11.
- **Response Actions:** npm registry began removing malicious versions; security vendors (Wiz) published technical deep-dives to facilitate mitigation.
## Attack Methodology
- **Initial Access:** GitHub Actions `pull_request_target` vulnerability leading to cache poisoning.
- **Persistence:** Installation of `gh-token-monitor` daemon (LaunchAgent on macOS / systemd on Linux).
- **Privilege Escalation:** Extraction of OIDC tokens directly from GitHub Actions runner process memory (`/proc/<pid>/mem`).
- **Defense Evasion:** Renaming forks to evade searches; obfuscated JS payloads; malware aborts if system language is Russian.
- **Credential Access:** Scraping memory for tokens; targeting cloud provider metadata services (IMDSv2).
- **Discovery:** Scanning for CI/CD environment variables and local config files.
- **Lateral Movement:** Automated "worm" functionality using stolen tokens to infect subsequent npm repositories.
- **Collection:** Gathering tokens for registries, cloud providers, and repositories.
- **Exfiltration:** Triple redundancy: Typosquat domain, Session messenger (decentralized), and GitHub "dead drop" repositories.
- **Impact:** A destructive wiper command (`rm -rf ~/`) is executed if the malware detects that its stolen GitHub token has been revoked.
## Impact Assessment
- **Financial:** High potential cost due to cloud credential theft and secondary breaches.
- **Data Breach:** Secret and token theft affecting potentially thousands of downstream organizations.
- **Operational:** Disruption of CI/CD pipelines and manual remediation required for infected developer machines.
- **Reputational:** High impact for compromised open-source maintainers and enterprise vendors.
## Indicators of Compromise
- **Network Indicators:**
  - `git-tanstack[.]com` (C2)
  - `*.getsession[.]org` (Exfiltration)
- **File Indicators:**
  - `router_init.js` (Obfuscated payload)
  - `setup.mjs` (Malicious downloader)
  - `com.us.gh-token-monitor` (LaunchAgent/Persistence)
- **Behavioral Indicators:**
  - Unexpected `pnpm` cache modifications.
  - Rogue `node` processes accessing `/proc/self/mem`.
  - Automated creation of "Dune-themed" repositories on GitHub.
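
The sweep below is an added example, not part of the original report or any vendor tooling: it walks a directory tree (a project, a pnpm store, a home directory) for the file, persistence and network indicators listed above. The function names, the scanned file suffixes and the sample tree are assumptions of this example; a name-only hit on `setup.mjs` or `router_init.js` is a triage lead, since those names also occur in benign packages.

```python
import os
import tempfile
from pathlib import Path
# Indicators copied from this report; domains are refanged only at runtime.
FILE_IOCS = {"router_init.js", "setup.mjs"}  # common names: treat hits as leads
PERSISTENCE_MARKER = "gh-token-monitor"  # matches com.us.gh-token-monitor too
DOMAIN_IOCS = [d.replace("[.]", ".") for d in ("git-tanstack[.]com", "getsession[.]org")]
TEXT_SUFFIXES = {".js", ".mjs", ".cjs", ".json", ".yaml", ".yml", ".plist", ".service"}
MAX_BYTES = 2_000_000  # do not content-scan very large files


def sweep(root):
    """Return sorted (kind, relative_path, indicator) findings under root."""
    root, findings = Path(root), set()
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in FILE_IOCS:
                findings.add(("file", rel, name))
            if PERSISTENCE_MARKER in name:
                findings.add(("persistence", rel, PERSISTENCE_MARKER))
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(errors="ignore").lower()
            except OSError:
                continue  # unreadable file or dangling symlink
            findings.update(("network", rel, d) for d in DOMAIN_IOCS if d in text)
    return sorted(findings)


def build_constructed_tree(base):
    """Create a constructed sample tree (placeholders, not real malware)."""
    base = Path(base)
    bad = base / "node_modules" / "flagged-pkg"
    agents = base / "Library" / "LaunchAgents"
    for d in (base / "node_modules" / "clean-pkg", bad, agents):
        d.mkdir(parents=True)
    (base / "node_modules" / "clean-pkg" / "index.js").write_text("module.exports = 1;\n")
    (bad / "setup.mjs").write_text("// placeholder: https://" + DOMAIN_IOCS[0] + "/x\n")
    (agents / "com.us.gh-token-monitor.plist").write_text("<plist/>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        print(*sweep(tmp), sep="\n")
```
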
## Response Actions
- **Containment:** Revoke all npm and GitHub tokens used in affected environments.
- **Eradication:** Remove malicious npm package versions. Audit and clear GitHub Actions caches.
- **Recovery:** Re-image affected developer workstations. Rotate all cloud and CI/CD secrets.
## Lessons Learned
- **Cache Security:** GitHub Actions caches are shared across branches and can be poisoned by untrusted PRs if not strictly managed.
- **Memory Safety:** Attackers are moving beyond environment variables to scrape OIDC tokens directly from runner memory.
- **Anti-Revocation Tactics:** The use of "wiper" logic as a response to token revocation is a malicious evolution designed to deter security responses.
## Recommendations
- **CI/CD Hardening:** Adopt `pnpm-lock.yaml` integrity checks and avoid using `pull_request_target` with untrusted forks.
- **Secrets Management:** Use short-lived credentials and OIDC where possible, but monitor process memory access.
- **Registry Security:** Enable 2FA for all npm publishers and use "provenance" features to verify build origins.
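
To apply the cache-security lesson and the CI/CD hardening recommendation above, the following added example (not from the original report or from any affected project) audits workflow files for the combination the report describes: a `pull_request_target` trigger together with PR-head checkout, Actions cache use and `id-token: write`. It is a line-based heuristic rather than a YAML parser, and the finding codes and both sample workflows are constructed for illustration.

```python
import re

# Heuristic patterns; a line-based scan, not a YAML parser (assumption of this example).
TRIGGER = re.compile(r"^\s*(?:on\s*:.*|-\s*)?pull_request_target\b", re.M)
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
CACHE_USE = re.compile(r"uses:\s*actions/cache(?:/\w+)?@|^\s*cache:\s*['\"]?(?:npm|pnpm|yarn)\b", re.M)
ID_TOKEN = re.compile(r"^\s*id-token:\s*write\b", re.M)


def audit_workflow(text):
    """Return finding codes for one workflow file; [] means the trigger is absent."""
    body = re.sub(r"(^|[ \t])#.*$", "", text, flags=re.M)  # drop YAML comments
    if not TRIGGER.search(body):
        return []
    findings = ["pull_request_target"]  # runs with base-repo trust on fork PRs
    if PR_HEAD.search(body):
        findings.append("pr-head-checkout")  # untrusted PR code enters the job
    if CACHE_USE.search(body):
        findings.append("actions-cache")  # saved entries may be restored by later runs
    if ID_TOKEN.search(body):
        findings.append("id-token-write")  # the job can request an OIDC token
    return findings


# Constructed workflows for illustration; not taken from any affected project.
RISKY = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
"""
SAFE = """\
on: pull_request  # pull_request_target was removed
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
"""

if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFE))
```

A workflow that returns all four codes warrants manual review first; the trigger alone, with no checkout of PR code and no cache, is a much weaker signal.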