Full Report
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution
Analysis Summary
# Incident Report: Mini Shai-Hulud Supply Chain Attack (TeamPCP)
## Executive Summary
TeamPCP launched a coordinated supply chain attack targeting major technology providers including TanStack, Mistral AI, and Guardrails AI through malicious npm and PyPI packages. The "Mini Shai-Hulud" worm used sophisticated GitHub Actions cache poisoning and OIDC token hijacking to publish malicious versions with valid SLSA provenance, effectively bypassing trust-based security controls. The malware profiles environments, steals credentials from cloud and CI/CD tools, and establishes persistence in developer IDEs.
## Incident Details
- **Discovery Date:** May 2026
- **Incident Date:** April – May 2026
- **Affected Organizations:** TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, DraftLab
- **Sector:** Technology / Software Development (DevOps & AI)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Circa May 2026 (ongoing campaign)
- **Vector:** GitHub Actions Supply Chain Compromise
- **Details:** Attackers exploited the `pull_request_target` trigger and GitHub Actions cache poisoning to extract OpenID Connect (OIDC) tokens from the runner memory.
### Lateral Movement
- **Mechanism:** The malware acts as a worm, leveraging stolen GitHub tokens to modify other repositories and publish malicious updates via legitimate release pipelines. It specifically targets CI/CD systems like GitHub Actions to propagate further.
### Data Exfiltration/Impact
- **Credential Theft:** Targeted cloud provider credentials, cryptocurrency wallets, AI tool secrets, and messaging app data.
- **CI/CD Impact:** Serialized repository secrets into JSON objects for exfiltration.
- **Environment Hijacking:** Malicious code was injected into legitimate npm tarballs with valid SLSA Build Level 3 provenance.
### Detection & Response
- **Discovery:** Identified by security firms including Aikido Security, Endor Labs, Socket, and Snyk.
- **Response Actions:** TanStack revoked compromised OIDC tokens and issued a post-mortem; affected packages were flagged/removed from registries; CVE-2026-45321 was assigned.
## Attack Methodology
- **Initial Access:** GitHub Actions runner exploitation (Cache poisoning + OIDC token hijacking).
- **Persistence:** Establishment of hooks in **Claude Code** and **Microsoft VS Code**; installation of a `gh-token-monitor` service.
- **Defense Evasion:** Use of obfuscated JavaScript (`router_init.js`); exfiltration via decentralized Session Protocol infrastructure; valid SLSA provenance attestations.
- **Credential Access:** Extraction of OIDC tokens from runner memory; theft of GitHub tokens and repo secrets.
- **Discovery:** Environment profiling via JavaScript.
- **Lateral Movement:** Automated spreading to other packages via hijacked GitHub author permissions.
- **Exfiltration:** Primary: `filev2.getsession[.]org`. Fallback: Committing encrypted data to GitHub repos via GraphQL API using stolen tokens.
- **Impact:** Critical (CVSS 9.6). Compromise of 42 packages and 84 versions in the TanStack ecosystem alone.
## Impact Assessment
- **Financial:** Potentially high due to cryptocurrency wallet targeting and cloud resource hijacking.
- **Data Breach:** Exposure of repository secrets, OIDC tokens, and developer credentials.
- **Operational:** Disruption of CI/CD pipelines and the need for manual cleanup of developer IDEs.
- **Reputational:** Significant; first documented case of a worm producing malicious packages that carry valid SLSA attestations.
## Indicators of Compromise
- **Network Indicators:**
- `filev2.getsession[.]org`
- `api.masscan[.]cloud`
- **File Indicators:**
- `router_init.js` (inside npm tarballs)
- `setup.mjs`
- **Behavioral Indicators:**
- Unauthorized `pull_request_target` activity from orphaned commits.
- Unexpected creation of `gh-token-monitor` services on developer machines.
- Automated commits from `[email protected]`.
## Response Actions
- **Containment:** Blocked traffic to known C2 domains; revoked compromised GitHub OIDC and personal access tokens.
- **Eradication:** Cleaned official npm and PyPI registries of affected versions; removed malicious hooks from VS Code and Claude Code configurations.
- **Recovery:** Re-publication of clean versions with invalidated cache; updated GitHub Actions workflow permissions.
## Lessons Learned
- **Trust Maturity:** SLSA provenance, while valuable, is not a silver bullet if the build environment (GitHub Actions) itself is compromised.
- **Workflow Security:** The `pull_request_target` trigger remains a high-risk vector if not strictly isolated from secrets and caches.
- **Worm Capability:** Supply chain attacks are evolving from static "typosquatting" to active, self-spreading worms that leverage legitimate infrastructure.
## Recommendations
- **CI/CD Hardening:** Apply the principle of least privilege to the GitHub Actions `GITHUB_TOKEN` (set `permissions` to `contents: read` by default).
- **Cache Isolation:** Be wary of using shared caches in workflows triggered by external actors.
- **IDE Monitoring:** Monitor developer workstations for unauthorized modifications to VS Code or AI coding assistant configurations.
- **Runtime Protection:** Use Bun/Node policies to restrict the execution of unauthorized lifecycle hooks (preinstall/prepare).
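The Lessons Learned and Recommendations above name three workflow-level conditions the report ties to this campaign: a `pull_request_target` trigger reachable by external contributors, a cache shared with that trigger, and a write-capable token. The following is an added example, not code from the report or from any of the affected projects: two constructed workflow files (the weak shape beside its hardened counterpart) and a small audit function a defender can run over a repository's `.github/workflows/` directory. The check names, the regex heuristics and the workflow contents are assumptions for illustration; `npm ci --ignore-scripts` is the npm-native way to disable lifecycle hooks, used here in place of the Bun/Node policies the report mentions.

```python
import re

# Constructed weak workflow: privileged trigger, PR head checked out,
# shared npm cache, write-all token, lifecycle scripts left enabled.
WEAK_WORKFLOW = """\
on: pull_request_target
permissions: write-all
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
      - run: npm ci
"""

# Constructed hardened counterpart: untrusted trigger, read-only token,
# no cache in the externally reachable job, lifecycle scripts disabled.
HARDENED_WORKFLOW = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
"""

# (name, regex) pairs; heuristics over the raw YAML text, not a full parser.
CHECKS = [
    ("privileged-trigger", r"^\s*on:.*pull_request_target|^\s*pull_request_target:"),
    ("pr-head-checkout", r"pull_request\.head\."),
    ("shared-cache", r"uses:\s*actions/cache@"),
    ("write-token", r"permissions:\s*write-all|\bid-token:\s*write|\bcontents:\s*write"),
    ("lifecycle-scripts", r"npm (ci|install)(?!.*--ignore-scripts)"),
]


def audit_workflow(text: str) -> list:
    """Return the names of CHECKS that fire on one workflow file's text.

    A cache is reported only when the workflow is also reachable by external
    actors through pull_request_target, which is the combination the report
    warns about; caches in purely internal jobs are not flagged.
    """
    found = [name for name, pat in CHECKS if re.search(pat, text, re.MULTILINE)]
    if "privileged-trigger" not in found:
        found = [name for name in found if name != "shared-cache"]
    return found
```

Run `audit_workflow` over each file under `.github/workflows/`; any non-empty result is a candidate for the permission, trigger and cache changes listed in the Recommendations.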