Full Report
Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers. [...]
Analysis Summary
# Incident Report: Shai-Hulud Supply-Chain Campaign (May 2026 Wave)
## Executive Summary
The Shai-Hulud supply-chain campaign, attributed to the TeamPCP threat group, compromised hundreds of npm and PyPI packages, including high-profile projects like TanStack and Mistral AI. By exploiting GitHub Action workflow vulnerabilities, the attackers published malicious package versions carrying valid SLSA Build Level 3 provenance attestations, making them appear legitimate. The primary objective was the theft of developer credentials and cloud secrets, using the Session P2P network for stealthy exfiltration.
## Incident Details
- **Discovery Date:** May 11, 2026
- **Incident Date:** May 11, 2026 (Latest wave)
- **Affected Organizations:** TanStack, Mistral AI, SAP, Guardrails AI, UiPath, OpenSearch, and others.
- **Sector:** Software Development / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 11, 2026
- **Vector:** Exploitation of `pull_request_target` workflows and GitHub Actions cache poisoning.
- **Details:** Attackers used an "orphaned commit" trick in a forked repository to inject code that stayed accessible via GitHub’s internal storage. They chained this with OIDC token theft from runner memory.
### Lateral Movement
- **Details:** The malware used stolen GitHub and npm credentials to enumerate other packages linked to the compromised maintainers. It then automatically modified tarballs to inject payloads and republish malicious versions of those packages.
### Data Exfiltration/Impact
- **Details:** Credential-stealing payloads targeted GitHub PATs, AWS/Vault tokens, Kubernetes credentials, and SSH keys. Exfiltration was conducted via the Session P2P network to mask traffic as encrypted messenger data.
### Detection & Response
- **Discovery:** Identified by security firms including StepSecurity, Endor Labs, and Socket after suspicious publishing activity.
- **Response Actions:** Affected packages were flagged/removed; TanStack issued a post-mortem; security vendors released lists of over 400 compromised package versions.
## Attack Methodology
- **Initial Access:** Exploiting risky GitHub Action configurations (`pull_request_target`) and CI/CD cache poisoning.
- **Persistence:** Injects malicious hooks into Claude Code and VS Code auto-run tasks to survive package uninstallation.
- **Privilege Escalation:** Memory scraping of GitHub Actions processes to harvest high-privilege OIDC tokens.
- **Defense Evasion:** Valid SLSA Build Level 3 attestations; exfiltration via Session P2P network; use of orphaned Git commits.
- **Credential Access:** Scraping over 100 file paths for cloud providers, cryptocurrency tokens, and messaging apps.
- **Discovery:** Enumeration of maintainer-linked packages for self-propagation.
- **Lateral Movement:** Self-propagation across the CI/CD pipeline using stolen publish tokens.
- **Collection:** Automated scanning of `.env` files, Git configs, and IDE directories.
- **Exfiltration:** P2P messenger protocol (Session).
- **Impact:** Potential for total cloud environment takeover and data destruction (via "CanisterWorm" wiper if specific locales were matched).
## Impact Assessment
- **Financial:** High (Potential for unauthorized cloud resource usage and remediation costs).
- **Data Breach:** Massive theft of developer secrets, CI/CD tokens, and cloud infrastructure credentials.
- **Operational:** Disruption of major open-source ecosystems (TanStack, Mistral) and enterprise software supply chains (SAP).
- **Reputational:** Degradation of trust in "provenance" and "signed" package metadata.
## Indicators of Compromise
- **Network:**
  - api[.]masscan[.]cloud
  - git-tanstack[.]com
  - *[.]getsession[.]org
- **File:**
  - router_runtime.js
  - setup.mjs
- **Behavioral:** Unauthorized npm publish events from legitimate CI/CD runners; unexpected VS Code task modifications.
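A triage sweep for the file and behavioral indicators above, as an added example that is not part of the original report or any vendor tooling. It assumes the persistence uses VS Code's documented `runOptions.runOn: "folderOpen"` task setting; the sample tree and the function names are constructed for illustration.

```python
import json, os, re, tempfile

IOC_FILES = {"router_runtime.js", "setup.mjs"}  # file names from this page's IoC list

def autorun_tasks(text):
    """Return (label, command) for VS Code tasks set to run when a folder opens."""
    # tasks.json is JSON with comments: drop // lines and trailing commas first.
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    try:
        tasks = json.loads(text).get("tasks", [])
    except (ValueError, AttributeError):
        return [("<unparseable tasks.json>", "")]  # flag for manual review
    return [(t.get("label", ""), t.get("command", "")) for t in tasks
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def hunt(root):
    """Walk a project tree; return sorted (kind, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in IOC_FILES:
                findings.append(("ioc-file", rel))
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                with open(path, encoding="utf-8") as fh:
                    for label, cmd in autorun_tasks(fh.read()):
                        findings.append(("autorun-task", f"{rel}: {label} -> {cmd}"))
    return sorted(findings)

SAMPLE_TASKS = """{
  // constructed sample, not recovered from an infected host
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "init", "type": "shell", "command": "node setup.mjs",
     "runOptions": {"runOn": "folderOpen"}},
  ]
}"""

def demo():
    """Build a constructed project tree in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", ".vscode"))
        open(os.path.join(root, "app", "setup.mjs"), "w").close()
        with open(os.path.join(root, "app", ".vscode", "tasks.json"), "w") as fh:
            fh.write(SAMPLE_TASKS)
        return hunt(root)
```

A file-name match alone is only a lead, since both names can occur in legitimate projects; an auto-run task that the repository history does not explain is the stronger signal.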
## Response Actions
- **Containment:** Revocation of compromised npm and GitHub tokens; blocking of C2 domains at the DNS level.
- **Eradication:** Manual auditing of IDE directories to remove persistent hooks; rotation of all secrets accessed on developer machines.
- **Recovery:** Restoration of legitimate package versions and enforcement of stricter GitHub Action permissions.
## Lessons Learned
- **Key Takeaways:** Cryptographic signatures (SLSA) are not a guarantee of safety if the build environment itself is compromised.
- **Weaknesses:** Reliance on default GitHub Action permissions and the `pull_request_target` trigger provided an easy path for token theft.
## Recommendations
- **Prevention:** Enforce `lockfile-only` installs to prevent silent updates.
- **Hardening:** Use OpenID Connect (OIDC) with granular "claims" to limit token scope; audit GitHub Actions for `pull_request_target` usage.
- **Monitoring:** Implement behavioral analysis at the package installation stage to detect post-install scripts scraping sensitive directories.