Arctic Wolf Security Bulletin

Mini Shai-Hulud: Supply Chain Malware Attack

A coordinated supply chain attack has compromised dozens of npm and PyPI packages across major projects using GitHub Actions cache poisoning and token exfiltration techniques.

Threat Summary

A coordinated supply chain attack, tracked as the Mini Shai-Hulud campaign and attributed to the TeamPCP threat actor, has compromised dozens of npm and PyPI packages across major projects (including TanStack, UiPath, Mistral AI, guardrails-ai, and others) using GitHub Actions cache poisoning and token exfiltration techniques. Malicious versions, published May 11–12, 2026, include Trojanized JavaScript and Python code that uses preinstall/import hooks, Bun runtime stages, and persistence daemons (e.g., gh-token-monitor) to steal CI/CD, cloud, and developer credentials. Attacker C2 infrastructure includes custom domains, Session messaging, and exfiltration via GitHub repositories, with redundant failovers that ensure persistence and stealth.

The attack chain began with exploitation of mutable CI workflow triggers and GitHub cache keys, allowing the deployment of poisoned dependencies that execute malicious hooks during install or import. Victims span global software, cloud, and enterprise DevOps pipelines, with notable impact on AI, cloud security, and infrastructure projects. Organizations are advised to treat any system that installed affected package versions as fully compromised. Credential exposure, downstream re-infection risk, and, even more seriously, destructive wiper payloads (triggered in certain geo-locations or on credential revocation) are known aspects of this campaign.

Initial indicators emerged May 11, 2026, with rapid security research and vendor acknowledgment within 24–48 hours. However, dozens of malicious releases were live on the npm and PyPI registries for 12–36 hours or more before quarantine. Large-scale credential and secret leakage, including CI/CD, cloud API keys, SSH keys, and more, is probable for any exposed environment. Threat activity remains ongoing, with threat actors pursuing credential theft and, in some cases, extortion/ransom strategies.

Multiple supply chains are affected: npm, PyPI, GitHub Actions, Docker, and VS Code extensions. With both Linux and macOS daemons deploying persistence and destructive options, the threat is broad, sophisticated, and likely to propagate further if not remediated. No government CERT advisories are yet available; industry and vendor postmortems are the primary authoritative guidance at this time.

Recommendations

Immediate (First 24 Hours):

  • Audit and Remove Compromised Packages: Uninstall any of the affected package versions from all production, CI/CD, and developer systems. Scan all lockfiles, manifests, containers, and CI caches for traces of the compromised package versions listed.
  • Rotate All Credentials: Immediately rotate all access/secret keys, tokens, passwords, and OIDC credentials present on affected systems, including cloud provider (AWS, GCP, Azure), GitHub, npm, PyPI, and SSH credentials.
  • Hunt for Persistence Artifacts
    • If an infection is suspected, review your filesystem for the following artifacts:
      • Linux: ~/.config/systemd/user/gh-token-monitor.service
      • macOS: ~/Library/LaunchAgents/com.user.gh-token-monitor.plist
      • Look for files like router_init.js, setup.mjs, .pth Python files (LiteLLM/Telnyx), .claude/settings.json, and .vscode/tasks.json.
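A small hunting script for the artifacts listed above, added here as an example (not Arctic Wolf tooling). It takes the bulletin's paths relative to the scanned home directory, matches the dropper file names at any depth below it, and reports a .pth file only when it contains lines that CPython executes at interpreter start-up rather than plain path entries.

```python
"""Hunt for persistence artifacts named in this bulletin. Added example, not Arctic
Wolf tooling; the .pth check relies on CPython running any .pth line that starts
with "import" at interpreter start-up."""
import fnmatch
import os
import sys
from pathlib import Path

# fnmatch patterns over paths relative to the scanned root (normally $HOME).
ARTIFACTS = {
    ".config/systemd/user/gh-token-monitor.service": "Linux systemd user unit",
    "Library/LaunchAgents/com.user.gh-token-monitor.plist": "macOS LaunchAgent",
    ".claude/settings.json": "Claude settings: review for injected hooks",
    ".vscode/tasks.json": "VS Code tasks: review for auto-run tasks",
    "*/router_init.js": "dropper file name from the campaign",
    "*/setup.mjs": "dropper file name from the campaign",
    "*.pth": "Python .pth file with executable lines",
}

def classify(rel_path):
    rel = Path(rel_path).as_posix()            # normalises "./" and os.sep
    for pattern, reason in ARTIFACTS.items():
        if fnmatch.fnmatch(rel, pattern):
            return reason
    return None

def pth_exec_lines(text):
    """Lines of a .pth file that are executed instead of being added to sys.path."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def hunt(root):
    """Walk root; return (path, reason) pairs. .pth files with only path entries are skipped."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = Path(dirpath, fn)
            reason = classify(full.relative_to(root))
            if reason is None:
                continue
            if fn.endswith(".pth"):
                text = full.read_text(errors="replace") if os.access(full, os.R_OK) else ""
                lines = pth_exec_lines(text)
                if not lines:
                    continue               # plain sys.path entries: normal in site-packages
                reason += ": " + "; ".join(lines)[:160]
            hits.append((str(full), reason))
    return hits

if __name__ == "__main__":
    for path, why in hunt(sys.argv[1] if len(sys.argv) > 1 else Path.home()):
        print(f"[REVIEW] {path}  ({why})")
```

Every hit is a review item rather than a verdict: legitimate tooling (setuptools, for one) also ships .pth files with import lines, so compare the reported commands against what the package is expected to do.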

Short-term (Next 48 Hours):

  • Patch and Update: For all affected vendors:
    • TanStack: Roll back to pre-May 11, 2026, package versions; follow TanStack’s postmortem guidance.
    • Mistral AI: Upgrade to versions after 2.4 (npm) and 2.4.6 (PyPI).
    • guardrails-ai: Upgrade to at least 5.10; remove 0.10.1 if present.
    • UiPath: Monitor for official patches; in the meantime, avoid @uipath/* npm packages from the compromised window.
  • Rebuild and Revalidate:
    • Fully redeploy from trusted sources (e.g., source code, not artifact caches or images from compromised builds).
    • Clean or invalidate any CI artifact or dependency caches (npm, pip, Docker, etc.).
  • Credential Hygiene:
    • Audit for unauthorized GitHub repository creation with descriptions such as “A Mini Shai-Hulud has Appeared.”
    • Enforce organization-wide credential rotation and enforce MFA everywhere secrets were at risk.

Long-term / Strategic:

  • Harden CI/CD Systems:
    • Consider setting a minimum release age. JavaScript package management tools such as npm, pnpm, Yarn, and Bun have recently added a minimumReleaseAge configuration option, which sets a minimum age for newly published packages. Setting this value to a day or longer makes it less likely that malicious packages will be installed.
    • Avoid using pull_request_target except where absolutely necessary; never allow untrusted PR code to manipulate shared caches.
    • Pin all GitHub Actions and workflow steps to immutable commit SHAs (never to tags or branches).
    • Segregate cache keys for trusted (merge/release) vs. untrusted (PR) workflows.
  • Supply Chain Controls:
    • Implement dependency pinning and regular SCA (software composition analysis) with alerting on new, untrusted package versions.
    • Lock down workflow file access using CODEOWNERS and security policy review.
    • Use OIDC-based dynamic credentials for builds; never persist credentials on runners.
  • User & EDR Training:
    • Instruct developers to inspect for .pth files or suspicious startup artifacts.
    • Deploy EDR/AV rules for artifacts (hashes, filenames, domains) listed under IOCs and monitor for anomalous install-time behavior.
  • Incident Response Readiness:
    • Document recovery procedures, including environment wipes and secure re-provisioning, as malware poses destructive threats on token revocation or geo-trigger.
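An added example (not from the bulletin) that checks workflow files for three of the hardening points above: pull_request_target triggers, uses: references that are not pinned to a 40-character commit SHA, and cache keys with no event or ref component. It is line-based rather than a YAML parser, the cache-key rule is a heuristic, and SAMPLE is a constructed workflow whose SHA is a placeholder.

```python
"""Audit GitHub Actions workflow text for pull_request_target triggers, unpinned
actions and shared cache keys. Added example (regex-based, no YAML library); the
cache-key rule is a heuristic and the sample workflow is constructed."""
import re
import sys

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
KEY_RE = re.compile(r"^\s*key:\s*(.+?)\s*$")

def audit_workflow(text):
    """Return [(line_no, finding)] for one workflow file's YAML text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if re.search(r"\bpull_request_target\b", line):
            findings.append((no, "pull_request_target: runs with base-repo secrets on PR-controlled input"))
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):   # local/docker pin differently
            ref = m.group(1).partition("@")[2]
            if not SHA_RE.match(ref):
                findings.append((no, f"{m.group(1)} is not pinned to a 40-hex commit SHA"))
        m = KEY_RE.match(line)
        if m and not any(v in m.group(1) for v in ("github.event_name", "github.ref")):
            findings.append((no, "cache key has no event/ref component: PR and release runs share it"))
    return findings

# Constructed sample; the SHA is a placeholder, not a real actions/setup-node commit.
SAMPLE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('**/package-lock.json') }}
"""

if __name__ == "__main__":
    files = sys.argv[1:]
    for name, text in [(f, open(f).read()) for f in files] or [("SAMPLE", SAMPLE)]:
        for no, msg in audit_workflow(text):
            print(f"{name}:{no}: {msg}")
```

Pass one or more .github/workflows/*.yml paths on the command line; with no arguments it audits SAMPLE and reports four findings.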

Temporary Workarounds

General/CI-Level Workarounds Until All Environments Are Patched:

  • Disable Shared Caching in CI: Temporarily set package-manager-cache: false in actions/setup-node for npm and disable pip caching where possible; isolate or clear caches on every run.
  • Pin Dependency Versions: Lock dependencies to trusted/verified versions in package-lock.json, txt, etc.
  • Monitor for Preinstall/Import Hooks: Block all new packages that introduce preinstall or postinstall scripts; review changes in dependency trees carefully.
  • Offline/Manual Reviews: For critical builds, perform offline verification of ALL dependencies, and avoid auto-updating or unverified third-party packages.
  • Persistence Clean-Up: Remove any persistence artifacts (e.g., gh-token-monitor services, .pth files) detected during audits.
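An added example (not Arctic Wolf's) for the preinstall/postinstall workaround above: it lists every installed npm package that declares an install-time script and diffs against a saved baseline, so only packages whose hooks are new or changed since the last review surface. The node_modules path and baseline file are the caller's; the hook names are npm's documented lifecycle scripts.

```python
"""List npm packages with install-time lifecycle scripts and diff against a saved
baseline. Added example, not Arctic Wolf tooling; works on parsed package.json
dicts, so it can also run on manifests fetched during a dependency review."""
import json
import os
import sys

# npm runs these for every dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def install_hooks(manifest):
    """Return {hook: command} for install-time scripts declared in a manifest."""
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return {}
    return {h: scripts[h] for h in INSTALL_HOOKS if isinstance(scripts.get(h), str)}

def scan_node_modules(root):
    """Walk a node_modules tree; return [(name, version, {hook: cmd})] for hooked packages."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".bin"]   # symlinked executables only
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue
        hooks = install_hooks(manifest)
        if hooks:
            hits.append((manifest.get("name", dirpath), manifest.get("version", "?"), hooks))
    return hits

def newly_hooked(baseline, current):
    """Entries in current whose package had no hooks, or different hook commands, in baseline."""
    known = {name: hooks for name, _, hooks in baseline}
    return [hit for hit in current if known.get(hit[0]) != hit[2]]

if __name__ == "__main__":
    # usage: scan_hooks.py node_modules [baseline.json]; the new baseline goes to stdout
    current = scan_node_modules(sys.argv[1])
    baseline = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else []
    for name, version, hooks in newly_hooked(baseline, current):
        print(f"NEW HOOK {name}@{version}: {hooks}", file=sys.stderr)
    json.dump(current, sys.stdout)
```

Save the first run's stdout as the baseline; later runs print NEW HOOK lines to stderr for anything that should be reviewed before the tree is trusted.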

Known Limitations:

  • Disabling cache may slow down CI/CD pipelines.
  • Pinning versions does not protect from already-compromised environments; full credential rotation is required.
  • New persistence mechanisms may evade simple deletion; some artifacts may exist outside standard dependency paths.

Affected Packages:

The affected packages are listed here:
