Mini Shai-Hulud worm infects npm, PyPI packages, steals tokens

Security researchers attribute the Mini Shai-Hulud worm to the threat actor TeamPCP after it altered npm and PyPI packages to include an obfuscated JavaScript backdoor named router_init.js. The injected code profiles environments, harvests credentials for cloud services, cryptocurrency wallets, AI tools, messaging apps and CI systems, and sends harvested data to filev2.getsession.org.

When exfiltration to the Session Protocol domain fails, the malware encrypts collected data and commits it to attacker-controlled GitHub repositories using stolen tokens and the GraphQL API under the author address [email protected].

TanStack traced the compromise to a chained GitHub Actions attack that used the pull_request_target trigger, cache poisoning and runtime extraction of an OpenID Connect token from a runner process. Attackers staged a payload in a fork, injected it into published npm tarballs and used the project’s own TanStack/router release workflow to publish compromised versions with valid SLSA provenance. TanStack wrote that “No npm tokens were stolen, and the npm publish workflow itself was not compromised.”

The malware establishes persistence by adding hooks to Claude Code and Visual Studio Code so the stealer runs on each IDE launch. It installs a gh-token-monitor service to capture and re-exfiltrate GitHub tokens and injects malicious GitHub Actions workflows that serialize repository secrets into JSON and upload them to api.masscan.cloud.

The TanStack incident was assigned CVE-2026-45321 with a CVSS score of 9.6. Security firm StepSecurity reported the campaign affected 42 TanStack packages and 84 versions. StepSecurity researcher Ashish Kurmi described the attack as publishing malicious versions through the project’s own GitHub Actions release pipeline using hijacked OIDC tokens.

Beyond TanStack, Mini Shai-Hulud compromised packages on npm and PyPI. Affected Python packages include [email protected] and [email protected]. Multiple OpenSearch releases and packages tied to UiPath, DraftLab and other projects were also impacted.

Analysis of the malicious mistralai package found it downloads a credential stealer from 83.142.209.194. That downloader contains logic to avoid Russian-language environments and a geofenced destructive branch with about a one-in-six chance of running rm -rf / when the system appears to be in Israel or Iran.

Researchers highlighted the [email protected] compromise because its malicious code executes on import. Socket researchers reported the package checks for Linux, downloads a Python artifact from https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz and runs it with python3 without verifying integrity.

The worm can propagate inside package ecosystems by searching for a publishable npm token with bypass_2fa enabled, enumerating all packages owned by the same maintainer and exchanging a GitHub OIDC token for a per-package publish token. Security teams say this is the first documented npm worm that produced malicious packages while carrying valid SLSA Build Level 3 provenance attestations.

Vendors and researchers continue to publish indicators of compromise and remediation steps. Maintainers are advised to inspect GitHub Actions workflows, rotate tokens, review recent package versions and commits for unexpected changes, and verify provenance on published releases.