Security

When Provenance Isn't Enough: The 'Mini Shai-Hulud' Supply-Chain Worm and What It Changes


A self-propagating worm dubbed "Mini Shai-Hulud" tore through npm and PyPI in May 2026, hitting TanStack, OpenAI, Grafana, GitHub and others — and, crucially, defeated cryptographic provenance by compromising build pipelines at runtime. Here's why it matters and what defenders should change.

The story of the month

The most consequential software supply-chain event of the past month wasn't a single forged signature or a lone abandoned package — it was a self-propagating worm. The "Mini Shai-Hulud" campaign, widely attributed to a group called TeamPCP, swept through the npm and PyPI ecosystems starting May 11, 2026, stealing credentials and republishing itself across hundreds of packages [1][2].

It earned headline status for three reasons. It struck marquee victims — TanStack, OpenAI, Grafana, GitHub itself, Mistral AI, UiPath and Red Hat [2][3][4][5]. It triggered a coordinated response from CISA, npm and GitHub [1][12]. And, most importantly, it defeated the industry's flagship defense — cryptographic provenance and trusted publishing — not by breaking the cryptography but by poisoning the pipeline that produces it [13][14][16].

What happened

The flagship event was the TanStack wave: TeamPCP published 84 malicious artifacts across 42 @tanstack/* packages, a library used across React, Vue and Solid with millions of weekly downloads [4][16]. The malicious window was brief — minutes — but the same day's broader campaign hit over 170 packages, with hundreds of malicious artifacts published in a roughly five-hour window, including UiPath npm packages, the OpenSearch JavaScript client, Mistral AI's SDKs and the Guardrails AI PyPI package [2][4].

The fallout cascaded for weeks. OpenAI disclosed that two employee devices were infected via TanStack and some credential material was exfiltrated from internal repositories — though no user data or production systems were affected; notably, those devices had not yet received hardened configs OpenAI was rolling out after a March incident [20][21]. Grafana automatically consumed a malicious TanStack package in its CI/CD, leaked workflow tokens, rotated them — but missed one, which attackers used to download its codebase; Grafana refused a ransom demand [9][10]. GitHub confirmed roughly 3,800 internal repositories were exfiltrated after an employee installed a trojanized Nx Console VS Code extension that sat live on the Marketplace for under 20 minutes [17][18][19].

The worm kept mutating. An AntV (Alibaba) wave used a compromised maintainer account to publish hundreds of malicious versions across 317 packages in about 20 minutes, reaching high-download dependencies like echarts-for-react [7]. A "Miasma" variant later poisoned 32 Red Hat npm packages in a 72-second automated burst [5]. By around May 20, Socket counted 1,055 malicious versions across 502 unique packages [8].

Why it matters: provenance is necessary but not sufficient

This is the central lesson. The TanStack attack chained three known weaknesses [16]. First, a pull_request_target "Pwn Request" misconfiguration that runs fork code with elevated context. Second, GitHub Actions cache poisoning across the fork-to-base trust boundary: attackers poisoned the Actions cache so that when legitimate maintainer PRs later merged, the release workflow restored the malicious cache. Third, runtime extraction of the OIDC token straight from the runner's process memory — exchanged for a signing certificate so the malicious packages carried valid SLSA provenance and shipped under a trusted identity [16].

The uncomfortable result: provenance and trusted publishing verified the malicious packages exactly as designed [13][14]. As JFrog framed it, provenance can prove where an artifact was built but not that the build workflow was clean at runtime [13]. That is the quotable thesis of the whole incident.

Two more mechanics reshape defense. The payload installs a dead man's switch — a token monitor (persisted via systemd user service on Linux or a LaunchAgent on macOS) that polls GitHub every 60 seconds; if it detects a revoked token, it runs rm -rf ~/, destroying the user's home directory [11][14]. And it is worm-like: using stolen tokens it enumerates packages the victim can publish, injects install hooks, bumps versions and republishes — even attempting to modify Claude Code's settings to reinstate itself [13][14].

What defenders should change

The single biggest reflex to invert: isolate the host and remove persistence before revoking credentials. The traditional "revoke first" instinct can trigger the destructive switch [11][14]. Beyond that, consolidated guidance from Snyk, JFrog, HeroDevs and StepSecurity points in clear directions [13][14][16]:

  • Pin trusted publishing to a specific workflow and branch, not just owner/repo, and scope OIDC narrowly: set id-token: none at the workflow level and grant id-token: write only on the publishing job [12][16].
  • Audit pull_request_target workflows that check out fork code and write caches; separate fork-code execution from base-repo cache writes [16].
  • Treat provenance and signing as necessary but not sufficient. Add behavioral analysis at install time — Snyk reports automated analysis flagged all 84 TanStack artifacts within minutes [16].
  • Pin dependencies, audit lockfiles and transitive dependencies, and rotate every secret a compromised machine could touch [14].
  • Monitor anomalous outbound traffic, including DNS TXT-based exfiltration used by some variants [6], and govern IDE extensions — the Nx Console breach shows the extension layer sits right next to source and secrets [17].
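As an added illustration (not from the article, nor from any of the vendors it cites), the two GitHub Actions fragments below contrast the pull_request_target-plus-cache pattern described in the TanStack chain with a layout that follows the first two items of this list; workflow, job, artifact and tag names are assumed.

```yaml
# .github/workflows/ci.yml  -- WEAK (assumed example)
# pull_request_target runs with the base repo's context, checks out the fork's
# code, and writes a dependency cache scoped to the base branch; a later release
# run can restore a cache that fork code poisoned.
name: ci
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork code
      - uses: actions/setup-node@v4
        with:
          cache: npm                                      # cache write
      - run: npm ci && npm test

# .github/workflows/release.yml  -- HARDENED (assumed example)
# Fork PRs are tested under plain `pull_request` (read-only token, no secrets,
# no cache write) in a separate file; this workflow runs only on tags, defaults
# id-token to none, and enables it solely on the publish job.
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: none
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci            # no `cache:` input anywhere in this workflow
      - run: npm pack
      - uses: actions/upload-artifact@v4
        with:
          name: package-tarball
          path: '*.tgz'
  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write          # OIDC token minted only for this job
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: package-tarball
      - run: npm publish ./*.tgz --provenance
```

Pinning trusted publishing to this workflow file and branch is configured on the registry side, not in the YAML, so the two settings have to be kept in sync.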

CISA added TanStack and Nx Console entries to its KEV catalog and urged active hunting, while npm invalidated granular access tokens and is pushing hardened trusted publishing with optional maintainer-approved staging [1][12][22].

The caveats

Attribution isn't settled. Most outlets name TeamPCP, but the Shai-Hulud source was publicly released, the group itself was reportedly hacked, and copycats — including the later "Miasma" and "Hades" variants — may be different actors [3]. Counts also vary between sources, and GitHub called TeamPCP's "~4,000 repos" claim only "directionally consistent" with its own ~3,800 figure [3][19]. The throughline survives the ambiguity: when the build pipeline is the target, a clean signature proves less than we assumed.

Sources

  1. In Other News: CISA Responds to Supply Chain Attacks — SecurityWeek
  2. TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack — SecurityWeek
  3. Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack — TechCrunch
  4. Mistral AI SDK, TanStack Router hit in npm software supply chain attack — CSO Online
  5. Supply Chain Attack Hits 32 Red Hat NPM Packages — SecurityWeek
  6. Expired domain leads to supply chain attack on node-ipc npm package — CSO Online
  7. AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks — InfoWorld
  8. Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek
  9. Grafana Labs Says Code Breach Stemmed from TanStack Attack — Infosecurity Magazine
  10. Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack — SecurityWeek
  11. Dead Man's Switch in npm Malware — Penligent
  12. Trusted publishing for npm packages — npm Docs
  13. Shai-Hulud: Here We Go Again — Worm by TeamPCP Hits NPM and PyPI — JFrog Security Research
  14. Mini Shai-Hulud: Another npm Supply Chain Worm, and Why "Just Update" Isn't the Answer — HeroDevs
  15. TanStack npm Packages Hit by Mini Shai-Hulud — Snyk
  16. GitHub Internal Repositories Breached via Compromised Nx Console VS Code Extension — Rescana
  17. VS Code Extension Breach Exposes 3,800 GitHub Repositories — Let's Data Science
  18. GitHub confirms breach of 3,800 repos via malicious VSCode extension — BleepingComputer
  19. OpenAI Hit by TanStack Supply Chain Attack — SecurityWeek
  20. OpenAI says hackers stole some data after latest code security issue — TechCrunch
  21. CISA chief frets about open-source vulnerabilities, delayed security improvements — CyberScoop