
TeamPCP, the threat actor behind recent supply chain attacks, has been implicated in compromising npm and PyPI packages for TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a new Mini Shai-Hulud campaign.
The affected npm packages have been modified to include an obfuscated JavaScript file (‘router_init.js’) that profiles the execution environment and launches a comprehensive credential stealer targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems, including GitHub Actions, according to multiple reports from Aikido Security, Endor Labs, SafeDep, Socket, StepSecurity, and Snyk. The stolen data is exfiltrated to the “filev2.getsession[.]org” domain.
The use of session protocol infrastructure is a deliberate attempt on the attacker’s part to evade detection, as it is unlikely to be blocked within an enterprise environment, given that the domain belongs to a decentralized, privacy-focused messaging service. As a fallback option, the encrypted data is committed to an attacker-controlled repository with the author name “claude@users.noreply.github.com” via the GitHub GraphQL API using a stolen GitHub token.
The malware can also establish persistence hooks in Claude Code and Microsoft Visual Studio Code (VS Code) to survive reboots and rerun the stealer each time the IDE is started.
It also installs a gh-token-monitor service that watches for and re-exfiltrates GitHub tokens, and injects two malicious GitHub Actions workflows that serialize the repository’s secrets into a JSON object and upload the data to an external server (“api.masscan[.]cloud”).
Unlike previous waves of the campaign, in which compromised packages added preinstall hooks that triggered the infection sequence, the latest TanStack clusters employ a different strategy: the JavaScript files are shipped inside the package tarball and an optional dependency is added that points to a package hosted on GitHub. That GitHub dependency carries a prepare lifecycle hook that executes the JavaScript payload through the Bun runtime.
The Mistral AI package update, on the other hand, follows the previous approach, replacing the contents of the ‘package.json’ file with a pre-installation hook that calls ‘node setup.mjs’, which downloads Bun and runs the same JavaScript malware.
TanStack subsequently traced the compromise to a chained GitHub Actions attack that involved a “pull_request_target” trigger, GitHub Actions cache poisoning, and extraction of OIDC tokens from the memory of the GitHub Actions runner process. “No npm tokens were stolen, and the npm publishing workflow itself was not compromised,” TanStack said.

Specifically, the attackers are assessed to have staged a malicious payload via an orphaned commit to a GitHub fork, injected it into a published npm tarball, and then hijacked the project’s legitimate “TanStack/router” workflow to publish a compromised version with valid SLSA provenance.
This attack is notable because it abuses trusted publishing: attacker-controlled code running within a workflow can use the workflow’s OIDC permissions to “mint” short-lived publish tokens during a build and use them to publish packages without ever stealing a long-lived npm token.
The worm spreads itself to other packages by searching for publishable npm tokens with bypass_2fa set to true, enumerating all packages published by the same maintainer, and exchanging GitHub OIDC tokens for per-package publish tokens, bypassing traditional authentication entirely.
“The orphaned commit triggered further GitHub Actions workflow executions against the legitimate TanStack/Router workflow surface,” said Peyton Kennedy, a researcher at Endor Labs. “The repository’s OIDC trusted publisher configuration granted trust at the repository level, rather than being scoped to specific protected branches and workflow files, so workflow executions triggered by that commit could request a valid short-lived npm publish token.”
The TanStack supply chain breach has been assigned CVE identifier CVE-2026-45321. The CVSS score is 9.6 out of a maximum of 10.0, indicating critical severity. This incident affected 42 packages and 84 versions across the TanStack ecosystem.
“In this attack, a hijacked OIDC token was used to publish a malicious version through the project’s own GitHub Actions release pipeline,” said StepSecurity researcher Ashish Kurmi.
“In a very rare escalation, the compromised package contained a valid SLSA build level 3 certificate of origin, making it the first documented npm worm to produce a validly proven malicious package. The worm has since spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers.”
Besides TanStack, the Mini Shai-Hulud campaign also spread to several other packages, including those from PyPI.
guardrails-ai@0.10.1 (PyPI)
mistralai@2.4.6 (PyPI)
@opensearch-project/opensearch@3.5.3, 3.6.2, 3.7.0, and 3.8.0
@squawk/mcp@0.9.5
@squawk/weather@0.5.10
@squawk/flightplan@0.5.6
@tallyui/connector-medusa@1.0.1, 1.0.2, and 1.0.3
@tallyui/connector-vendure@1.0.1, 1.0.2, and 1.0.3
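A small triage script, added here as an illustration and not code from any of the vendors or projects mentioned, that checks a package.json for the install-time tricks described above (a git-sourced optional dependency, a lifecycle script that spawns node or bun on a shipped file, a known payload filename in the tarball) and checks a package-lock for the npm versions listed on this page. The sample manifest and lockfile are constructed, and the function names are my own.

```python
import json
import re

# npm versions named on this page (constructed from the article; not a complete IoC list).
AFFECTED_NPM = {
    "@opensearch-project/opensearch": {"3.5.3", "3.6.2", "3.7.0", "3.8.0"},
    "@squawk/mcp": {"0.9.5"},
    "@squawk/weather": {"0.5.10"},
    "@squawk/flightplan": {"0.5.6"},
    "@tallyui/connector-medusa": {"1.0.1", "1.0.2", "1.0.3"},
    "@tallyui/connector-vendure": {"1.0.1", "1.0.2", "1.0.3"},
}
# Dependency specs that resolve to a git/GitHub source instead of the registry.
GIT_DEP = re.compile(r"^(git\+|github:|git://|https?://github\.com/|[\w.-]+/[\w.-]+(#.*)?$)")
PAYLOAD_FILES = {"router_init.js", "setup.mjs"}  # filenames cited in the article
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}

def scan_manifest(pkg: dict) -> list[str]:
    """Flag the install-time indicators from the article in one package.json dict."""
    findings = []
    for name, spec in pkg.get("optionalDependencies", {}).items():
        if GIT_DEP.match(str(spec)):  # prepare hook of a git dep runs on install
            findings.append(f"optionalDependency {name} resolves to git source {spec}")
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE and re.search(r"\b(node|bun|bunx)\b", cmd):
            findings.append(f"{hook} script executes a JS payload: {cmd}")
    for f in pkg.get("files", []):
        if f.rsplit("/", 1)[-1] in PAYLOAD_FILES:
            findings.append(f"payload file shipped in tarball: {f}")
    return findings

def affected_in_lockfile(lock: dict) -> list[str]:
    """Return name@version entries of a lockfile (v2/v3 'packages' map) on the affected list."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.split("node_modules/")[-1]
        if meta.get("version") in AFFECTED_NPM.get(name, set()):
            hits.append(f"{name}@{meta['version']}")
    return hits

# Constructed samples modelled on the article's description (hypothetical names).
SAMPLE_PKG = {
    "name": "example-lib", "version": "1.0.0",
    "files": ["dist", "router_init.js"],
    "optionalDependencies": {"helper-build": "github:example-org/example-helper#abc123"},
    "scripts": {"preinstall": "node setup.mjs", "build": "tsc"},
}
SAMPLE_LOCK = {"packages": {"node_modules/@squawk/mcp": {"version": "0.9.5"},
                            "node_modules/lodash": {"version": "4.17.21"}}}

if __name__ == "__main__":
    print(json.dumps({"manifest": scan_manifest(SAMPLE_PKG),
                      "lockfile": affected_in_lockfile(SAMPLE_LOCK)}, indent=2))
```

Point the two functions at `json.load(open("package.json"))` and `json.load(open("package-lock.json"))` in a repository to run it against real inputs.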
In its analysis of the malicious mistralai PyPI package, Microsoft stated that the package is designed to download a credential stealer from a remote server (83.142.209[.]). The stealer includes country-aware logic to avoid Russian-language environments and a “geofenced destructive branch that runs rm -rf / 1 in 6 if the system appears to be in Israel or Iran.”
“The guardrails-ai@0.10.1 breach is particularly noteworthy because it resulted in malicious code being executed upon import,” Socket said. “The package checks the Linux system, downloads the remote Python artifact from https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it in python3 without integrity verification.”
“This latest activity shows that the campaign continues to spread across both npm and PyPI, with affected packages spanning search infrastructure, AI tools, aviation-related developer packages, enterprise automation, front-end tools, and CI/CD-adjacent ecosystems.”
