
Shai-Hulud attack ships signed malicious TanStack and Mistral npm packages

Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign that delivers credential-stealing malware targeting developers.

The attacker stole valid OpenID Connect (OIDC) tokens from CI runners to publish malicious package versions that carry valid provenance attestations (SLSA Build Level 3).

Attributed to the threat group TeamPCP, the attack started by compromising a number of TanStack and Mistral AI packages but quickly expanded to other popular projects, such as Guardrails AI, UiPath, and OpenSearch.

The Shai-Hulud campaign first appeared last September and has had multiple iterations [1, 2, 3], some of which exposed hundreds of thousands of developer secrets in automatically created GitHub repositories. Among the recently compromised projects are the Bitwarden CLI package and the official SAP packages.

The latest wave began yesterday, when a threat actor published multiple malicious packages under the TanStack namespace on the Node Package Manager (npm) registry and then spread to other projects using stolen CI/CD credentials.

Application security company StepSecurity notes that the threat actor published the infected packages through a legitimate CI/CD pipeline, carrying SLSA provenance attestations issued by npm’s signing infrastructure and “bound to the legitimate TanStack/router Release workflow.”

Endor Labs reports more than 160 compromised packages on npm, Aikido recorded 373 malicious package versions, and Socket tracked compromised package artifacts across npm and the Python Package Index (PyPI).

According to TanStack’s post-mortem report, the attackers chained three weaknesses: a vulnerable ‘pull_request_target’ workflow, GitHub Actions cache poisoning, and theft of OIDC tokens from the runner’s memory.

The attackers published 84 malicious versions across 42 TanStack packages, each with valid provenance, valid Sigstore signatures, and valid GitHub Actions attestations.

From a developer’s point of view, the packages appeared entirely authentic, with no indication of compromise.

Endor Labs highlights a clever Git trick: the attackers pushed an orphan commit to a fork of the TanStack/router repository, making it reachable through GitHub’s shared fork object storage even though it did not belong to any branch.

The payload was delivered through a malicious optional dependency, which caused npm to automatically download and execute attacker-controlled code during package installation.

The malware targeted developer secrets, including:

  • GitHub Actions OIDC and PAT tokens
  • Git credentials
  • npm publish tokens
  • AWS Secrets Manager, IAM, and ECS task credentials
  • Kubernetes service account tokens and cluster credentials
  • HashiCorp Vault tokens
  • SSH keys
  • Claude Code settings
  • VS Code tasks
  • .env files

StepSecurity says the payload reads the GitHub Actions runner process memory and scans more than 100 file paths associated with cloud providers, cryptocurrency wallets, and messaging apps.

To exfiltrate the stolen data, the malware used the Session P2P messaging network, so the traffic looks like ordinary encrypted messaging and is difficult to detect, block, or take down.

Once a host is infected, the malware installs itself into Claude Code hooks and VS Code auto-run tasks for persistence, so uninstalling the malicious packages does not remove it.

The self-propagation method remains largely unchanged from previous waves: it uses stolen GitHub/npm credentials, enumerates packages associated with the compromised account, modifies their tarballs to inject the payload, and republishes them as malicious versions.

According to supply-chain security platform SafeDep, although the implementation differs between the compromised Mistral AI and TanStack packages, both deliver the same credential-theft payload.

Microsoft Threat Intelligence analyzed the payload delivered by the malicious Mistral AI package on PyPI. The actor named it ‘transformers.pyz’, which appears to imitate Hugging Face’s open-source Python Transformers library used to access pre-trained natural language processing models.

Researchers say the payload drops an information-stealing malware on Linux systems. It includes basic geofencing logic, specifically avoiding hosts where Russian locale settings are detected.

A second, destructive routine also exists. On hosts that appear to be located in Israel or Iran, the malware has a 1-in-6 chance of executing a recursive wipe command (rm -rf /).

The behavior is similar to the CanisterWorm campaign that TeamPCP ran in March against Kubernetes platforms. If CanisterWorm landed on a machine with an Iranian time zone or locale, it would wipe it.

Lists of compromised packages are available in reports from various security vendors [1, 2, 3, 4, 5], and it is recommended to check all of them to get a complete view of the impact.

Developers who installed an affected package version should assume their secrets have been exposed. The researchers recommend that security teams do the following:

  • check for the affected package versions
  • check for persistence on developer machines
  • rotate all credentials (GitHub tokens, npm tokens, AWS credentials, Vault tokens, Kubernetes service accounts, and CI/CD secrets)
  • check IDE directories and npm installations for malicious files that may still be present (e.g., router_runtime.js or setup.mjs)
  • block the threat actor’s command-and-control infrastructure (api.masscan.cloud, git-tanstack.com, and *.getsession.org) at the DNS or proxy level
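The install-time mechanism described earlier (a malicious optional dependency with an install script) and the first two checklist items above can be audited from the files already on disk. The following is an added example, not code from the article or from any of the vendors it cites; it reads a `package-lock.json` (lockfileVersion 2/3, whose entries carry the real `optional` and `hasInstallScript` fields) and a `.vscode/tasks.json` (whose `runOptions.runOn: "folderOpen"` setting is VS Code’s auto-run feature). The advisory set and the sample inputs are constructed placeholders, not real indicators.

```javascript
// Added example: audit a project for the two mechanisms the article describes.
// ADVISORY holds placeholder identifiers (constructed); fill it from the vendor lists.
const ADVISORY = new Set(["@example/router@0.0.0-compromised"]);

// Package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Flags (1) versions listed in the advisory and (2) optional dependencies that
// carry an install script: the combination that runs code during `npm install`.
function auditLockfile(lock, advisory = ADVISORY) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const id = `${meta.name || nameFromKey(key)}@${meta.version}`;
    if (advisory.has(id)) findings.push({ id, reason: "version listed in advisory" });
    if (meta.optional && meta.hasInstallScript) {
      findings.push({ id, reason: "optional dependency with install script" });
    }
  }
  return findings;
}

// Flags VS Code tasks configured to run automatically when the folder is opened.
function auditVsCodeTasks(tasks) {
  return (tasks.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({ label: t.label, command: t.command }));
}

// Constructed sample inputs standing in for the real files on disk.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@example/router": { version: "0.0.0-compromised" },
    "node_modules/@example/router/node_modules/example-runtime":
      { version: "1.2.3", optional: true, hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
const SAMPLE_TASKS = {
  version: "2.0.0",
  tasks: [
    { label: "build", type: "shell", command: "npm run build" },
    { label: "init", type: "shell", command: "node setup.mjs", runOptions: { runOn: "folderOpen" } },
  ],
};
console.log(auditLockfile(SAMPLE_LOCK), auditVsCodeTasks(SAMPLE_TASKS));
```

On a real project, replace the sample objects with `JSON.parse(fs.readFileSync(...))` of the project's `package-lock.json` and `.vscode/tasks.json`, and treat any finding as a reason to rotate the credentials listed above.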

Snyk researchers say that since “the attack produces valid SLSA Build Level 3 evidence for malicious packages,” provenance verification alone is not enough; it must be complemented by a layer of behavioral analysis during installation, in addition to signature-based checks for malicious packages.

In the longer term, to reduce the risk of similar attacks, consider lockfile-only installs, which prevent automatic or silent package updates.

UPDATE [08:36 EST]: Added information from Microsoft Threat Intelligence’s analysis of the payload delivered by the compromised Mistral AI package.
