Mini Shai-Hulud npm Worm Hit 170+ Packages Including Mistral AI — And It Wipes Your Drive If You Revoke the Token

What Happened: 170+ Packages Poisoned in 6 Minutes

On May 11, 2026, between 19:20 and 19:26 UTC, a threat actor group called TeamPCP executed one of the largest coordinated supply chain attacks ever recorded against the JavaScript and Python ecosystems. In just six minutes, they published 404 malicious versions across more than 170 npm and PyPI packages — including some of the most downloaded packages in the entire npm registry.

The attack, dubbed Mini Shai-Hulud (named after the sandworms in Frank Herbert’s Dune), wasn’t just a simple credential stealer. It was a self-propagating worm with a built-in destructive payload: if you detected the compromise and revoked your token, the malware would attempt to wipe your entire home directory. This isn’t hypothetical. This is what the code does.

TanStack’s query-core package alone has nearly 220 million monthly downloads. Combined with react-query (212 million downloads) and virtual-core (60 million downloads), the blast radius of this supply chain attack is staggering.

How the Mini Shai-Hulud Attack Worked: GitHub Actions Cache Poisoning

This wasn’t a brute-force credential spray or a phishing campaign. TeamPCP chained together three separate GitHub Actions vulnerabilities in sequence to compromise TanStack’s entire publishing pipeline. Here’s the kill chain:

Step 1: Fork and Pull Request. The attacker forked the TanStack/router repository (renaming their fork to zblgg/configuration to evade detection in GitHub’s fork list). They then opened a pull request that triggered TanStack’s pull_request_target workflow — a well-documented dangerous pattern that runs CI/CD with the target repository’s secrets while executing the attacker’s code.

Step 2: Cache Poisoning. The workflow checked out and executed the attacker’s fork code, which poisoned the GitHub Actions cache with a malicious pnpm store. This is a devastating technique because the poisoned cache persists across future legitimate workflow runs.

Step 3: OIDC Token Extraction. The malicious code running in the workflow’s test/cleanup phase extracted the OIDC token from the GitHub Actions runner’s memory. This token, combined with TanStack’s trusted-publisher binding, gave the attacker direct publish access to the npm registry.

The commit was authored under the fabricated identity claude <claude@users.noreply.github.com> — impersonating the Anthropic Claude GitHub App — and prefixed with [skip ci] to suppress automated CI on push. A clever social engineering touch.

Who Got Hit: TanStack, Mistral AI, UiPath, OpenSearch

The scope of this attack goes far beyond TanStack. According to data from OX Security and Orca, the compromised packages include:

TanStack (42 npm packages, 84 malicious versions) — All @tanstack/* packages were hit. These are used by millions of React, Vue, and Angular developers worldwide for data fetching, state management, and virtual scrolling.

Mistral AI SDK (mistralai on both npm and PyPI) — The attacker published a fake version 2.4.6 of the official Mistral AI Python SDK. The legitimate latest version before the attack was 2.4.5. Anyone who ran pip install mistralai or had loose version pinning during the attack window got the malicious version.

UiPath (65 npm packages) — The enterprise automation platform’s npm packages were compromised, potentially affecting thousands of enterprise CI/CD pipelines.

OpenSearch (1.3M weekly npm downloads) — The OpenSearch project’s packages were also poisoned.

Guardrails AI (PyPI) — The Python package for AI safety guardrails was compromised. The irony of a safety tool being compromised is not lost on the security community.

In total, the affected packages have more than 518 million cumulative downloads, and over 400 repositories with stolen credentials have been created as part of the attack wave.

The Mini Shai-Hulud Worm Payload: Self-Propagating Credential Theft

What makes Mini Shai-Hulud particularly terrifying is that it’s not just a static payload — it’s a self-propagating worm. Once it infects a developer’s machine or CI/CD pipeline, it actively spreads to other projects.

The malware targets an extensive list of credentials and secrets:

CI/CD tokens: GitHub Actions OIDC tokens, GitLab CI tokens, CircleCI tokens. Cloud credentials: AWS IAM credentials via IMDSv2, GCP service account keys, Azure managed identity tokens. Infrastructure secrets: Kubernetes service account tokens, HashiCorp Vault secrets. Package registry tokens: npm, PyPI, and other registry authentication tokens.

Once it steals npm tokens and GitHub Actions OIDC tokens, it uses them to publish poisoned versions of additional packages the victim has write access to. This is how it spread from TanStack to UiPath to OpenSearch — each compromised developer’s credentials opened doors to more packages.

The worm also writes malicious files like .claude/settings.json and .vscode/tasks.json into the victim’s projects. Any other developer who clones or pulls that project gets infected too. This lateral movement through development teams is particularly insidious.

Data exfiltration happens over the Session protocol, an onion-routed messenger network, making traditional network monitoring useless for detection.

The Dead Man’s Switch: Revoke the Token and Lose Everything

This is the part that makes security researchers lose sleep. On developer machines, Mini Shai-Hulud installs a persistent daemon called gh-token-monitor. On macOS, it uses a LaunchAgent. On Linux, it uses systemd. The daemon polls GitHub approximately every 60 seconds.

Here’s what happens: the daemon checks whether the stolen GitHub token is still valid. The moment it receives a 40X error (indicating the token has been revoked), it triggers a destructive routine that executes rm -rf ~/ — wiping the developer’s entire home directory.

Think about that for a second. The natural response when you discover your credentials have been stolen is to revoke them immediately. Mini Shai-Hulud turns that defensive instinct into the trigger for data destruction. It’s a classic dead man’s switch: the malware stays dormant as long as the stolen credentials remain valid, but the moment you try to cut it off, it retaliates.

The daemon automatically exits after 24 hours without triggering the destructive handler, which suggests the attacker designed it primarily as a deterrent — buying themselves time to exploit the stolen credentials before victims can safely respond.

For anyone affected: do not simply revoke your tokens. First, identify and remove the gh-token-monitor process and its persistence mechanism (check ~/Library/LaunchAgents/ on macOS or ~/.config/systemd/user/ on Linux), then revoke the tokens.

How Mini Shai-Hulud Evaded Detection

In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations. This makes Mini Shai-Hulud the first documented npm worm that produces validly-attested malicious packages.

SLSA (Supply-chain Levels for Software Artifacts) is supposed to be the gold standard for software supply chain security. Build Level 3 attestations prove that the package was built by a specific CI/CD pipeline, from a specific source commit, with specific build parameters. The problem is that when the attacker controls the CI/CD pipeline itself (through cache poisoning), the attestations are technically valid — they just attest to a compromised build.

This fundamentally undermines a core assumption of SLSA: that provenance attestations are trustworthy. If an attacker can compromise the build environment while keeping attestations valid, the entire verification chain becomes meaningless.

Additional evasion techniques included using the [skip ci] prefix to avoid triggering automated checks, impersonating the Claude GitHub App identity, renaming the fork repository, and using onion-routed exfiltration via the Session protocol.

Who Is TeamPCP? The Group Behind the Attacks

TeamPCP has been building toward this moment. According to StepSecurity’s attribution, the same group is responsible for compromising Aqua Security’s Trivy scanner in March 2026 and the Bitwarden CLI npm package in April 2026.

The group’s sophistication has escalated dramatically with each attack. The Trivy compromise was relatively simple compared to the multi-vector, cross-ecosystem, self-propagating worm they deployed against TanStack. They’re learning, adapting, and getting more dangerous with each iteration.

The name “Mini Shai-Hulud” — a reference to the sandworms in Dune that grow larger as they consume more spice — feels uncomfortably apt. Each successful attack feeds the next one.

How to Protect Yourself Right Now

If you use any of the affected packages, here’s what you need to do immediately:

1. Check your lockfile. Search your package-lock.json, yarn.lock, or pnpm-lock.yaml for any @tanstack/*, @uipath/*, @opensearch-project/*, or mistralai packages published between May 11-12, 2026. The Socket.dev blog has a complete list of affected versions.

2. Search for the daemon. On macOS, check ~/Library/LaunchAgents/ for anything related to gh-token-monitor. On Linux, check ~/.config/systemd/user/. Remove the daemon before revoking any tokens.

3. Check for injected files. Look for unexpected .claude/settings.json or .vscode/tasks.json files in your repositories.

4. Pin your dependencies. Use exact version pinning and review all dependency updates before merging. Tools like Socket, Snyk, and Aikido can help flag suspicious package changes.

5. Audit your GitHub Actions. If you use pull_request_target triggers, you’re vulnerable to this class of attack. Switch to pull_request where possible, and never check out untrusted code in a pull_request_target workflow.

6. Rotate all credentials. After removing the daemon, rotate every secret that was accessible from your development environment — npm tokens, cloud credentials, API keys, everything.

The Bigger Picture: npm’s Trust Model Is Broken

Mini Shai-Hulud exposed fundamental weaknesses in how the JavaScript ecosystem handles trust. The npm registry’s trusted-publisher model, GitHub Actions’ cache sharing across forks, and SLSA’s assumption that build environments are secure all failed simultaneously.

This attack had 518 million cumulative package downloads in its blast radius. It compromised packages from major companies including Mistral AI, UiPath, and the OpenSearch project. It evaded SLSA Build Level 3 attestation checks. And it included a destructive wiper payload as a deterrent against remediation.

The JavaScript supply chain has been under assault for years, from the event-stream incident to the ua-parser-js compromise. But Mini Shai-Hulud represents a new level of sophistication — a self-propagating worm that doesn’t just steal secrets but actively fights back when you try to stop it.

TanStack has published a detailed postmortem and has implemented mitigations including disabling the vulnerable workflows and requiring manual publish approval. But the underlying issues — GitHub Actions’ trust model, npm’s reliance on OIDC tokens, and the sheer scale of the dependency graph — remain unsolved.

The question isn’t whether another Mini Shai-Hulud will happen. It’s when, and how much bigger the next one will be.