
Mini Shai-Hulud npm Supply Chain Worm: TanStack and Multi-Ecosystem Compromise

Red | Attack Report

Summary

The Mini Shai-Hulud worm is a sophisticated supply chain attack orchestrated by the TeamPCP threat group (also tracked as PCPcat, ShellForce, DeadCatx3, CipherForce, Persy_PCP, UNC6780) targeting the npm and PyPI software ecosystems. First observed on May 11, 2026, the coordinated attack published 84 malicious versions across 42 TanStack npm packages and also hit packages in the @uipath, @mistralai, @squawk, and @opensearch-project namespaces, plus PyPI’s guardrails-ai and mistralai packages, affecting over 170 packages in total. With @tanstack/react-router receiving approximately 12 million weekly downloads, the blast radius makes this a significant software supply chain security incident.

The Mini Shai-Hulud attack targets global software development, enterprise automation, artificial intelligence, cloud computing, and CI/CD pipeline environments, while specifically excluding systems configured with Russian language locale. The Mini Shai-Hulud worm leverages a chained exploitation of GitHub Actions misconfigurations, including the pull_request_target “Pwn Request” pattern, CI cache poisoning across fork-to-base trust boundaries, and OIDC token extraction from GitHub runner process memory to publish malicious npm package versions.

The Mini Shai-Hulud malware harvests credentials from cloud providers including AWS, GCP, and Azure, CI/CD systems, Kubernetes environments, HashiCorp Vault, GitHub, npm, and developer SSH keys. The worm exfiltrates stolen data through multiple redundant command-and-control channels including typosquatted domains, Session messenger peer-to-peer networks, and GitHub dead drop repositories. The Mini Shai-Hulud worm demonstrates self-propagation capabilities by republishing infected versions of other npm packages the compromised victim maintains, enabling lateral spread across the software supply chain.

Attack Details

TanStack Supply Chain Compromise and TeamPCP Attribution

On May 11, 2026, a coordinated Mini Shai-Hulud supply chain attack published 84 malicious versions across 42 @tanstack/* npm packages and also hit packages in the @uipath, @mistralai, @squawk, and @opensearch-project namespaces, plus PyPI’s guardrails-ai and mistralai packages, affecting over 170 packages in total. With @tanstack/react-router receiving approximately 12 million weekly npm downloads, the blast radius represents significant exposure across the JavaScript development ecosystem.

Security researchers assess with high confidence that the Mini Shai-Hulud campaign is operated by the TeamPCP threat group, also tracked as DeadCatx3, PCPcat, ShellForce, and CipherForce, a financially motivated cybercriminal group that rose to prominence in late 2025. The Mini Shai-Hulud attribution to TeamPCP is supported by shared toolchain artifacts including a verbatim ctf-scramble-v2 Fisher-Yates PRNG seeded with 0x3039 across Bitwarden CLI, SAP, and TanStack payloads, identical command-and-control infrastructure, the malware’s Russian-language locale check where the payload terminates without exfiltrating if the system language is Russian, and TeamPCP’s public claim of responsibility for the Mini Shai-Hulud operation.

GitHub Actions Pwn Request and CI Cache Poisoning Attack Chain

The Mini Shai-Hulud attack chain began on May 10, 2026 with a renamed fork of TanStack/router (zblgg/configuration) containing a malicious commit under a fabricated identity. A pull request opened the next day triggered bundle-size.yml, which used the pull_request_target “Pwn Request” pattern and so executed fork-controlled malicious code in the trusted base repository context. That execution wrote a poisoned 1.1 GB pnpm-store entry into the GitHub Actions cache, keyed so that release.yml would later restore it on the next push to the main branch. The malicious pull request was then force-pushed to a no-operation state and closed to hide evidence of the compromise.

Detonation of the Mini Shai-Hulud payload occurred when unrelated TanStack maintainer merges triggered release.yml. The poisoned GitHub Actions cache restored, and attacker binaries read /proc/<pid>/mem of the Runner.Worker process to extract the OIDC token minted for npm trusted publishing. The Mini Shai-Hulud malware then POSTed publishes directly to registry.npmjs.org, producing npm tarballs with valid SLSA Build Level 3 provenance attestation. This is significant because SLSA provenance attests which pipeline produced the artifact, not whether the pipeline was behaving as intended, meaning a compromised build step produces a validly-attested but malicious package, rendering provenance-based supply chain defenses ineffective against this class of attack.

Mini Shai-Hulud Credential Stealing and Self-Propagation Worm Capabilities

The downstream Mini Shai-Hulud payload is a credential stealer and self-propagating worm, exfiltrating cloud credentials from AWS, GCP, and Azure, Kubernetes service account tokens, HashiCorp Vault tokens, GitHub personal access tokens, npm publish tokens, and SSH private keys over triple-redundant command-and-control channels including typosquatted domains, Session messenger peer-to-peer networks, and GitHub dead drop repositories. The Mini Shai-Hulud worm republishes other npm packages each victim maintains, driving lateral spread across the software supply chain.

The PyPI variant of Mini Shai-Hulud affecting guardrails-ai and mistralai packages operates differently from the npm version, using a lightweight 13-line loader that fetches a remote payload. This PyPI Mini Shai-Hulud variant targets password vaults including 1Password and Bitwarden for the first time, and carries a destructive wiper component targeting systems with Israeli or Iranian locale settings. Detection of the Mini Shai-Hulud compromise occurred approximately 20 minutes after the first malicious publish, but malicious tarballs remained installable for hours due to npm’s “no unpublish if dependents exist” policy, meaning the actual exposure window extends well beyond detection.

Destructive Capabilities and Persistence Mechanisms

Critically, the Mini Shai-Hulud payload installs a gh-token-monitor daemon that runs rm -rf ~/ upon detecting GitHub token revocation, functioning as a dead man’s switch to destroy data on compromised developer machines. Additionally, the Mini Shai-Hulud malware persists into .claude/ and .vscode/ directories as router_runtime.js or setup.mjs files, which survive npm uninstall commands, so package removal alone is not sufficient remediation for Mini Shai-Hulud infections.

Responders must isolate or forensically image affected hosts, remove both the gh-token-monitor daemon and IDE persistence artifacts, and only then rotate credentials, because remediation attempts that trigger the dead man’s switch cause data destruction. The Mini Shai-Hulud operation demonstrates exceptional sophistication in both technical capabilities and operational security, representing an evolution in software supply chain attacks.

Recommendations

Disable gh-token-monitor Before Credential Rotation

Before rotating any GitHub tokens on potentially compromised systems, search all affected developer machines and CI runners for the Mini Shai-Hulud gh-token-monitor daemon files located at ~/.config/systemd/user/gh-token-monitor.service on Linux systems and ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS systems, and remove them. The Mini Shai-Hulud malware dead man’s switch triggers a destructive home directory wipe (rm -rf ~/) upon detecting token revocation, so persistence removal must precede credential rotation to prevent data destruction.
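
A read-only triage sketch for the check described above, added here as an example and not taken from the advisory's sources or any vendor tool. It uses only the daemon paths and IDE file names listed in this advisory; the function names are hypothetical.

```python
import os
from pathlib import Path

# Daemon unit files named in this advisory, relative to a user's home.
DAEMON_PATHS = [
    ".config/systemd/user/gh-token-monitor.service",         # Linux
    "Library/LaunchAgents/com.user.gh-token-monitor.plist",  # macOS
]
# IDE persistence: file names and directories named in this advisory.
IDE_DIRS = {".claude", ".vscode"}
IDE_FILES = {"router_runtime.js", "setup.mjs"}


def find_persistence(home):
    """Return (daemon_hits, ide_hits) under `home`. Read-only: nothing
    is deleted, so the host can still be imaged before cleanup."""
    home = Path(home)
    daemon_hits = [home / p for p in DAEMON_PATHS if (home / p).is_file()]
    ide_hits = []
    for root, _dirs, files in os.walk(home):
        if Path(root).name in IDE_DIRS:
            ide_hits += [Path(root) / f for f in files if f in IDE_FILES]
    return daemon_hits, sorted(ide_hits)


def rotation_blocked(home):
    """True while any artifact remains, i.e. tokens must not be revoked yet."""
    daemon_hits, ide_hits = find_persistence(home)
    return bool(daemon_hits or ide_hits)


if __name__ == "__main__":
    daemons, ide = find_persistence(Path.home())
    for hit in daemons:
        print(f"[daemon] {hit}")
    for hit in ide:
        print(f"[ide]    {hit}  (review: file name match only)")
    print("rotate tokens:", "HOLD" if daemons or ide else "no artifacts found")
```

Run it once per user account on each developer machine and CI runner; IDE hits are matched by file name only and need manual review.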

Monitor for Mini Shai-Hulud Self-Propagation Indicators

Watch npm publish logs for unexpected version bumps of exactly +3 patches with no corresponding changelog entry. This version bump pattern is the fingerprint of the Mini Shai-Hulud worm’s automated propagation mechanism and indicates an infected package has been used to compromise additional packages in the software supply chain.
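
One way to run this check over a package's publish history, added here as an example and not part of the original advisory. It assumes the input has the shape printed by `npm view <pkg> time --json`, and it interprets "+3" as a patch number exactly 3 above the previous publish in the same major.minor line; the sample history and changelog set are constructed.

```python
import re

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # skips prereleases and created/modified


def plus_three_bumps(time_map, changelog_versions=()):
    """Flag publishes whose patch number is exactly 3 above the previous
    publish in the same major.minor line and that the changelog omits.
    time_map maps version -> ISO-8601 publish time."""
    releases = []
    for version, stamp in time_map.items():
        m = SEMVER.match(version)
        if m:
            releases.append((stamp, tuple(map(int, m.groups())), version))
    releases.sort()  # ISO-8601 UTC timestamps sort chronologically as text

    last = {}  # (major, minor) -> (patch, version) of the latest publish
    findings = []
    for stamp, (major, minor, patch), version in releases:
        prev = last.get((major, minor))
        if prev and patch - prev[0] == 3 and version not in changelog_versions:
            findings.append(
                {"version": version, "previous": prev[1], "published": stamp}
            )
        last[(major, minor)] = (patch, version)
    return findings


# Constructed publish history for a hypothetical package.
SAMPLE = {
    "created": "2025-01-01T00:00:00.000Z",
    "modified": "2026-05-11T19:30:00.000Z",
    "1.4.0": "2026-03-02T10:00:00.000Z",
    "1.4.1": "2026-04-10T09:00:00.000Z",
    "1.4.4": "2026-05-11T19:26:00.000Z",  # +3 with no changelog entry
    "2.0.0": "2026-04-20T12:00:00.000Z",
    "2.0.3": "2026-05-01T12:00:00.000Z",  # +3 but documented
}
CHANGELOG = {"1.4.0", "1.4.1", "2.0.0", "2.0.3"}  # constructed

if __name__ == "__main__":
    for hit in plus_three_bumps(SAMPLE, CHANGELOG):
        print(f"{hit['previous']} -> {hit['version']} at {hit['published']}")
```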

Pin GitHub Actions to Commit SHAs

Replace all tag-based GitHub Actions references (e.g., actions/checkout@v6.0.2) with full commit SHA pins to prevent tag retargeting attacks, which carry the same supply chain compromise blast radius as CI cache poisoning exploited by Mini Shai-Hulud.

Rotate All Credentials on Mini Shai-Hulud Exposed Hosts

If any affected Mini Shai-Hulud package version was installed on a machine or CI runner, rotate AWS access keys, GCP service account keys, Azure service principals, HashiCorp Vault tokens, Kubernetes service account tokens, GitHub personal access tokens, npm publish tokens, and SSH private keys. For GitHub Actions environments specifically, assume all repository, organization, and environment secrets were extracted from runner memory regardless of workflow configuration, as the Mini Shai-Hulud malware reads process memory to steal OIDC tokens.

Block Mini Shai-Hulud C2 Infrastructure at Network Perimeter

Block outbound connections to git-tanstack[.]com, api.masscan[.]cloud, and .getsession.org domains including filev2.getsession.org, seed1.getsession.org, seed2.getsession.org, and seed3.getsession.org at the DNS and proxy level. Also block IP address 83.142.209[.]194 used by the Python variant’s credential stealer component of Mini Shai-Hulud.

Audit GitHub Repositories for Mini Shai-Hulud Injected Workflows

Search all organizational repositories for GitHub Actions workflows containing api.masscan[.]cloud, commits authored by “claude <claude@users.noreply.github.com>” with the message “chore: update dependencies” that add .claude/ or .vscode/ directories, and newly created repositories matching Dune-themed naming patterns such as sardaukar-ornithopter-42, which are indicators of Mini Shai-Hulud compromise.

Pin Dependencies and Disable Lifecycle Scripts

Pin all @tanstack/* dependencies to the last confirmed clean versions (the x.x.65 releases) using lockfiles until the TanStack team publishes verified clean releases. Run npm install with the --ignore-scripts flag in CI pipelines that do not require lifecycle script execution to prevent Mini Shai-Hulud payload detonation during package installation.

Remove pull_request_target Workflows or Restrict Scope

Audit all GitHub Actions workflow files across organizational repositories for the pull_request_target trigger event. Workflows using this trigger must never check out or execute code from the pull request head to prevent Mini Shai-Hulud style attacks. If base repository permissions are needed to react to a pull request, use the workflow_run pattern against artifacts from a sandboxed pull_request job, as recommended by GitHub’s security team.
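
A line-based audit sketch covering this recommendation and the earlier one on pinning actions to commit SHAs, added here as an example and not taken from the advisory or from GitHub tooling. The regular expressions are heuristic assumptions, and the sample workflow and its 40-character SHA are constructed.

```python
import re

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")
PRT = re.compile(r"\bpull_request_target\b")


def audit_workflow(text):
    """Return (line_no, finding) tuples for one workflow file's text."""
    lines = text.splitlines()
    live = [l for l in lines if not l.lstrip().startswith("#")]
    has_prt = any(PRT.search(l) for l in live)
    findings = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out YAML
        m = USES.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            # Local actions and docker:// images are out of scope here.
            external = not ref.startswith(("./", "docker://"))
            if external and not FULL_SHA.search(ref):
                findings.append((no, f"unpinned action: {ref}"))
        if has_prt and PR_HEAD.search(line):
            findings.append((no, "pull_request_target workflow references PR head"))
    return findings


# Constructed workflow showing both problems; not a real project file.
SAMPLE = """\
name: example
on:
  pull_request_target:
jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - run: pnpm install && pnpm build
"""

if __name__ == "__main__":
    for no, finding in audit_workflow(SAMPLE):
        print(f"line {no}: {finding}")
```

Feed it the text of each file under .github/workflows/; a hit on the PR-head rule marks a workflow to review by hand, since a line scan cannot see code fetched indirectly by a later step.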

MITRE ATT&CK TTPs

Initial Access: T1195.002 (Compromise Software Supply Chain), T1195.001 (Compromise Software Dependencies and Development Tools)

Execution: T1204.002 (Malicious File), T1059.007 (JavaScript), T1059.006 (Python)

Persistence: T1543.001 (Launch Agent), T1543.002 (Systemd Service), T1546 (Event Triggered Execution)

Defense Evasion: T1027 (Obfuscated Files or Information), T1036.005 (Match Legitimate Name or Location)

Credential Access: T1552.001 (Credentials In Files), T1552.005 (Cloud Instance Metadata API), T1528 (Steal Application Access Token)

Discovery: T1526 (Cloud Service Discovery)

Collection: T1005 (Data from Local System)

Exfiltration: T1567.001 (Exfiltration to Code Repository), T1041 (Exfiltration Over C2 Channel)

Impact: T1485 (Data Destruction)

Lateral Movement: T1072 (Software Deployment Tools)

Indicators of Compromise (IoCs)

Malicious Domains: git-tanstack[.]com, api.masscan[.]cloud

Command-and-Control URLs: hxxp[:]//git-tanstack[.]com[:]443/router, hxxp[:]//api[.]masscan[.]cloud/v2/upload, hxxp[:]//litter[.]catbox[.]moe/h8nc9u[.]js, hxxp[:]//litter[.]catbox[.]moe/7rrc6l[.]mjs, hxxp[:]//83[.]142[.]209[.]194/v1/weights

IP Address: 83[.]142[.]209[.]194

Session Messenger Nodes: seed1[.]getsession[.]org, seed2[.]getsession[.]org, seed3[.]getsession[.]org, filev2[.]getsession[.]org

Session Recipient ID: 05f9e609d79eed391015e11380dee4b5c9ead0b6e2e7f0134e6e51767a87323026

Malicious Git Dependency: github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c

Attacker GitHub Accounts: zblgg (ID: 127806521), voicproducoes (ID: 269549300)

Forged Commit Identity: claude <claude@users.noreply.github.com>

Malicious File Paths: /tmp/tmp.ts018051808.lock, ~/.config/systemd/user/gh-token-monitor.service, ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

Commit Message Marker: IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner

GitHub Actions Cache Key: Linux-pnpm-store6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11

References

TanStack – Incident Follow-up Blog

TanStack – npm Supply Chain Compromise Postmortem

Wiz Security – Mini Shai-Hulud Strikes Again: TanStack & More npm Packages Compromised

Upwind – Shai-Hulud TanStack Supply Chain Worm Analysis

HivePro – TeamPCP Automated Supply Chain from Trivy to LiteLLM Multi-Ecosystem Breach
