Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
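The three-way comparison above, carried out end to end in Python. This is an added example, not the site's src.verify_decision code, and it assumes what the page states: the stored canonical bytes are hashed with SHA-256, the digest is base58-encoded (Bitcoin/Solana alphabet, an assumption) and placed in a memo of the form AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>. Pulling the memo text out of the Solana transaction is left to the caller; the sample canonical bytes, decision id and timestamp below are constructed for the demonstration.

```python
"""Independent re-check of an AVOID.NET decision anchor (added example).

Assumes the scheme described on the page: SHA-256 over the stored canonical
bytes, base58 (Bitcoin/Solana alphabet, assumed) digest, memo format
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>. The memo text is passed in as a
string; fetching it from a Solana RPC node is out of scope here.
"""
import hashlib
import json
from dataclasses import dataclass

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Database hash shown on this page; a base58 SHA-256 must decode to 32 bytes.
DB_HASH_FROM_PAGE = "TExsmTYWf2hP2Rz71KusKCaGnWENdYpiGaUSkscwqed"


def b58encode(raw: bytes) -> str:
    """Base58 with the Bitcoin/Solana alphabet; leading zero bytes become leading '1's."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def recompute_hash(canonical_bytes: bytes) -> str:
    """Step 2 on the page: SHA-256 over the stored bytes, digest base58-encoded."""
    return b58encode(hashlib.sha256(canonical_bytes).digest())


@dataclass(frozen=True)
class Memo:
    version: str
    hash_b58: str
    decision_id: str
    timestamp: str


def parse_memo(memo: str) -> Memo:
    """Parse AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>; reject anything else."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[0] != "AVOID.NET":
        raise ValueError("not an AVOID.NET memo")
    fields = {}
    for part, prefix in zip(parts[2:], ("h:", "d:", "t:")):
        if not part.startswith(prefix):
            raise ValueError(f"expected field {prefix!r}, got {part!r}")
        fields[prefix[0]] = part[len(prefix):]
    if len(b58decode(fields["h"])) != 32:
        raise ValueError("h: field does not decode to a 32-byte SHA-256 digest")
    return Memo(parts[1], fields["h"], fields["d"], fields["t"])


def memo_is_well_formed(memo: str) -> bool:
    try:
        parse_memo(memo)
        return True
    except ValueError:
        return False


def build_memo(hash_b58: str, decision_id: str, iso_time: str) -> str:
    """Assemble a v1 memo string (what the site writes on-chain, per the page)."""
    return f"AVOID.NET|v1|h:{hash_b58}|d:{decision_id}|t:{iso_time}"


def verify_decision(canonical_bytes: bytes, db_hash: str, memo_text: str,
                    decision_id: str) -> dict:
    """Three-way hash comparison plus sanity checks on the memo and the bytes."""
    recomputed = recompute_hash(canonical_bytes)
    memo = parse_memo(memo_text)
    try:  # the canonical bytes should be a JSON decision record, not arbitrary data
        json.loads(canonical_bytes.decode("utf-8"))
        bytes_are_json = True
    except (ValueError, UnicodeDecodeError):
        bytes_are_json = False
    db_ok = db_hash == recomputed
    chain_ok = memo.hash_b58 == recomputed
    id_ok = memo.decision_id == decision_id
    return {
        "recomputed_hash": recomputed,
        "db_matches_recomputed": db_ok,
        "memo_matches_recomputed": chain_ok,
        "decision_id_matches": id_ok,
        "memo_version": memo.version,
        "memo_timestamp": memo.timestamp,
        "bytes_are_json": bytes_are_json,
        "verified": db_ok and chain_ok and id_ok and memo.version == "v1",
    }


if __name__ == "__main__":
    # Constructed sample record, not the real canonical bytes from this page.
    sample = b'{"actor":"system:backfill","kind":"publish","sequence_num":1}'
    h = recompute_hash(sample)
    memo = build_memo(h, "decision-0001", "2026-06-16T12:06:26.637Z")
    print(verify_decision(sample, h, memo, "decision-0001"))
```

To apply this to a real decision, feed in the canonical bytes shown on the page, the database hash and the memo string from the transaction returned by getTransaction for the signature in the decision log (the memo is the instruction data of the SPL Memo v2 program, MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr). A verdict counts as verified only when all three hashes agree and the memo's d: field names the decision you are checking; a hash match alone does not tell you which decision was committed.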
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 426849010
- Off-chain at: 2026-06-16T12:06:26.637Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): TExsmTYWf2hP2Rz71KusKCaGnWENdYpiGaUSkscwqed
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (35770 chars)
{"actor":"system:backfill","investigation_id":"75887401-75e8-4702-95f0-4eb72b395097","kind":"publish","page_slug":"tanstack-npm-supply-chain-attack-mini-shai-hulud-teampcp","published_at":"2026-06-16T12:06:26.483Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"TanStack npm Supply Chain Attack (Mini Shai-Hulud / TeamPCP)","sections":[{"content":"The TanStack npm supply chain attack of May 2026 is among the largest recorded compromises of the npm package registry. The attack targeted the @tanstack/router ecosystem, a widely used JavaScript routing library suite for React, Vue, and Solid frameworks. CVE-2026-45321 (GHSA-g7cv-rxg3-hmpx, CVSS 9.6 Critical) was assigned to document the incident. A total of 84 malicious versions across 42 @tanstack/* packages were published within a six-minute window on May 11, 2026. The @tanstack/react-router package alone reported approximately 12.7 million weekly downloads at the time of the attack. Unaffected namespaces included @tanstack/query, @tanstack/table, @tanstack/form, @tanstack/virtual, and @tanstack/store. 
All 84 malicious versions were deprecated and removed from the npm registry by 23:55 UTC on May 11, 2026, approximately four and a half hours after initial publication.","heading":"Overview and Scope","severity":"critical","sources":[{"credibility":1,"name":"TanStack Blog: Postmortem — npm supply-chain compromise","type":"official","url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"credibility":2,"name":"Snyk: TanStack npm Packages Hit by Mini Shai-Hulud","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":1,"name":"CVE-2026-45321 advisory (GitLab advisories mirror)","type":"regulatory","url":"https://advisories.gitlab.com/npm/@tanstack/react-router-ssr-query/CVE-2026-45321/"}]},{"content":"TeamPCP (also known by the aliases DeadCatx3, PCPcat, ShellForce, and CipherForce) is a threat group that has focused on software supply chain attacks since at least 2024. The group's campaign is self-designated 'Mini Shai-Hulud', a reference to the sandworm creature in Frank Herbert's Dune science fiction series. Dead-drop branch names used throughout the campaign are drawn exclusively from Dune terminology (atreides, melange, sandworm, harkonnen, fremen, sardaukar), suggesting either cultural preference or deliberate misdirection. StepSecurity first attributed the TanStack attack to TeamPCP. Unit 42 (Palo Alto Networks) separately documented a claimed partnership between TeamPCP and Vect ransomware operators, announced via BreachForums. The TanStack attack represents the fourth documented wave of the Mini Shai-Hulud campaign. Prior waves include: Wave 1 (September 2025, 500+ packages), Wave 2 (November 2025, 492 packages affecting 700+ repositories), Wave 3 (April 2026, targeting SAP and Intercom ecosystems). The May 2026 TanStack incident is described as Wave 4. 
Separately, TeamPCP is attributed with compromising Aqua Security's Trivy vulnerability scanner in March 2026, followed by a breach of Checkmarx infrastructure, and the Bitwarden CLI npm package (version 2026.4.0) on April 22, 2026. The Bitwarden payload contained the string 'Shai-Hulud: The Third Coming', linking it explicitly to the campaign. No confirmed geographic origin or state-level affiliation has been established in public reporting.","heading":"Threat Actor: TeamPCP and the Mini Shai-Hulud Campaign","severity":"critical","sources":[{"credibility":2,"name":"StepSecurity: TeamPCP's Mini Shai-Hulud Is Back","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"HackRead: TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages","type":"news_article","url":"https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/"},{"credibility":1,"name":"SecurityWeek: Bitwarden NPM Package Hit in Supply Chain Attack","type":"news_article","url":"https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/"},{"credibility":2,"name":"SOCRadar: Bitwarden CLI Hijacked in npm Supply Chain Attack Linked to TeamPCP","type":"research","url":"https://socradar.io/blog/bitwarden-cli-hijacked-npm-supply-chain-teampcp/"},{"credibility":1,"name":"Unit 42 (Palo Alto Networks): The npm Threat Landscape","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"}]},{"content":"The TanStack attack chained three distinct vulnerabilities in GitHub's CI/CD infrastructure to achieve unauthorized npm publishing without direct access to any npm token or repository secret.\n\n1. 
Pwn Request via pull_request_target: On May 10, 2026 at 17:16 UTC, an attacker controlled GitHub account created a fork of the TanStack router repository (github.com/zblgg/configuration) and added a malicious commit (65bf499d16a5e8d25ba95d69ec9790a6dd4a1f14) containing an approximately 30,000-line obfuscated JavaScript payload injected into packages/history/vite_setup.mjs. PR #7378 was opened against the TanStack/router main branch at approximately 10:49 UTC on May 11. Repository workflows using the pull_request_target trigger executed fork-controlled code with the base repository's security context and access to cache scopes, without any first-time contributor approval gate.\n\n2. GitHub Actions Cache Poisoning: The malicious vite_setup.mjs wrote to the GitHub Actions cache using a pre-computed key matching the lookup pattern used by the legitimate release.yml workflow. A 1.1 GB poisoned pnpm package store was saved to the cache at approximately 11:29 UTC, persisting across the fork-to-base trust boundary. When the production release workflow ran hours later, it retrieved the poisoned cache entry.\n\n3. OIDC Token Extraction from Runner Memory: The attacker-controlled payload enumerated running processes via /proc/*/cmdline, then used /proc/[pid]/maps and /proc/[pid]/mem to perform direct memory reads of the GitHub Actions Runner.Worker process. This extracted a live OIDC (OpenID Connect) token that was then used to authenticate directly to the npm registry using npm's OIDC publish mechanism, bypassing the standard workflow publishing step entirely.\n\nA critical consequence of this method is that the malicious packages received valid SLSA Build Level 3 provenance attestations signed by Sigstore. This is the first documented instance of an npm worm producing validly-attested malicious packages. 
The SLSA attestations accurately recorded that the packages were built by release.yml on refs/heads/main — technically true, since the exploit occurred within that legitimate workflow execution. The vulnerable OIDC configuration pinned only the repository, not the specific workflow file or branch, a gap that a hardened configuration would close.","heading":"Attack Mechanism: Three-Chain GitHub Actions Exploit","severity":"critical","sources":[{"credibility":1,"name":"TanStack Blog: Postmortem — npm supply-chain compromise","type":"official","url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"credibility":2,"name":"Snyk: TanStack npm Packages Hit by Mini Shai-Hulud","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":2,"name":"Strobes: TanStack npm Supply Chain Attack 2026","type":"research","url":"https://strobes.co/blog/tanstack-npm-supply-chain-attack/"},{"credibility":2,"name":"Rescana: TanStack npm Supply Chain Attack — Detailed Analysis","type":"research","url":"https://www.rescana.com/post/tanstack-npm-supply-chain-attack-detailed-analysis-of-the-may-2026-github-actions-breach-and-multi-ecosystem-impact"}]},{"content":"The malicious payload, router_init.js, was approximately 2.3 MB in size and employed three layers of obfuscation: a JavaScript Obfuscator pattern, a Fisher-Yates substitution cipher (PBKDF2-SHA256, 200,000 iterations), and 11 AES-256-GCM encrypted payloads. The campaign identifier embedded in the payload was 'EveryBoiWeBuildIsAWormyBoi'. 
The SHA-256 hash of the payload is ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c.\n\nUpon execution (triggered at npm install time), the payload forked a detached child process with suppressed stdio — allowing the parent process to exit cleanly — and then performed systematic credential harvesting across multiple target categories:\n\n- GitHub tokens (GITHUB_REPOSITORY, ACTIONS_ID_TOKEN_REQUEST_TOKEN, REST API secrets enumeration)\n- AWS credentials via IMDSv2, Secrets Manager, and SSM Parameter Store\n- Google Cloud Platform metadata (100+ credential file paths enumerated)\n- HashiCorp Vault tokens with multi-region enumeration\n- Kubernetes service account tokens and integrated Vault credentials\n- npm tokens from ~/.npmrc\n- SSH private keys\n- Shell history files\n- Claude Code session files (~/.claude/projects/*.jsonl)\n\nCryptocurrency wallet files were also targeted, including Bitcoin wallet.dat files (~/.bitcoin/wallet.dat), Ethereum keystores (~/.ethereum/keystore/*), Monero, Zcash, and commercial wallet applications (Exodus, Electrum, Atomic Wallet). No public evidence of confirmed cryptocurrency funds being drained has been reported as of the time of this investigation, though the infrastructure to exfiltrate wallet files was confirmed active.\n\nExfiltration occurred via two channels: the Session decentralized messenger P2P network (filev2.getsession.org, seed1/2/3.getsession.org) with RSA-4096-OAEP wrapping, and GitHub 'dead drop' repositories where data was committed using the identity claude@users.noreply.github.com with Dune-themed branch names. 
A recovery mechanism scanned GitHub for commits containing the string 'OhNoWhatsGoingOnWithGitHub' to retrieve tokens deposited by other victims.\n\nThe payload established persistence that survived npm package uninstallation through multiple vectors: Claude Code IDE hooks (.claude/router_runtime.js, .claude/settings.json, .claude/setup.mjs), VS Code workspace files (.vscode/setup.mjs, .vscode/tasks.json), a systemd service on Linux (gh-token-monitor), and a LaunchAgent on macOS (com.user.gh-token-monitor.plist). A destructive dead-man's switch polled GitHub token validity every 60 seconds; if the token was revoked (HTTP 40x response), the payload executed rm -rf ~/ to wipe the user's home directory. Security researchers warned that credentials should not be revoked from an affected machine before the dead-man's switch process was disabled.","heading":"Malware Payload: router_init.js","severity":"critical","sources":[{"credibility":2,"name":"Snyk: TanStack npm Packages Hit by Mini Shai-Hulud","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":2,"name":"StepSecurity: TeamPCP's Mini Shai-Hulud Is Back","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"Strobes: TanStack npm Supply Chain Attack 2026","type":"research","url":"https://strobes.co/blog/tanstack-npm-supply-chain-attack/"}]},{"content":"After harvesting npm tokens from an initial victim, the worm autonomously enumerated all npm packages accessible to each stolen token, evaluated their publish permissions, and published infected patch-version increments directly to the registry using HTTP PUT requests — without triggering any workflow-based publish guard. 
This worm propagation mechanism enabled the attack to spread far beyond the TanStack packages within a single day.\n\nBy end of day on May 11, 2026, the same threat actor had compromised over 170 npm packages and 2 PyPI packages. Confirmed secondary victims included: Mistral AI (@mistralai/mistralai versions 2.2.2–2.2.4), UiPath (65+ packages), OpenSearch, Guardrails AI (guardrails-ai 0.10.1 on PyPI), and a cluster of aviation tooling packages under the @squawk and @draftlab namespaces. In total, the Orca Security analysis counted 373 malicious package-version entries spanning 169 npm packages and 2 PyPI packages by the end of Wave 4.\n\nOn May 19, 2026, an additional wave compromised the @antv data visualization ecosystem (AntV). More than 300 malicious package versions across 323 packages were published in a 22-minute automated burst via a compromised npm maintainer account. This wave affected packages including @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, and echarts-for-react (approximately 1.1 million weekly downloads). Microsoft's security blog confirmed this wave.\n\nOn June 1, 2026, a further wave compromised 96 versions across 32 packages in the @redhat-cloud-services npm namespace. A Red Hat employee GitHub account was compromised and used to push malicious orphan commits to RedHatInsights repositories, bypassing standard code review. 
The affected packages had approximately 80,000 weekly downloads according to reporting in The Register.\n\nPhoenix Security's aggregate tracking documented over 600 packages and 2,500+ compromised GitHub repositories across the full campaign as of early June 2026.","heading":"Self-Propagation and Broader Campaign Impact","severity":"critical","sources":[{"credibility":2,"name":"Orca Security: TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":1,"name":"Microsoft Security Blog: Mini Shai-Hulud — Compromised @antv npm packages enable CI/CD credential theft","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/"},{"credibility":1,"name":"The Register: Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week","type":"news_article","url":"https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803"},{"credibility":1,"name":"Help Net Security: Red Hat npm packages compromised in new Mini Shai-Hulud malware wave","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/02/red-hat-npm-packages-compromised-mini-shai-hulud/"},{"credibility":2,"name":"Snyk: Mini Shai-Hulud Hits AntV — 300+ Malicious npm Packages Published","type":"research","url":"https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/"},{"credibility":2,"name":"Phoenix Security: TeamPCP / Mini Shai-Hulud npm Campaign","type":"research","url":"https://phoenix.security/teampcp-mini-shai-hulud-npm-atool-maintainer-compromise-2026/"},{"credibility":2,"name":"SafeDep: Mass Supply Chain Attack Hits TanStack, Mistral AI npm and PyPI Packages","type":"research","url":"https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/"}]},{"content":"OpenAI 
disclosed that two employee devices in their corporate environment were affected by the compromised TanStack packages. OpenAI stated that those devices lacked updated security configurations that would have prevented the malicious package download. The company confirmed no evidence that end user data or production systems were compromised. OpenAI described the incident as evidence of attackers 'increasingly targeting shared software dependencies and development tooling rather than any single company.'\n\nBitwarden confirmed its CLI package (version 2026.4.0) was trojanized for approximately 90 minutes on April 22, 2026. Bitwarden stated that no end-user vault data was accessed or put at risk, and that no production data or production systems were compromised.\n\nTeamPCP's earlier compromise of Aqua Security's Trivy scanner in March 2026, followed by the Checkmarx KICS GitHub Action compromise on March 23, 2026, allegedly led to a data breach at the European Commission's Europa.eu web hub where over 90 GB of sensitive data was reportedly exfiltrated, according to HackRead's reporting. This claim has not been independently confirmed in Tier 1 sources as of the writing of this investigation.\n\nThe broader developer ecosystem impact is significant given the download volumes: @tanstack/react-router alone had 12.7 million weekly downloads, and the AntV wave's echarts-for-react package had approximately 1.1 million weekly downloads. 
Any developer machine or CI/CD system that ran npm install with an affected package version during the exposure window should be treated as potentially compromised.","heading":"Known Affected Organizations and Downstream Impact","severity":"critical","sources":[{"credibility":2,"name":"Paubox: OpenAI TanStack incident exposes rising software supply chain risk","type":"news_article","url":"https://www.paubox.com/blog/openai-tanstack-incident-exposes-rising-software-supply-chain-risk"},{"credibility":1,"name":"OpenAI: Our response to the TanStack npm supply chain attack","type":"official","url":"https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/"},{"credibility":2,"name":"HackRead: TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages","type":"news_article","url":"https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/"},{"credibility":2,"name":"Pasquale Pillitteri: TanStack npm Supply Chain Attack — 2 OpenAI Employee Devices Hit","type":"news_article","url":"https://pasqualepillitteri.it/en/news/2644/tanstack-npm-supply-chain-attack-openai-2026"}]},{"content":"The following indicators were published by researchers and TanStack's postmortem. Organizations that ran npm install between approximately 19:20 UTC on May 11, 2026 and 23:55 UTC on May 11, 2026 should check for these artifacts.\n\nCVE: CVE-2026-45321. GHSA: GHSA-g7cv-rxg3-hmpx. CVSS: 9.6 (Critical).\n\nMalicious file: router_init.js at the package root of any affected @tanstack/* package. SHA-256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c.\n\nSuspicious optionalDependencies entry in package.json: @tanstack/setup pointing to github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c.\n\nAttacker fork: github.com/zblgg/configuration. Orphan commit: 79ac49eedf774dd4b0cfa308722bc463cfe5885c.\n\nPrimary exfiltration domains: filev2.getsession.org, seed1.getsession.org, seed2.getsession.org, seed3.getsession.org. 
Typosquat domain: git-tanstack.com. IP: 83.142.209.194.\n\nDead-drop git commit author: claude@users.noreply.github.com.\n\nPersistence artifacts (survive npm uninstall): .claude/router_runtime.js, .claude/settings.json (modified), .claude/setup.mjs, .vscode/setup.mjs, .vscode/tasks.json. Linux: ~/.local/bin/gh-token-monitor.sh and systemd service gh-token-monitor. macOS: ~/Library/LaunchAgents/com.user.gh-token-monitor.plist.\n\nNpm token with description 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner' — do not revoke this token from an affected machine before first stopping the dead-man's switch process.","heading":"Indicators of Compromise","severity":"critical","sources":[{"credibility":2,"name":"Strobes: TanStack npm Supply Chain Attack 2026","type":"research","url":"https://strobes.co/blog/tanstack-npm-supply-chain-attack/"},{"credibility":2,"name":"Snyk: TanStack npm Packages Hit by Mini Shai-Hulud","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":1,"name":"CVE-2026-45321 advisory (GitLab advisories mirror)","type":"regulatory","url":"https://advisories.gitlab.com/npm/@tanstack/react-router-ssr-query/CVE-2026-45321/"}]},{"content":"TanStack's immediate response on May 11, 2026 included deprecating all 84 affected package versions in batches between 20:19 and 21:03 UTC, purging all GitHub Actions cache entries, restructuring workflows with repository_owner guards, and pinning all third-party action references to specific commit SHAs. A CVE was requested and formal IOCs were provided to npm and GitHub security teams.\n\nFor affected users and organizations, the recommended remediation sequence is: (1) Before rotating any credentials, disable the dead-man's switch — on Linux, stop the systemd service gh-token-monitor; on macOS, unload the LaunchAgent com.user.gh-token-monitor.plist. Failure to perform this step first may trigger a destructive rm -rf ~/ command. 
(2) Delete node_modules and reinstall: rm -rf node_modules && npm install. (3) Delete persistence artifacts listed in the Indicators of Compromise section. (4) From a clean, unaffected machine, rotate all potentially exposed credentials including AWS keys, GCP credentials, GitHub personal access tokens, npm tokens, Kubernetes service account tokens, HashiCorp Vault tokens, and SSH private keys. (5) Audit all npm packages maintained by the affected npm account for unauthorized versions published on or after May 11, 2026. (6) Block the IOC domains at DNS or proxy level. (7) If cryptocurrency wallet files were present on the affected machine, transfer funds to a new wallet immediately.\n\nFor CI/CD hardening, GitHub recommends pinning OIDC token trust policies to specific workflow files and branches (not just the repository), adding first-time contributor approval requirements for pull_request_target workflows, and regularly purging Actions cache entries.","heading":"Remediation and Response","severity":"high","sources":[{"credibility":1,"name":"TanStack Blog: Postmortem — npm supply-chain compromise","type":"official","url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"credibility":2,"name":"StepSecurity: TeamPCP's Mini Shai-Hulud Is Back","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"Heise Online: Supply chain attack on TanStack — 42 packages compromised","type":"news_article","url":"https://www.heise.de/en/news/Supply-chain-attack-on-TanStack-42-packages-compromised-11291014.html"}]},{"content":"The May 2026 TanStack attack is widely cited in the security research community as a watershed event for software supply chain security assumptions. SLSA (Supply-chain Levels for Software Artifacts) Build Level 3 is the highest standard for verifying that a software artifact was built by an expected, tamper-resistant process. 
The TanStack malicious packages carried valid SLSA Build Level 3 attestations, correctly signed by Sigstore's public Rekor transparency log, accurately attesting that the packages were built by the release.yml workflow on the refs/heads/main branch — because the exploit hijacked that workflow from within.\n\nThis demonstrates that SLSA provenance attestations verify the build process, not the integrity of the inputs to or behavior of that process. The vulnerability was in the OIDC trust configuration: pinning only the repository (not the specific workflow file or branch) allowed the stolen OIDC token to mint valid attestations for any publish. A fully hardened configuration would pin the workflow field to .github/workflows/release.yml and the branch to refs/heads/main.\n\nThe Akamai research blog described the incident as evidence that 'valid attestations do not guarantee payload safety' and called it 'the first documented npm worm that produces validly-attested malicious packages.' The Cloud Security Alliance published a research note on the multi-ecosystem implications of the Mini Shai-Hulud campaign pattern.","heading":"SLSA Provenance and Supply Chain Security Implications","severity":"high","sources":[{"credibility":2,"name":"Akamai: Mini Shai-Hulud — The Worm Returns and Goes Public","type":"research","url":"https://www.akamai.com/blog/security-research/mini-shai-hulud-worm-returns-goes-public"},{"credibility":2,"name":"Cloud Security Alliance: Mini Shai-Hulud — Multi-Ecosystem Developer Supply Chain Attack","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-mini-shai-hulud-multi-ecosystem-supply-cha/"},{"credibility":2,"name":"ReversingLabs: Team PCP's Mini Shai-Hulud tears at open-source trust","type":"research","url":"https://www.reversinglabs.com/blog/mini-shai-hulud-tears-at-oss-trust"}]}],"sources_used":[{"credibility":1,"name":"TanStack Blog: Postmortem — npm supply-chain 
compromise","type":"official","url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"credibility":2,"name":"Snyk: TanStack npm Packages Hit by Mini Shai-Hulud","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":2,"name":"StepSecurity: TeamPCP's Mini Shai-Hulud Is Back","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"Orca Security: TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":2,"name":"Heise Online: Supply chain attack on TanStack — 42 packages compromised","type":"news_article","url":"https://www.heise.de/en/news/Supply-chain-attack-on-TanStack-42-packages-compromised-11291014.html"},{"credibility":2,"name":"Strobes: TanStack npm Supply Chain Attack 2026","type":"research","url":"https://strobes.co/blog/tanstack-npm-supply-chain-attack/"},{"credibility":2,"name":"Rescana: TanStack npm Supply Chain Attack — Detailed Analysis","type":"research","url":"https://www.rescana.com/post/tanstack-npm-supply-chain-attack-detailed-analysis-of-the-may-2026-github-actions-breach-and-multi-ecosystem-impact"},{"credibility":1,"name":"OpenAI: Our response to the TanStack npm supply chain attack","type":"official","url":"https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/"},{"credibility":1,"name":"SecurityWeek: Bitwarden NPM Package Hit in Supply Chain Attack","type":"news_article","url":"https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/"},{"credibility":2,"name":"SOCRadar: Bitwarden CLI Hijacked in npm Supply Chain Attack Linked to TeamPCP","type":"research","url":"https://socradar.io/blog/bitwarden-cli-hijacked-npm-supply-chain-teampcp/"},{"credibility":2,"name":"HackRead: TeamPCP Used Mini 
Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages","type":"news_article","url":"https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/"},{"credibility":1,"name":"Microsoft Security Blog: Mini Shai-Hulud — Compromised @antv npm packages enable CI/CD credential theft","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/"},{"credibility":1,"name":"The Register: Shai-Hulud malware worms Red Hat npm packages downloaded 80K times a week","type":"news_article","url":"https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803"},{"credibility":1,"name":"Help Net Security: Red Hat npm packages compromised in new Mini Shai-Hulud malware wave","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/02/red-hat-npm-packages-compromised-mini-shai-hulud/"},{"credibility":2,"name":"Snyk: Mini Shai-Hulud Hits AntV — 300+ Malicious npm Packages Published via Compromised Maintainer Account","type":"research","url":"https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/"},{"credibility":1,"name":"Unit 42 (Palo Alto Networks): The npm Threat Landscape — Attack Surface and Mitigations","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"Akamai: Mini Shai-Hulud — The Worm Returns and Goes Public","type":"research","url":"https://www.akamai.com/blog/security-research/mini-shai-hulud-worm-returns-goes-public"},{"credibility":2,"name":"ReversingLabs: Team PCP's Mini Shai-Hulud tears at open-source trust","type":"research","url":"https://www.reversinglabs.com/blog/mini-shai-hulud-tears-at-oss-trust"},{"credibility":2,"name":"Cloud Security Alliance: Mini Shai-Hulud — Multi-Ecosystem Developer Supply Chain 
Attack","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-mini-shai-hulud-multi-ecosystem-supply-cha/"},{"credibility":1,"name":"CyberScoop: Mini Shai-Hulud returns, compromising hundreds of npm packages","type":"news_article","url":"https://cyberscoop.com/mini-shai-hulud-malware-npm-packages-compromised-again/"},{"credibility":2,"name":"SafeDep: Mass Supply Chain Attack Hits TanStack, Mistral AI npm and PyPI Packages","type":"research","url":"https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/"},{"credibility":2,"name":"Phoenix Security: TeamPCP / Mini Shai-Hulud npm Campaign","type":"research","url":"https://phoenix.security/teampcp-mini-shai-hulud-npm-atool-maintainer-compromise-2026/"},{"credibility":1,"name":"CVE-2026-45321 advisory (GitLab advisories mirror)","type":"regulatory","url":"https://advisories.gitlab.com/npm/@tanstack/react-router-ssr-query/CVE-2026-45321/"},{"credibility":2,"name":"Paubox: OpenAI TanStack incident exposes rising software supply chain risk","type":"news_article","url":"https://www.paubox.com/blog/openai-tanstack-incident-exposes-rising-software-supply-chain-risk"}],"summary":"On May 11, 2026, threat actor group TeamPCP executed a sophisticated supply chain attack against the TanStack npm ecosystem, compromising 42 packages across 84 malicious versions collectively downloaded millions of times per week. The attack, branded internally as the 'Mini Shai-Hulud' worm, chained three GitHub Actions vulnerabilities to extract an OIDC token from runner memory and autonomously publish credential-stealing payloads that spread to over 170 additional npm and PyPI packages including Mistral AI, UiPath, and OpenSearch. 
The campaign is the fourth documented wave from TeamPCP, a group active since at least late 2024, and represents the first recorded npm worm to produce validly-attested malicious packages under SLSA Build Level 3 provenance.","timeline":[{"date":"2025-09-01","event":"Mini Shai-Hulud Wave 1: Over 500 npm packages compromised in the first documented wave of the TeamPCP supply chain worm campaign.","source":"Snyk / StepSecurity retrospective reporting","source_url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"date":"2025-11-01","event":"Mini Shai-Hulud Wave 2: 492 packages and 700+ repositories compromised in second worm campaign wave.","source":"Snyk / StepSecurity retrospective reporting","source_url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"date":"2026-02-01","event":"TeamPCP allegedly exploits incomplete credential rotation in Aqua Security's Trivy repository, beginning Wave 3 of the campaign.","source":"HackRead: TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages","source_url":"https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/"},{"date":"2026-03-19","event":"Aqua Security's Trivy vulnerability scanner compromised via GitHub Actions; first confirmed TeamPCP attack in the 2026 series.","source":"StepSecurity: TeamPCP's Mini Shai-Hulud Is Back","source_url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"date":"2026-03-23","event":"Checkmarx KICS GitHub Action compromised via stolen personal access tokens. Alleged data breach at European Commission Europa.eu hub (90+ GB of data); this secondary breach claim is unconfirmed in Tier 1 sources.","source":"StepSecurity / HackRead","source_url":"https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/"},{"date":"2026-04-22","event":"Bitwarden CLI npm package (version 2026.4.0) trojanized for approximately 90 minutes. 
Payload contained string 'Shai-Hulud: The Third Coming'. Bitwarden confirmed no end-user vault data was at risk.","source":"SecurityWeek: Bitwarden NPM Package Hit in Supply Chain Attack","source_url":"https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/"},{"date":"2026-04-29","event":"Socket reports the 'Mini Shai-Hulud' campaign becomes active targeting npm and PyPI packages, including SAP and Intercom ecosystems.","source":"Heise Online: Supply chain attack on TanStack","source_url":"https://www.heise.de/en/news/Supply-chain-attack-on-TanStack-42-packages-compromised-11291014.html"},{"date":"2026-05-10","event":"Attacker GitHub account creates fork github.com/zblgg/configuration at 17:16 UTC. Malicious commit (65bf499d) adds ~30,000-line obfuscated payload to vite_setup.mjs. PR #7378 staged for submission.","source":"TanStack Blog: Postmortem","source_url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"date":"2026-05-11","event":"PR #7378 opened against TanStack/router main branch at ~10:49 UTC. pull_request_target workflows execute fork code. 1.1 GB poisoned GitHub Actions cache entry saved at 11:29 UTC.","source":"TanStack Blog: Postmortem","source_url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"date":"2026-05-11","event":"19:20:39 UTC: First batch of 42 malicious @tanstack/* package versions published via stolen OIDC token. 19:26:14 UTC: Second batch of 42 versions published. 84 total malicious versions live on npm.","source":"TanStack Blog: Postmortem","source_url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"date":"2026-05-11","event":"~19:46 UTC: External researcher ashishkurmi (StepSecurity) publicly discloses the compromise approximately 20 minutes after first publish. 
TanStack begins deprecating affected versions.","source":"TanStack Blog: Postmortem","source_url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"date":"2026-05-11","event":"Worm self-propagates to 170+ additional npm and PyPI packages by end of day, including Mistral AI, UiPath (65+ packages), OpenSearch, and Guardrails AI. All 84 @tanstack malicious versions deprecated and removed by 23:55 UTC.","source":"Orca Security: TanStack and 160+ npm/PyPI Packages Compromised","source_url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"date":"2026-05-12","event":"Campaign expands to PyPI, compromising mistralai (version 2.4.6) and guardrails-ai (version 0.10.1).","source":"Orca Security: TanStack and 160+ npm/PyPI Packages Compromised","source_url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"date":"2026-05-19","event":"300+ malicious npm package versions published across 323 packages in the @antv data visualization ecosystem in a 22-minute automated burst via a compromised maintainer account. Microsoft Security Blog confirms.","source":"Microsoft Security Blog: Mini Shai-Hulud — Compromised @antv npm packages","source_url":"https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/"},{"date":"2026-06-01","event":"96 versions across 32 Red Hat @redhat-cloud-services npm packages compromised via a compromised Red Hat employee GitHub account. 
Packages had approximately 80,000 weekly downloads.","source":"The Register: Shai-Hulud malware worms Red Hat npm packages","source_url":"https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803"},{"date":"2026-06-02","event":"Phoenix Security reports aggregate campaign total of 600+ compromised packages and 2,500+ compromised GitHub repositories across all Mini Shai-Hulud / TeamPCP waves.","source":"Phoenix Security: TeamPCP / Mini Shai-Hulud npm Campaign","source_url":"https://phoenix.security/teampcp-mini-shai-hulud-npm-atool-maintainer-compromise-2026/"}]},"v":1}