Shai-Hulud Worm Steals Developer Secrets in Major npm and PyPI Supply Chain Attack


A new wave of the Shai-Hulud supply chain campaign is stealing developer secrets from npm, GitHub, AWS, Kubernetes, and CI/CD environments while spreading through trusted package publishing workflows.

The May 2026 wave, widely tracked as Mini Shai-Hulud, compromised more than 170 npm packages and two PyPI packages, according to researchers tracking the campaign. Affected projects included TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, Squawk, and other developer tools.

The attack is dangerous because it does not rely only on fake packages. In several cases, malicious versions were published through legitimate release pipelines, which made the packages appear trusted to developers and automated build systems.

What happened in the Shai-Hulud campaign

The latest wave began spreading through the npm ecosystem on May 11, 2026. Researchers said attackers compromised TanStack’s release process and published 84 malicious package artifacts across 42 packages in the @tanstack namespace.

The malware then spread beyond TanStack. Security firms tracked malicious versions affecting other npm packages and two PyPI packages, including Mistral AI’s Python SDK and Guardrails AI.

SafeDep said the campaign involved more than 170 npm packages, two PyPI packages, and 404 malicious versions. Aikido reported 373 malicious package-version entries across 169 npm package names. The difference comes from how each team counted affected packages and versions during a fast-moving incident.

Item | Details
Campaign name | Mini Shai-Hulud
Threat actor | TeamPCP
Main targets | Developer machines, CI/CD runners, npm packages, PyPI packages
Known ecosystems hit | TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, Squawk
Main goal | Credential theft, package poisoning, and automated propagation
Key risk | Stolen secrets can allow attackers to publish more malicious packages

How the worm spreads through developer infrastructure

Mini Shai-Hulud behaves like a worm. Once it compromises a build pipeline or developer environment, it searches for credentials that can publish more packages.

In the TanStack incident, researchers said attackers chained a pull_request_target abuse path, GitHub Actions cache poisoning, and OIDC token extraction from runner memory. That allowed malicious versions to come from a legitimate release workflow.

This matters because software provenance alone did not stop the attack. Snyk reported that the malicious TanStack npm packages carried valid SLSA provenance because the trusted pipeline itself had been hijacked.
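As an added example (not code from the article, TanStack, or any vendor), a text-level audit for the first link in that chain: a GitHub Actions workflow that runs on pull_request_target and checks out the pull request's own commit, with a cache step in the same run. It is regex-based rather than a YAML parser so it runs with the standard library only, and the sample workflow is constructed.

```python
import re

# Risky pattern the TanStack chain started from: a workflow triggered by
# pull_request_target runs with the base repository's secrets and write token, so
# checking out the pull request's own commit there lets untrusted code run with
# those privileges. A cache step in that run is a further concern, because later
# trusted runs restore whatever the PR run saved.
HEAD_CHECKOUT = re.compile(
    r"ref:\s*(?:\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}"
    r"|refs/pull/.+?/(?:merge|head))"
)
CACHE_STEP = re.compile(
    r"uses:\s*actions/cache@|^\s*cache:\s*['\"]?(?:npm|pnpm|yarn|pip)", re.M
)

def audit_workflow(yaml_text):
    """Return finding strings for one workflow file, inspected as text.
    Only the trigger section (everything before the first top-level 'jobs:') is
    checked for pull_request_target, so mentions inside job conditions are ignored."""
    trigger_section = re.split(r"^jobs:", yaml_text, maxsplit=1, flags=re.M)[0]
    if not re.search(r"\bpull_request_target\b", trigger_section):
        return []  # plain pull_request runs get no secrets; not the pattern audited here
    findings = []
    if HEAD_CHECKOUT.search(yaml_text):
        findings.append("pull_request_target checks out the PR head or merge ref: "
                        "untrusted code runs with repository secrets")
        if CACHE_STEP.search(yaml_text):
            findings.append("the same run writes the Actions cache: "
                            "entries can be poisoned for later trusted runs")
    return findings

# Constructed workflow showing the risky combination (not from any real repository).
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci
"""
```

Run it over every file under .github/workflows and treat any finding as a review item; a clean result does not prove the workflow safe, only that this one pattern is absent.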

  • The malware lands through a compromised npm or PyPI package.
  • It runs during install, import, or build activity depending on the package type.
  • It scans developer systems and CI/CD runners for secrets.
  • It steals npm tokens, GitHub credentials, cloud keys, SSH keys, and other secrets.
  • It uses stolen publishing access to poison more packages.
  • It adds persistence in developer tools and coding environments.

What Shai-Hulud steals

The malware targets the systems developers use to build and ship software. That includes local workstations, GitHub Actions runners, package publishing pipelines, and environments connected to cloud infrastructure.

StepSecurity said the payload can harvest credentials from more than 100 file paths, including cloud provider files, cryptocurrency wallets, AI tool settings, messaging apps, and developer configuration files.

Datadog’s static analysis of the leaked source code found modules for credential collection from the filesystem, shell environment, GitHub Actions runners, AWS, Kubernetes, and HashiCorp Vault.

Secret type | Why it matters
npm tokens | Can allow attackers to publish malicious package versions
GitHub tokens | Can expose source code, Actions workflows, and release pipelines
AWS keys | Can give access to cloud resources, data, and deployment systems
Kubernetes tokens | Can expose clusters, workloads, and service accounts
SSH keys | Can support lateral movement into servers and repositories
CI/CD secrets | Can let attackers poison builds and releases at scale

TeamPCP released the malware source code

The campaign became more dangerous after TeamPCP released Shai-Hulud source code on GitHub on May 12, 2026.

Security researchers said the release included deployment instructions and appeared under the phrase “A Gift From TeamPCP.” GitHub removed the repository, but researchers said forks and copies appeared before the takedown could stop reuse.

Datadog described the released code as a modular TypeScript and Bun framework for credential harvesting, encrypted exfiltration, supply chain poisoning, and persistence. OX Security later reported that copycat actors had already started uploading Shai-Hulud clones to npm.

Copycat attacks are already appearing

The public source code changed the threat from one controlled campaign into a reusable attack framework. Other actors can now modify the code, change command-and-control servers, and upload their own malicious packages.

OX Security reported new npm packages using Shai-Hulud clone behavior after the TeamPCP source release. One package was described as an almost direct copy of the leaked source code.

This means the risk may continue even after the original malicious packages are removed. Defenders now need to watch for new package names, typo-squatting attempts, and modified Shai-Hulud payloads.

PyPI packages used a different payload path

The campaign also crossed into the Python ecosystem. SafeDep said the malicious PyPI packages included mistralai 2.4.6 and guardrails-ai 0.10.1.

Unlike the npm packages, the PyPI payload executed on import. It downloaded a secondary payload named transformers.pyz from git-tanstack.com and ran it on Linux systems.

Mistral AI said the incident affected some SDK packages through a third-party TanStack supply chain attack. The company said an affected developer device was involved and that its infrastructure was not compromised.

Package ecosystem | Known behavior | Example indicators
npm | Install-time payloads, CI/CD secret theft, package poisoning | setup.mjs, router_init.js, Session Protocol exfiltration
PyPI | Import-time payload that downloads a secondary Python archive | git-tanstack.com, transformers.pyz, /tmp/transformers.pyz
GitHub Actions | Runner memory token theft and trusted publishing abuse | OIDC token extraction, poisoned release workflows
Developer tools | Persistence through local configuration changes | .claude and .vscode configuration files

Claude Code and developer tool persistence

Shai-Hulud does not only steal secrets and leave. Researchers found persistence behavior aimed at developer tools, including Claude Code and VS Code.

StepSecurity said the malware installs persistence hooks in Claude Code, VS Code, and operating system services that can survive reboots. SafeDep also listed dropped files under .claude and .vscode paths as indicators.

OX Security found an “Anthropic Magic String” inside the source code release, which researchers described as a string designed to prevent Claude Code from analyzing the profile. This adds another layer of concern for teams using AI coding assistants in development workflows.

Why this attack is hard to detect

The campaign abuses the same systems developers trust every day: package registries, GitHub Actions, OIDC publishing, release pipelines, and package provenance.

In the TanStack case, malicious packages came from a trusted release pipeline. That makes them harder to catch with checks that only ask whether a package came from the expected maintainer or build system.

The attack also moves quickly. A compromised package can steal secrets, publish more poisoned packages, and create persistence before a developer or CI job shows clear signs of compromise.

  • Trusted release pipelines can publish malicious packages if the pipeline is hijacked.
  • Valid provenance does not prove that the built code was safe.
  • CI/CD secrets can spread the attack to more packages.
  • Developer workstations can become long-term sources of stolen credentials.
  • Public source code increases the risk of copycat attacks.

Indicators defenders should check

Security teams should review dependency lockfiles, CI logs, developer machines, and GitHub repositories for signs of Mini Shai-Hulud activity.

Indicators vary by wave and package ecosystem, but several artifacts appeared repeatedly in public reporting. Teams should combine these with package-version lists from security vendors and registry advisories.

Indicator type | Indicator | Reason to check
Domain | git-tanstack.com | Used in the PyPI payload chain for transformers.pyz
File | setup.mjs | Install-time payload artifact in npm attacks
File | router_init.js | Payload name tied to TanStack-related compromise reporting
File | transformers.pyz | Secondary payload downloaded by malicious PyPI packages
Path | /tmp/transformers.pyz | Linux payload staging path
Config path | .claude/settings.json | Developer tool persistence indicator
Config path | .vscode/tasks.json | Developer tool persistence indicator
GitHub marker | A Mini Shai-Hulud has Appeared | Marker used in GitHub dead-drop repositories

What developers should do now

Developers should first check whether they installed any affected package versions during the May 2026 campaign window. This includes direct installs and transitive installs captured in lockfiles.

If a compromised package ran on a local machine or CI runner, teams should assume secrets available to that environment were exposed. Removing the package is not enough because the malware may have changed developer tool configuration or created persistence.

Credential rotation should happen only after containment. If teams rotate secrets before removing persistence, the malware may steal the new credentials as well.

  1. Check package lockfiles for affected TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, Squawk, and related packages.
  2. Remove malicious versions and pin dependencies to known-good releases.
  3. Contain affected developer machines and CI runners before rotating secrets.
  4. Review .claude, .vscode, and related configuration files for unauthorized hooks.
  5. Rotate npm, GitHub, AWS, Kubernetes, PyPI, SSH, and CI/CD credentials exposed to affected systems.
  6. Audit GitHub Actions workflows for unexpected changes and suspicious pull_request_target usage.
  7. Review OIDC trust policies and package publishing permissions.
  8. Search GitHub repositories for Shai-Hulud marker strings and unexpected commits.
  9. Block known malicious domains and review outbound connections from build systems.
  10. Add a cooldown period before newly released packages can enter CI/CD pipelines.
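As an added example for steps 1 and 2, not code from the article or any vendor: a standard-library Python check of npm lockfiles (lockfileVersion 1 and 2/3, so transitive installs are included) and pinned Python requirements against a list of affected versions. Only the two PyPI versions the article names are real; the @tanstack entry is an obvious placeholder for the list a vendor advisory supplies, and the sample inputs are constructed.

```python
import json
import re

# Constructed list of affected versions: the two PyPI releases named in the article,
# plus an obvious placeholder for npm entries, which must come from a vendor advisory.
AFFECTED = {
    "mistralai": {"2.4.6"},
    "guardrails-ai": {"0.10.1"},
    "@tanstack/PLACEHOLDER-PACKAGE": {"0.0.0-PLACEHOLDER"},
}

def _walk_lock_v1(deps, hits):
    # lockfileVersion 1 nests transitive packages under each parent's "dependencies".
    for name, meta in deps.items():
        if meta.get("version") in AFFECTED.get(name, set()):
            hits.append((name, meta["version"]))
        _walk_lock_v1(meta.get("dependencies", {}), hits)

def scan_package_lock(lock_text):
    """Return sorted (name, version) pairs in package-lock.json that match AFFECTED.
    Transitive installs are covered: v2/v3 lockfiles list every installed package
    under "packages" keyed by its node_modules path; v1 nests them under each parent."""
    data = json.loads(lock_text)
    hits = []
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED.get(name, set()):
            hits.append((name, meta["version"]))
    if "packages" not in data:
        _walk_lock_v1(data.get("dependencies", {}), hits)
    return sorted(set(hits))

def scan_requirements(req_text):
    """Return (name, version) pairs from a pinned requirements file that match AFFECTED."""
    hits = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and markers
        m = re.match(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*(\S+)$", line)
        name = m and m.group(1).lower().replace("_", "-")  # PyPI-style normalization
        if m and m.group(2) in AFFECTED.get(name, set()):
            hits.append((name, m.group(2)))
    return hits

# Constructed sample inputs, for illustration only.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {"": {"name": "app"},
    "node_modules/@tanstack/PLACEHOLDER-PACKAGE": {"version": "0.0.0-PLACEHOLDER"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_REQS = "MistralAI==2.4.6\nmistralai==2.4.5\nguardrails-ai[pydantic]==0.10.1 ; python_version > '3.9'\n"
```

A hit means the version was resolved into the environment, so the machine or runner that installed it falls under step 3 (contain before rotating), not just step 2.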

How organizations can reduce future supply chain risk

Shai-Hulud shows that attackers now target the software delivery system itself. This includes maintainers, release workflows, trusted publishing identities, CI runners, and developer workstations.

Organizations should treat CI/CD runners and developer machines as high-value assets. They often hold access to source code, packages, infrastructure, secrets, and production deployment paths.

Controls should focus on limiting blast radius. Short-lived credentials, least-privilege publishing rights, isolated runners, package allowlists, dependency cooldowns, and runtime monitoring can reduce damage when a package turns malicious.

  • Use short-lived tokens and remove long-lived publishing secrets where possible.
  • Limit which workflows can publish packages.
  • Separate build, test, and release permissions.
  • Avoid exposing broad cloud credentials to package install steps.
  • Monitor dependency updates from newly released package versions.
  • Review AI coding assistant configuration files as part of incident response.
  • Use isolated CI runners for high-risk dependency installation.
  • Disable unnecessary install scripts in CI where practical.

The larger lesson from Shai-Hulud

Mini Shai-Hulud marks a shift in open-source attacks. Attackers are no longer only uploading fake packages and waiting for developers to make mistakes.

They are hijacking trusted automation, stealing publishing identities, creating valid-looking package releases, and using the victim’s own supply chain to reach the next target.

For engineering and security teams, the response needs to go beyond dependency scanning. Teams need visibility into what code does during install and build time, what secrets each pipeline can access, and how quickly they can revoke trust when a package becomes compromised.

FAQ

What is Shai-Hulud malware?

Shai-Hulud is a self-propagating supply chain malware family that targets developer environments, npm packages, CI/CD pipelines, and secrets such as GitHub tokens, npm tokens, AWS keys, Kubernetes credentials, and SSH keys.

What is Mini Shai-Hulud?

Mini Shai-Hulud is the May 2026 wave of the broader Shai-Hulud campaign. It compromised more than 170 npm packages and two PyPI packages across ecosystems including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI.

How does Shai-Hulud spread?

The malware steals credentials from developer systems and CI/CD runners, then uses publishing access to upload more malicious package versions. In the TanStack incident, attackers abused GitHub Actions and OIDC publishing to push malicious releases through a legitimate pipeline.

What credentials does Shai-Hulud target?

Public analyses show Shai-Hulud targets npm tokens, GitHub credentials, AWS keys, Kubernetes tokens, SSH keys, CI/CD secrets, cloud credentials, Vault secrets, and configuration files used by developer tools.

What should teams do after exposure to Shai-Hulud?

Teams should contain affected machines and CI runners, remove malicious packages, check developer tool configuration files, rotate exposed credentials, audit GitHub Actions workflows, review OIDC trust policies, and block known malicious domains and payload paths.

Readers help support VPNCentral. We may get a commission if you buy through our links.
