Mini Shai-Hulud Campaign Compromises npm Packages
The Mini Shai-Hulud supply chain campaign, attributed to TeamPCP, has compromised several npm packages, including those within the @tanstack, @uipath, and @mistralai namespaces, leading to credential theft and potential further compromise.
On May 11, 2026, TeamPCP launched a coordinated supply chain attack against the npm ecosystem, compromising packages across multiple namespaces simultaneously. Impacted packages include those in the @tanstack, @uipath, and @mistralai namespaces. The TanStack compromise exploited a chain of three vulnerabilities in GitHub Actions, allowing the attacker to poison the cache and extract OIDC tokens. The published packages contain two infection vectors: an optionalDependencies entry and an embedded ~2.3MB obfuscated file named router_init.js. The UiPath packages use a preinstall script (node setup.mjs) to download the Bun runtime and execute the payload. This campaign uses similar methods to previous TeamPCP operations.
Attack Chain
- Attacker creates a fork of a legitimate repository (e.g., TanStack/router) and renames it (e.g., zblgg/configuration).
- Attacker opens a pull request to the original repository, triggering a `pull_request_target` workflow.
- The workflow checks out and executes the attacker's fork code.
- The attacker’s code poisons the GitHub Actions cache with a malicious pnpm store.
- Legitimate maintainer pull requests are merged, restoring the poisoned cache.
- Attacker-controlled binaries extract OIDC tokens from the GitHub Actions runner's process memory (`/proc/<pid>/mem`).
- The attacker uses stolen tokens to publish malicious package versions to npm.
- The published packages execute a credential stealer and self-propagating worm that exfiltrates data via git-tanstack[.]com, Session messenger network, and GitHub API dead drops.
Impact
The compromised npm packages can lead to the theft of sensitive credentials, including CI/CD tokens (GitHub Actions OIDC, GitLab, CircleCI), cloud credentials (AWS IMDSv2, GCP, Azure), Kubernetes service accounts, HashiCorp Vault tokens, and package registry tokens. The self-propagating worm functionality allows the attacker to further compromise other npm packages the victim has write access to. On developer machines, the malware installs a persistent gh-token-monitor daemon that polls GitHub and can wipe the home directory if a token is revoked.
Recommendation
- Search lockfiles and CI logs for affected package versions, specifically looking for `router_init.js` or `setup.mjs` at package roots (see affected packages list in this brief).
- Search for the `gh-token-monitor` daemon on developer machines and remove it before revoking GitHub tokens to avoid the wiper (see Attack Chain and Overview).
- Block the C2 domain `git-tanstack.com` and the `*.getsession.org` domains at the DNS/proxy level (see IOCs).
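The first two recommendations can be scripted. The following is an added example, not code from the brief or its publisher: it walks a checkout for packages that carry `router_init.js` or `setup.mjs` at their root or declare a `preinstall` hook that runs `setup.mjs`, and it looks for a LaunchAgent or systemd unit named after `gh-token-monitor`. The unit directories and the sample package tree are assumptions; match reported names and versions against the brief's affected-packages list.

```python
import json
import os
import tempfile
from pathlib import Path

# Files the brief ties to the two infection vectors, looked for at package roots.
SUSPECT_FILES = ("router_init.js", "setup.mjs")

def scan_packages(root):
    """(name, version, reason) per package under root with a suspect root file
    or a preinstall hook that runs setup.mjs (the UiPath vector)."""
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        pkg_dir = pkg_json.parent
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or not JSON: not a package manifest
        name, version = meta.get("name", str(pkg_dir)), meta.get("version", "?")
        for fname in SUSPECT_FILES:
            if (pkg_dir / fname).is_file():
                findings.append((name, version, f"{fname} present at package root"))
        preinstall = str((meta.get("scripts") or {}).get("preinstall", ""))
        if "setup.mjs" in preinstall:
            findings.append((name, version, f"preinstall runs: {preinstall}"))
    return findings

def find_persistence(dirs=None):
    """Paths of LaunchAgent plists / systemd units named after gh-token-monitor."""
    if dirs is None:  # assumed unit locations on a developer machine
        home = Path(os.environ.get("HOME", "/nonexistent"))
        dirs = (home / "Library/LaunchAgents", home / ".config/systemd/user",
                Path("/etc/systemd/system"))
    return [str(p) for d in dirs if Path(d).is_dir()
            for p in sorted(Path(d).iterdir()) if "gh-token-monitor" in p.name]

def build_sample_tree():
    """Constructed node_modules tree: one package mimicking the UiPath preinstall
    vector (made-up name, harmless stand-in file) plus one clean package."""
    root = Path(tempfile.mkdtemp())
    bad = root / "node_modules" / "@example-scope" / "infected"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": "@example-scope/infected",
        "version": "0.0.1", "scripts": {"preinstall": "node setup.mjs"}}))
    (bad / "setup.mjs").write_text("// constructed stand-in, not the real payload\n")
    clean = root / "node_modules" / "clean-pkg"
    clean.mkdir()
    (clean / "package.json").write_text(json.dumps({"name": "clean-pkg", "version": "1.0.0"}))
    return root
```

Run `scan_packages` against a project checkout or an unpacked tarball; a hit on the persistence check means the daemon should be removed before any GitHub token is revoked.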
Detection coverage
- Detect Malicious setup.mjs Execution (high): detects execution of the malicious setup.mjs script used in the UiPath package compromise.
- Detect router_init.js File Creation (medium): detects the creation of the router_init.js file with a specific size associated with the TanStack compromise.
- Detect gh-token-monitor Persistence (high): detects installation of the gh-token-monitor LaunchAgent or systemd service.
Detection queries are available on the platform.
Indicators of compromise (5 domains, 3 SHA-256 hashes)
| Type | Value |
|---|---|
| domain | git-tanstack.com |
| domain | seed1.getsession.org |
| domain | seed2.getsession.org |
| domain | seed3.getsession.org |
| domain | filev2.getsession.org |
| hash_sha256 | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c |
| hash_sha256 | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 |
| hash_sha256 | 2258284d65f63829bd67eaba01ef6f1ada2f593f9bbe41678b2df360bd90d3df |