{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/uipath/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@tanstack/react-router","@uipath/apollo-core","@mistralai/mistralai"],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","malware"],"_cs_type":"threat","_cs_vendors":["TanStack","UiPath","Mistral AI"],"content_html":"\u003cp\u003eOn May 11, 2026, TeamPCP launched a coordinated supply chain attack against the npm ecosystem, compromising packages across multiple namespaces simultaneously. Impacted packages include those in the @tanstack, @uipath, and @mistralai namespaces. The TanStack compromise exploited a chain of three vulnerabilities in GitHub Actions, allowing the attacker to poison the cache and extract OIDC tokens. The published packages contain two infection vectors: an optionalDependencies entry and an embedded ~2.3MB obfuscated file named router_init.js. The UiPath packages use a preinstall script (node setup.mjs) to download the Bun runtime and execute the payload. This campaign uses similar methods to previous TeamPCP operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a fork of a legitimate repository (e.g., TanStack/router) and renames it (e.g., zblgg/configuration).\u003c/li\u003e\n\u003cli\u003eAttacker opens a pull request to the original repository, triggering a \u003ccode\u003epull_request_target\u003c/code\u003e workflow.\u003c/li\u003e\n\u003cli\u003eThe workflow checks out and executes the attacker\u0026rsquo;s fork code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code poisons the GitHub Actions cache with a malicious pnpm store.\u003c/li\u003e\n\u003cli\u003eLegitimate maintainer pull requests are merged, restoring the poisoned cache.\u003c/li\u003e\n\u003cli\u003eAttacker-controlled binaries extract OIDC tokens from the GitHub Actions runner\u0026rsquo;s process memory (\u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen tokens to publish malicious package versions to npm.\u003c/li\u003e\n\u003cli\u003eThe published packages execute a credential stealer and self-propagating worm that exfiltrates data via git-tanstack[.]com, Session messenger network, and GitHub API dead drops.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromised npm packages can lead to the theft of sensitive credentials, including CI/CD tokens (GitHub Actions OIDC, GitLab, CircleCI), cloud credentials (AWS IMDSv2, GCP, Azure), Kubernetes service accounts, HashiCorp Vault tokens, and package registry tokens. The self-propagating worm functionality allows the attacker to further compromise other npm packages the victim has write access to. On developer machines, the malware installs a persistent gh-token-monitor daemon that polls GitHub and can wipe the home directory if a token is revoked.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSearch lockfiles and CI logs for affected package versions, specifically looking for \u003ccode\u003erouter_init.js\u003c/code\u003e or \u003ccode\u003esetup.mjs\u003c/code\u003e at package roots (see affected packages list in this brief).\u003c/li\u003e\n\u003cli\u003eSearch for the \u003ccode\u003egh-token-monitor\u003c/code\u003e daemon on developer machines and remove it before revoking GitHub tokens to avoid the wiper (see Attack Chain and Overview).\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003egit-tanstack.com\u003c/code\u003e and \u003ccode\u003e*.getsession.org\u003c/code\u003e at the DNS/proxy level (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T07:01:02Z","date_published":"2026-05-12T07:01:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mini-shai-hulud-npm/","summary":"The Mini Shai-Hulud supply chain campaign, attributed to TeamPCP, has compromised several npm packages, including those within the @tanstack, @uipath, and @mistralai namespaces, leading to credential theft and potential further compromise.","title":"Mini Shai-Hulud Campaign Compromises npm Packages","url":"https://feed.craftedsignal.io/briefs/2026-05-mini-shai-hulud-npm/"}],"language":"en","title":"CraftedSignal Threat Feed — UiPath","version":"https://jsonfeed.org/version/1.1"}