
A rapidly expanding supply-chain attack tied to the “Mini Shai-Hulud” malware campaign has compromised more than 400 package artifacts across npm, PyPI, and Composer repositories.
The breached projects include widely used libraries from TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI.
Security researchers at Socket, Endor Labs, and Aikido say the malware steals credentials from developer systems and CI/CD pipelines, then uses them to automatically publish additional infected packages, allowing the campaign to spread across the open-source ecosystem.
The attack was first identified on May 11 after Socket detected malicious versions of 84 packages in the @tanstack namespace, including @tanstack/react-router, which receives more than 12 million weekly downloads. TanStack is a widely used open-source JavaScript ecosystem powering routing, state management, and full-stack web applications.
According to a postmortem by TanStack maintainer Tanner Linsley, the attackers chained together several GitHub Actions weaknesses, including the pull_request_target “Pwn Request” pattern, cache poisoning, and the runtime extraction of OIDC publishing tokens from GitHub Actions runners.
The attackers created an orphaned commit in a malicious fork of the TanStack/router repository and referenced it through a Git-based optional dependency:
"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}
That dependency executed a prepare lifecycle hook running tanstack_runner.js, a heavily obfuscated payload launched automatically during npm install.
Researchers say the malware harvests:
- GitHub tokens
- npm credentials
- AWS keys
- Kubernetes service account tokens
- Vault secrets
- SSH keys
- CI environment variables
It also abuses GitHub OIDC trusted publishing workflows to mint fresh npm publish tokens, allowing the worm to republish itself into packages maintained by compromised developers.
Socket’s analysis found the malware used persistence mechanisms targeting both VS Code and Anthropic’s Claude Code tooling by writing malicious files into .vscode/ and .claude/ directories. Exfiltration traffic was routed through the decentralized Session Messenger network using filev2.getsession[.]org, making command-and-control activity harder to detect.
The campaign quickly expanded beyond TanStack. Socket later identified compromised packages tied to OpenSearch, Mistral AI, UiPath, and dozens of @squawk/* packages, while Aikido said the campaign eventually affected 169 npm package names containing 373 malicious package-version entries.
Researchers also confirmed compromises on PyPI, including mistralai==2.4.6 and guardrails-ai==0.10.1. The malicious guardrails-ai release executed code on import and downloaded a remote Python payload from git-tanstack[.]com.
Previous “Shai-Hulud” campaigns targeted SAP, Zapier, ENS Domains, Postman, and other projects over the past year. Researchers noted the reuse of Dune-themed references and repositories named “A Mini Shai-Hulud has Appeared.”
TanStack has since deprecated all affected versions, purged GitHub Actions cache entries, hardened workflows, and coordinated with npm security to remove malicious packages.
Organizations that installed affected versions are advised to immediately rotate credentials accessible from impacted systems, audit npm publishing activity and GitHub Actions workflows for unauthorized releases, and search environments for indicators including router_init.js, tanstack_runner.js, router_runtime.js, and references to the malicious Git commit hash (79ac49eedf774dd4b0cfa308722bc463cfe5885c).
Researchers also recommend using lockfiles, disabling install scripts in CI with npm ci --ignore-scripts, and restricting GitHub OIDC publishing permissions to specific protected workflows and branches.
