Key Takeaways

  • Critical supply chain compromise disclosed May 12, 2026
  • TanStack, Mistral AI, UiPath, and 160+ npm/PyPI packages affected
  • TeamPCP attacker group
  • Named “Mini Shai-Hulud” due to credential theft, self-propagation, and destructive wiper
  • Immediate action required

Executive Summary

A critical supply chain compromise was disclosed on May 12, 2026, affecting TanStack, Mistral AI, UiPath, and over 160 additional npm and PyPI packages. The attack, attributed to the threat actor group TeamPCP and dubbed “Mini Shai-Hulud,” allows attackers to steal credentials, self-propagate through the npm ecosystem, and potentially wipe developer home directories via a persistent destructive daemon. Due to the active exploitation and worm-like propagation, immediate action is required.

How the Exploit Chain Worked

The issue originates from a chain of three GitHub Actions vulnerabilities exploited in sequence. The attacker forked the TanStack/router repository, opened a pull request that triggered a pull_request_target workflow, and poisoned the GitHub Actions cache with a malicious pnpm store. When legitimate maintainer merges later triggered the release workflow, the poisoned cache was restored and attacker-controlled binaries extracted OIDC tokens directly from the GitHub Actions runner process memory via /proc/<pid>/mem. These tokens were then used to publish malicious package versions to npm without ever needing to steal long-lived credentials. Because the malicious packages were published from within the legitimate GitHub Actions runner using valid OIDC tokens, they carry valid npm provenance attestations, meaning provenance alone is not a reliable safety signal for this attack.
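The chain above depends on two workflow properties: a workflow reachable from fork pull requests can write the Actions cache, and a workflow holding OIDC publishing rights later restores it. The following audit is an added example, not code from the affected projects or from this advisory's sources. Its grep patterns are heuristic assumptions about how caching is declared, and the sample workflow files are constructed.

```shell
#!/bin/sh
# Added heuristic audit; the grep patterns below are assumptions about how a
# workflow declares caching, not rules taken from the advisory.

# True if the workflow file uses actions/cache or a setup action's "cache:" input.
uses_cache() {
  grep -Eq 'uses:[[:space:]]*actions/cache|^[[:space:]]*cache:[[:space:]]' "$1"
}

# audit_workflows REPO_DIR: print one finding per risky workflow file.
audit_workflows() {
  for wf in "$1"/.github/workflows/*.yml "$1"/.github/workflows/*.yaml; do
    [ -f "$wf" ] || continue
    uses_cache "$wf" || continue
    if grep -q 'pull_request_target' "$wf"; then
      printf '%s: fork-triggerable workflow can write the Actions cache\n' "${wf##*/}"
    fi
    if grep -Eq 'id-token:[[:space:]]*write' "$wf"; then
      printf '%s: OIDC-capable workflow restores a shared cache\n' "${wf##*/}"
    fi
  done
}

# Constructed sample repository with three minimal workflow files.
repo=$(mktemp -d) || exit 1
mkdir -p "$repo/.github/workflows"
cat > "$repo/.github/workflows/pr-bench.yml" <<'EOF'
on: pull_request_target
jobs:
  bench:
    steps:
      - uses: actions/cache@v4
EOF
cat > "$repo/.github/workflows/release.yml" <<'EOF'
on: { push: { branches: [main] } }
permissions:
  id-token: write
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
EOF
printf 'on: pull_request\n' > "$repo/.github/workflows/ci.yml"
audit_workflows "$repo"
rm -rf "$repo"
```

A match is a prompt for manual review of the workflow, since a text search cannot tell whether the two workflows actually share a cache key.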

How the Worm Propagates

When any affected package version is installed, the malicious payload executes during npm lifecycle hooks and steals GitHub tokens, npm tokens, AWS credentials (via IMDSv2), GCP and Azure credentials, Kubernetes service account tokens, HashiCorp Vault tokens, and environment variables. The payload then identifies npm packages the victim has publish access to, modifies those package archives to inject the same malicious dependency, bumps versions, and publishes new compromised releases using the stolen credentials. This worm behavior means each compromised developer or CI runner becomes a new infection vector, amplifying the attack across the ecosystem.

The gh-token-monitor Wiper

A particularly dangerous component is the persistent wiper daemon called gh-token-monitor. If the payload finds a valid GitHub token with repo write access and org membership, it installs a daemon that polls GitHub every 60 seconds. If the token is revoked, the daemon executes rm -rf ~/, wiping the user’s home directory. On macOS this persists via a LaunchAgent plist, and on Linux via a systemd user service. The daemon automatically exits after 24 hours. Security teams must locate and remove this daemon before revoking any GitHub tokens to avoid triggering the destructive payload.

No CVE has been assigned at the time of writing. Aikido Security classifies this as a 100/100 Critical malware issue. No authentication is required to exploit this issue since it triggers automatically during package installation.

Scope of Compromise

The compromise covers 373 malicious package-version entries spanning 169 npm package names and 2 PyPI packages. The primary affected namespaces include @tanstack (83 entries across router, start, devtools, and adapter packages), @uipath (66 entries), @squawk (87 entries), @mistralai (including mistralai, mistralai-azure, and mistralai-gcp), @tallyui, @beproduct, and numerous unscoped packages such as intercom-client, lightning, and opensearch-project/opensearch. On PyPI, the affected packages are guardrails-ai 0.10.1 and mistralai 2.4.6.

Exfiltration uses a triple-channel C2 architecture including the typosquat domain git-tanstack[.]com, the decentralized Session messenger network (via getsession.org seed nodes), and GitHub API dead drops where stolen tokens create Dune-themed repositories. The Session network channel is new in this wave and significantly harder to disrupt than domain-based C2.

Immediate Mitigation Steps

Users should immediately check for the persistence daemon at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS or ~/.config/systemd/user/gh-token-monitor.service on Linux and remove it before revoking any tokens. Then audit lockfiles and CI logs for any affected package versions, check .claude/ and .vscode/ directories for persisted payload files such as router_runtime.js or setup.mjs which survive npm uninstall, and rotate all credentials from any affected machine or runner including npm tokens, GitHub PATs, AWS/GCP/Azure credentials, Kubernetes service account tokens, and CI/CD secrets. Block git-tanstack[.]com, *.getsession.org, and 83.142.209[.]194 at the DNS or proxy level. Upgrade to clean versions published by maintainers after May 12, 2026.
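The first two checks in this procedure can be scripted so that token revocation is gated on the result. This triage script is an added example, not tooling from Orca or the affected maintainers. The paths and file names are the ones listed above; the function names and exit codes are choices made for this example, and the demo data is constructed.

```shell
#!/bin/sh
# Added triage sketch; paths and file names are the ones listed in this advisory.

# Print any gh-token-monitor persistence file present under the given home dir.
find_wiper_persistence() {
  for f in \
    "$1/Library/LaunchAgents/com.user.gh-token-monitor.plist" \
    "$1/.config/systemd/user/gh-token-monitor.service"; do
    if [ -e "$f" ]; then printf '%s\n' "$f"; fi
  done
}

# Print payload files persisted inside .claude/ or .vscode/ below the given root.
find_persisted_payloads() {
  find "$1" -type f \( -name router_runtime.js -o -name setup.mjs \) \
    \( -path '*/.claude/*' -o -path '*/.vscode/*' \) 2>/dev/null || true
}

# triage HOME_DIR SCAN_ROOT
# Exit codes (chosen for this example): 0 clean, 1 payload files only,
# 2 wiper persistence present, so token revocation must wait.
triage() {
  wiper=$(find_wiper_persistence "$1")
  payloads=$(find_persisted_payloads "$2")
  if [ -n "$payloads" ]; then
    printf 'Persisted payload files (survive npm uninstall):\n%s\n' "$payloads"
  fi
  if [ -n "$wiper" ]; then
    printf 'Wiper persistence found, remove BEFORE revoking tokens:\n%s\n' "$wiper"
    return 2
  fi
  if [ -n "$payloads" ]; then return 1; fi
  printf 'No known persistence artifacts found.\n'
}

# Constructed demo: a throwaway fake home with both artifact types planted.
demo=$(mktemp -d) || exit 1
mkdir -p "$demo/.config/systemd/user" "$demo/proj/.vscode"
: > "$demo/.config/systemd/user/gh-token-monitor.service"
: > "$demo/proj/.vscode/setup.mjs"
triage "$demo" "$demo/proj" || printf 'triage exit code: %s\n' "$?"
rm -rf "$demo"
```

On a real machine, call `triage "$HOME" /path/to/checkouts` and treat exit code 2 as a hard stop on any credential rotation until the listed files have been removed.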

Why This Attack Matters

At the time of writing, this is an actively exploited supply chain attack with no separate proof of concept needed since the malicious packages themselves are the exploit. The npm team has been notified and is actively removing affected versions. This is the third documented wave from TeamPCP, following compromises of SAP npm packages in late April 2026 and PyTorch Lightning on April 30, 2026.

How Can Orca Help?

Orca enables customers to quickly identify assets running vulnerable versions, understand their exposure in context including internet accessibility, runtime reachability, and asset criticality, and prioritize remediation based on real risk rather than CVSS alone. Orca’s platform highlights affected assets directly in the newItem view, helping security teams focus on the most critical remediation paths first.

UPDATE May 12th 17:00 UTC

In a troubling development, TeamPCP briefly published the Shai-Hulud source code on GitHub before the repository was removed. Copies have already been mirrored online, enabling defenders to improve detections but also giving threat actors a ready-made foundation to create new variants, similar to how the Mirai botnet evolved after its source code was released publicly. This significantly increases the likelihood of copycat attacks and derivative strains. At this moment it is too early to know the full impact this will have, but we continue to monitor for any developments.