TanStack npm Supply Chain Attack (Mini Shai-Hulud / TeamPCP)
Summary
On May 11, 2026, threat actor group TeamPCP executed a sophisticated supply chain attack against the TanStack npm ecosystem, compromising 42 packages across 84 malicious versions collectively downloaded millions of times per week. The attack, branded internally as the 'Mini Shai-Hulud' worm, chained three GitHub Actions vulnerabilities to extract an OIDC token from runner memory and autonomously publish credential-stealing payloads that spread to over 170 additional npm and PyPI packages including Mistral AI, UiPath, and OpenSearch. The campaign is the fourth documented wave from TeamPCP, a group active since at least late 2024, and represents the first recorded npm worm to produce validly-attested malicious packages under SLSA Build Level 3 provenance.
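As an added illustration (not code from the TanStack postmortem or from any project named on this page), the check below flags the first link of the GitHub Actions chain summarized above: a pull_request_target workflow that checks out and runs fork code and writes an Actions cache from that privileged job. The two workflow bodies, their step contents and the audit function are constructed samples, not TanStack's actual configuration.

```python
import re

# Constructed sample (not TanStack's real workflow): the shape the timeline
# describes, a pull_request_target job that checks out and runs fork code.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
      - run: node vite_setup.mjs
"""

# Hardened form: plain pull_request runs fork code without base-repo secrets,
# and the job no longer writes a cache that later base-branch runs could trust.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: node vite_setup.mjs
"""

TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.MULTILINE)
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
CACHE = re.compile(r"uses:\s*actions/cache@")

def audit_workflow(text):
    """Return a list of findings for one workflow file body (empty if clean)."""
    findings = []
    if not TRIGGER.search(text):
        return findings  # ordinary pull_request: no base-repo secrets exposed
    findings.append("pull_request_target: fork PR runs with base-repo secrets")
    if HEAD_REF.search(text):
        findings.append("checks out PR head: untrusted fork code runs privileged")
    if CACHE.search(text):
        findings.append("writes Actions cache from privileged job: poisoning risk")
    return findings
```

Run it over every file under .github/workflows to list jobs that combine the trigger with a checkout of the PR head; those are the ones to convert to plain pull_request or to a split trusted/untrusted job design.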
Timeline (16 events)

2025-09-01
Mini Shai-Hulud Wave 1: Over 500 npm packages compromised in the first documented wave of the TeamPCP supply chain worm campaign.
Source: Snyk / StepSecurity retrospective reporting

2025-11-01
Mini Shai-Hulud Wave 2: 492 packages and 700+ repositories compromised in the second worm campaign wave.
Source: Snyk / StepSecurity retrospective reporting

2026-02-01
TeamPCP allegedly exploits incomplete credential rotation in Aqua Security's Trivy repository, beginning Wave 3 of the campaign.
Source: HackRead: TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages

2026-03-19
Aqua Security's Trivy vulnerability scanner compromised via GitHub Actions; first confirmed TeamPCP attack in the 2026 series.
Source: StepSecurity: TeamPCP's Mini Shai-Hulud Is Back

2026-03-23
Checkmarx KICS GitHub Action compromised via stolen personal access tokens. Alleged data breach at the European Commission's Europa.eu hub (90+ GB of data); this secondary breach claim is unconfirmed in Tier 1 sources.
Source: StepSecurity / HackRead

2026-04-22
Bitwarden CLI npm package (version 2026.4.0) trojanized for approximately 90 minutes. The payload contained the string 'Shai-Hulud: The Third Coming'. Bitwarden confirmed no end-user vault data was at risk.
Source: SecurityWeek: Bitwarden NPM Package Hit in Supply Chain Attack

2026-04-29
Socket reports the 'Mini Shai-Hulud' campaign becoming active against npm and PyPI packages, including the SAP and Intercom ecosystems.
Source: Heise Online: Supply chain attack on TanStack

2026-05-10
Attacker GitHub account creates the fork github.com/zblgg/configuration at 17:16 UTC. Malicious commit 65bf499d adds a ~30,000-line obfuscated payload to vite_setup.mjs. PR #7378 staged for submission.
Source: TanStack Blog: Postmortem

2026-05-11
PR #7378 opened against the TanStack/router main branch at ~10:49 UTC. pull_request_target workflows execute fork code. A 1.1 GB poisoned GitHub Actions cache entry is saved at 11:29 UTC.
Source: TanStack Blog: Postmortem

2026-05-11
19:20:39 UTC: First batch of 42 malicious @tanstack/* package versions published via the stolen OIDC token. 19:26:14 UTC: Second batch of 42 versions published. 84 malicious versions in total live on npm.
Source: TanStack Blog: Postmortem

2026-05-11
~19:46 UTC: External researcher ashishkurmi (StepSecurity) publicly discloses the compromise, approximately 20 minutes after the first publish. TanStack begins deprecating affected versions.
Source: TanStack Blog: Postmortem

2026-05-11
Worm self-propagates to 170+ additional npm and PyPI packages by end of day, including Mistral AI, UiPath (65+ packages), OpenSearch, and Guardrails AI. All 84 malicious @tanstack versions deprecated and removed by 23:55 UTC.
Source: Orca Security: TanStack and 160+ npm/PyPI Packages Compromised

2026-05-12
Campaign expands to PyPI, compromising mistralai (version 2.4.6) and guardrails-ai (version 0.10.1).
Source: Orca Security: TanStack and 160+ npm/PyPI Packages Compromised

2026-05-19
300+ malicious npm package versions published across 323 packages in the @antv data visualization ecosystem in a 22-minute automated burst via a compromised maintainer account. Microsoft Security Blog confirms.
Source: Microsoft Security Blog: Mini Shai-Hulud — Compromised @antv npm packages

2026-06-01
96 versions across 32 Red Hat @redhat-cloud-services npm packages compromised via a compromised Red Hat employee GitHub account. The packages had approximately 80,000 weekly downloads.
Source: The Register: Shai-Hulud malware worms Red Hat npm packages

2026-06-02
Phoenix Security reports an aggregate campaign total of 600+ compromised packages and 2,500+ compromised GitHub repositories across all Mini Shai-Hulud / TeamPCP waves.
Source: Phoenix Security: TeamPCP / Mini Shai-Hulud npm Campaign

Decision Log
- hash: TExsmTYWf2hP2Rz71KusKCaGnWENdYpiGaUSkscwqed
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/16/2026, 12:06:09 PM
last updated: 6/16/2026, 12:06:26 PM
avoid.net — verified advice for a post-truth world