Mini Shai-Hulud Alert: TeamPCP Hijacks @tanstack and PyPI to Poison 12 Million Weekly Downloads

The Mini Shai-Hulud incursion has once again laid siege to the software supply chain. While the initial offensive primarily targeted SAP modules, this malignant architecture has since metastasized into hundreds of contaminated iterations, specifically compromising the repositories where developers’ most coveted credentials reside.

This subsequent wave has permeated both npm and PyPI, infiltrating esteemed development instruments and exposing a distressing reality: neither Two-Factor Authentication (2FA), trusted publishing via GitHub Actions, nor meticulous build provenance records can definitively guarantee the integrity of a distributed package.

According to intelligence from Aikido, 373 malevolent versions across 169 npm packages have been unearthed. Wiz.io attributes this campaign to the collective TeamPCP, noting that the operation commenced on May 11, 2026, and instantaneously affected multiple namespaces. Endor Labs further identified over 160 compromised versions, emphasizing that 84 of these belonged to the @tanstack ecosystem—including @tanstack/react-router, which commands nearly 12 million weekly downloads.

In addition to TanStack, the breach afflicted namespaces such as @uipath, @mistralai, @squawk, @tallyui, and @taskflow-corp, alongside several standalone packages. Wiz.io also documented compromised PyPI distributions, specifically guardrails-ai 0.10.1 and mistralai 2.4.6. It was later clarified that a defect within the payloads for @uipath and @mistralai rendered the malicious code inert in those specific instances.

The most conspicuous facet of the assault centered on TanStack. Investigators revealed that the adversaries utilized a fork of the TanStack/router repository and an isolated commit—detached from the primary branch—with the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c. Although this commit was absent from the project’s official history, GitHub’s architecture permitted direct access to it. Through this maneuver, the attackers introduced a dependency on @tanstack/setup, utilizing a prepare script to execute tanstack_runner.js.

The compromised packages also harbored an obfuscated file, router_init.js, spanning approximately 2.3 MB. During installation, the prepare script of the Git dependency could trigger the execution of the payload on a developer’s workstation or a CI runner. The eventual failure of the command appeared benign, as the dependency was designated as optional.

A profound risk is associated with Trusted Publishing via GitHub Actions. Attackers successfully obtained ephemeral npm tokens through OIDC, enabling the publication of illicit versions without the theft of long-lived credentials. Consequently, build provenance records merely validated the origin of the build without attesting to its safety or authorization.

The Mini Shai-Hulud payload systematically scoured for GitHub and npm tokens, GitHub Actions secrets, cloud credentials for AWS, GCP, and Azure, Kubernetes tokens, HashiCorp Vault data, and SSH keys. Persistence was achieved on local machines through the manipulation of .claude and .vscode directories. Wiz.io also identified a gh-token-monitor daemon for macOS and Linux designed to facilitate ongoing token verification.

Exfiltration was conducted through several channels, including the domain git-tanstack.com, the Session network via filev2.getsession.org, and decoy GitHub repositories themed after Dune. In the Python variant, Wiz.io observed the retrieval of transformers.pyz and the exfiltration of credentials from password managers such as 1Password and Bitwarden.

The consensus among security researchers is clear: Mini Shai-Hulud has evolved beyond mere credential harvesting to transform developer access and CI/CD pipelines into a sophisticated new conduit for malware distribution. Security teams are urged to audit lock-files, CI logs, and caches for the presence of router_init.js, tanstack_runner.js, and unauthorized dependencies. Upon evidence of a breach, it is imperative to rotate not only npm tokens but also GitHub credentials, cloud keys, and Vault secrets, while meticulously verifying all internal package publications finalized after May 11, 2026.