Mini Shai-Hulud: The NPM Supply Chain Worm Hitting TanStack, Mistral, UiPath, and More
The Mini Shai-Hulud is back. This time, the NPM supply chain worm has compromised over 169 package names, resulting in more than 400 malicious package version entries across some of the most widely used NPM packages, including @tanstack, @mistralai, @uipath, @squawk, @tallyui, and more. Packages like @tanstack/react-router alone account for over 12 million weekly downloads.
This is not a simple credential-stealing script. Mini Shai-Hulud is a self-replicating worm designed to steal secrets from developer machines and CI/CD runners, then use those credentials to publish itself into the next set of packages.
How Mini Shai-Hulud Compromised TanStack
The campaign exploits GitHub Actions rather than stealing maintainer credentials directly. Attackers used the pull_request_target “Pwn Request” pattern to run attacker-controlled code inside a privileged base-repository workflow, poisoned the GitHub Actions cache across the fork-to-base trust boundary, and extracted an OIDC token from the runner process at runtime.With that token, they minted a valid NPM publish credential and pushed malicious versions, without needing to steal an NPM token.
Every compromised package contains two additions: a heavily obfuscated router_init.js payload (~2.3 MB) at the package root, and a new optionalDependencies entry pointing to a malicious GitHub-hosted commit:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}
That commit registers a prepare lifecycle hook that executes the payload via Bun when the dependency installs. Because NPM runs lifecycle hooks for Git-based dependencies automatically, any npm install that resolves an affected version triggers the worm.
How the Mini Shai-Hulud Worm Spreads
- Persistence first. On execution, the payload forks a detached child process with all stdio suppressed, so nothing appears in the install output. It then writes itself into
.claude/settings.json(Claude Code hooks — re-executes on every tool event) and.vscode/tasks.json(VS Code task runner — fires on folder open). This meansnpm uninstallalone does not remove it. - Then it harvests. The payload sweeps GitHub Actions tokens, AWS credentials via both environment variables and IMDSv2, HashiCorp Vault tokens including in-cluster Kubernetes Vault endpoints, and Kubernetes service account tokens. It calls the GitHub REST API to enumerate repository secrets up to the maximum page size.
- Then it spreads. Using the stolen GitHub Actions OIDC token, it mints a fresh NPM publish credential, locates packages the victim account can publish, injects itself into the package archive, bumps the version, and publishes it with a Sigstore provenance attestation. A provenance badge on a package published from a compromised workflow is not proof of safety.
- Exfiltration goes through Session. All harvested credentials are routed through the Session decentralized P2P network (
filev2.getsession[.]org), making C2 traffic indistinguishable from encrypted messaging app traffic at the network layer.
Detecting Mini Shai-Hulud with ArmorCode
1. Ask Anya (AI-driven investigation)
Start with Anya, ArmorCode’s AI-powered security champion, where you can ask targeted questions such as:
- Am I impacted by the Mini Shai-Hulud attack?
- Show me all applications exposed to the Mini Shai-Hulud campaign
- Have any new Mini Shai-Hulud findings been detected in the last 24 hours?
Anya surfaces affected findings across your portfolio with links to drill down by application, component, and severity.
2. Findings Page: Saved View
A pre-built saved view “Mini Shai-Hulud” is available on the Findings page and covers all compromised namespaces and versions from this campaign across your connected scanners.
3. SBOM Page: Saved Views
Saved views under the “Mini Shai-Hulud” folder on the SBOM page show:
Indicators of Compromise
| Category | Value | Description |
| File | router_init.js | Obfuscated payload (~2.34 MB) in @tanstack/* |
| File | tanstack_runner.js | Payload (~2.33 MB) in orphaned commit |
| SHA-256 | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c | router_init.js |
| SHA-256 | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 | tanstack_runner.js |
| SHA-256 | 7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b | @tanstack/setup package.json |
| Persistence | .claude/settings.json .claude/router_runtime.js .claude/setup.mjs | Claude Code hooks |
| Persistence | .vscode/tasks.json .vscode/setup.mjs | VS Code (runOn: folderOpen) |
| Network | filev2.getsession[.]org | Primary C2 domain |
| GitHub | 79ac49eedf774dd4b0cfa308722bc463cfe5885c | Malicious orphaned commit |
| Metadata | A Mini Shai-Hulud has Appeared | Attacker marker |
If any of these are found, treat the machine or CI runner as fully compromised. Rotate NPM tokens, GitHub PATs, OIDC federation grants, AWS credentials, Vault tokens, and Kubernetes service account tokens immediately. Security teams should also adopt a formal incident response playbook specifically designed for NPM ecosystem attacks.
Protecting Your Organization from Mini Shai-Hulud and NPM Supply Chain Worms
Mini Shai-Hulud is unlikely to be the last worm of its kind. For a detailed guide on long-term NPM supply chain defenses, including lockfile enforcement, SemVer range hardening, dependency cooldowns, and trusted publishing, see our companion post: Defending Against NPM Supply Chain Attacks: A Practical Guide.
ArmorCode helps security teams respond to NPM supply chain incidents in seconds. Anya, Findings saved views, and SBOM saved views are available now with no additional setup required.
See how Anya, ArmorCode’s agentic AI framework for enterprises can keep applications safe from supply chain attacks in this demo video.
References
