
OIDC Theft Enables Signed Malware in TanStack and Mistral

The TeamPCP threat group deployed the Mini Shai-Hulud worm to steal OIDC tokens and publish malicious, signed packages across the npm and PyPI registries.

Over 170 packages across the npm and PyPI registries were compromised on May 11, 2026, in a supply chain attack that bypassed standard integrity checks. The campaign, attributed to the threat group TeamPCP and dubbed Mini Shai-Hulud, hijacked valid release pipelines to publish malicious versions of highly utilized developer tools. The Mini Shai-Hulud attack applied verifiable SLSA Build Level 3 provenance attestations to malicious payloads, making them indistinguishable from official releases. Affected packages represent over 518 million cumulative monthly downloads.

The Chained Workflow Attack Path

This campaign compromised the repositories directly. Attackers exploited the pull_request_target trigger in GitHub Actions by opening a pull request from a renamed fork. This action poisoned the GitHub Actions cache with a malicious pnpm store.

When legitimate maintainers merged the pull requests, the release workflow restored the poisoned cache. The malware extracted an OpenID Connect (OIDC) token directly from the runner’s process memory. Using these hijacked tokens, the attackers published malicious versions through the project’s own GitHub Actions release pipeline. This execution path demonstrates the vulnerability of CI/CD environments to targeted supply chain attacks.

Impact Scope

The attack targeted foundational frontend and AI tooling. TanStack suffered 84 malicious versions across 42 packages, including @tanstack/react-router. Mistral AI saw its official PyPI package, mistralai, modified to download secondary payloads. Other targeted projects include UiPath, OpenSearch, Guardrails AI, @squawk, and @tallyui.

| Target Ecosystem | Registry | Notable Packages | Malicious Modification |
| --- | --- | --- | --- |
| TanStack | npm | @tanstack/react-router | 84 malicious versions across 42 packages |
| Mistral AI | PyPI | mistralai | Modified to download secondary payloads |
| OpenSearch | PyPI / npm | OpenSearch Project | Secret exfiltration |

Payload Execution and Data Exfiltration

The primary payload is a 2.3MB obfuscated JavaScript file named router_init.js. Once executed, it profiles the local environment and steals credentials for AWS, GCP, Azure, Kubernetes, GitHub, and npm. The malware exfiltrates stolen data to git-tanstack[.]com or the decentralized Session messenger network. It also utilizes dead drops, uploading encrypted secrets to new repositories on the victim’s GitHub account labeled "Shai-Hulud: Here We Go Again". If you monitor AI applications or cloud infrastructure, sudden repository creation matching this string is a definitive indicator of compromise.

The malware contains aggressive destructive logic. A built-in token monitor script checks the validity of stolen credentials. If it detects that a token has been revoked, the script executes rm -rf ~/ on the victim’s machine. Certain variants also include a 1-in-6 probability of a geofenced wipe targeting systems located in Israel or Iran.

Remediation Protocol

The TanStack team published a post-mortem for CVE-2026-45321, which carries a CVSS score of 9.6. Socket, OX Security, and StepSecurity have released indicators of compromise to track the worm’s lateral spread.

If your systems pulled updates for TanStack, Mistral AI, or other affected packages on May 11 or 12, pin your dependencies to known-good versions released before May 11, 2026 at 19:20 UTC. Because the malware achieves persistence and actively retaliates against secret revocation, you must completely wipe and reinstall affected developer machines before rotating your CI/CD secrets and cloud access keys.
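An added example (not from the original article or any affected project) of the version check this remediation step implies: it compares each version in an npm lockfile against the publish timestamps in the registry's per-package `time` metadata and flags anything released at or after the May 11, 2026 19:20 UTC cutoff. The lockfile, timestamps, version numbers and the `demo-*` package names are constructed for illustration.

```javascript
// Cutoff from the article: only versions released before this instant count as known-good.
const CUTOFF = Date.parse("2026-05-11T19:20:00Z");

// Constructed sample lockfile (package-lock.json v3 layout); version numbers are made up.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@tanstack/react-router": { version: "9.9.2" },
  "node_modules/demo-dep": { version: "2.0.1" },
  "node_modules/demo-dep/node_modules/@tanstack/react-router": { version: "9.9.0" },
  "node_modules/demo-unlisted": { version: "0.1.0" },
} };

// Constructed sample of each package's registry `time` map (version -> publish time).
const sampleTimes = {
  "@tanstack/react-router": {
    created: "2024-01-01T00:00:00.000Z", modified: "2026-05-11T19:47:12.000Z",
    "9.9.0": "2026-04-02T10:00:00.000Z", "9.9.2": "2026-05-11T19:47:12.000Z",
  },
  "demo-dep": { "2.0.1": "2025-12-01T08:30:00.000Z" },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageNameFromLockPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// Flag locked versions published at or after the cutoff, or with no known publish time.
function auditLock(lock, times, cutoff = CUTOFF) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockPath(path);
    if (!name || !entry.version) continue; // root project or entry without a version
    const published = Date.parse((times[name] || {})[entry.version]);
    if (published < cutoff) continue; // released before the cutoff
    const status = Number.isNaN(published) ? "unknown" : "suspect";
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Pin candidate: the most recently published version that predates the cutoff.
function lastKnownGood(timeMap, cutoff = CUTOFF) {
  const dated = Object.entries(timeMap || {})
    .filter(([v, iso]) => v !== "created" && v !== "modified" && Date.parse(iso) < cutoff)
    .sort((a, b) => Date.parse(a[1]) - Date.parse(b[1]));
  return dated.length ? dated[dated.length - 1][0] : null;
}
console.log(auditLock(sampleLock, sampleTimes), lastKnownGood(sampleTimes["@tanstack/react-router"]));
```

Entries reported as `unknown` have no publish time in the supplied metadata and are not cleared by this check. The pin candidate is chosen by publish time, not by semver order.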
