Mini Shai-Hulud — Malware Persists via Claude Code Hooks and VS Code Auto-run Tasks
AI relevance: The Mini Shai-Hulud supply-chain malware now modifies Claude Code hooks and VS Code auto-run tasks to establish persistence — marking the first known campaign targeting AI coding agent configuration files for survival after package removal.
What happened
- The Mini Shai-Hulud malware, deployed across the TeamPCP supply-chain campaign targeting npm and PyPI packages, establishes persistence on infected developer systems by modifying Claude Code hooks and VS Code auto-run tasks.
- This persistence mechanism allows the malware to survive package removal — even after developers uninstall the trojanized packages, the malicious hooks continue executing on every agent run.
- OpenAI confirmed that two employee devices were compromised through the TanStack attack wave, with limited credentials stolen from internal source code repositories.
- OpenAI is rotating code-signing certificates for macOS, Windows, iOS, and Android products as a precaution; macOS users must update before June 12, 2026 or applications may fail to launch.
- The malware's primary objective is credential theft: GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files.
- Attackers abused weaknesses in GitHub Actions workflows and CI/CD configurations to execute malicious code, extract tokens from memory, and publish trojanized packages through legitimate release pipelines.
- The campaign also spread to other projects by using stolen credentials to compromise maintainer accounts, inject payloads into package tarballs, and publish new trojanized versions.
Why it matters
- Targeting Claude Code hooks and VS Code auto-run tasks is the first known instance of malware leveraging AI coding agent configuration for persistence — a novel technique that bypasses traditional persistence detection.
- Developer machines running AI coding agents (Claude Code, Codex, Cursor) are now high-value targets because they hold broad access to code repos, cloud credentials, and model API keys.
- The OpenAI breach confirms that even well-resourced AI companies with mature security practices are vulnerable to this supply-chain vector.
- The certificate rotation affecting macOS OpenAI apps demonstrates cascading operational impact from a single npm package compromise.
What to do
- Check Claude Code hook files (e.g., .claude/config directories) for unexpected modifications or unknown hook scripts.
- Review VS Code tasks.json and auto-run configurations for unfamiliar commands added during the May 14–19 infection window.
- Rotate all credentials on developer machines that installed compromised npm/PyPI packages — even after removing the packages, hooks may persist.
- macOS OpenAI desktop app users: update before June 12, 2026 to avoid launch failures from certificate rotation.
- Implement package integrity verification in CI/CD pipelines and enable npm provenance checks to detect unauthorized package publishes.
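One way to carry out the first two checks above, as an added example that is not from the original report or from either vendor. It assumes Claude Code hook definitions sit under a "hooks" key in settings.json or settings.local.json inside a .claude directory, and that VS Code auto-run tasks are those with runOptions.runOn set to "folderOpen"; the function names are hypothetical.

```python
import json
import re
import sys
from pathlib import Path

# Assumption: Claude Code hooks are defined under "hooks" in these files inside a .claude directory.
CLAUDE_SETTINGS = ("settings.json", "settings.local.json")

def load_jsonc(text):
    """Parse JSON; on failure retry without full-line // comments and trailing commas."""
    try:
        return json.loads(text)
    except ValueError:
        text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
        return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def claude_hooks(settings):
    """Yield (event, command) for every command hook in a Claude Code settings dict."""
    for event, groups in (settings.get("hooks") or {}).items():
        for group in groups or []:
            for hook in group.get("hooks") or []:
                if hook.get("command"):
                    yield event, hook["command"]

def autorun_tasks(tasks):
    """Yield (label, command line) for VS Code tasks that run when the folder opens."""
    for task in tasks.get("tasks") or []:
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            parts = [task.get("command", ""), *(task.get("args") or [])]
            yield task.get("label", "<unlabelled>"), " ".join(map(str, parts)).strip()

def audit(root):
    """Return sorted (path, check, name, command) findings for every config under root."""
    root, findings = Path(root), []
    found = [(p, claude_hooks) for n in CLAUDE_SETTINGS for p in root.rglob(f".claude/{n}")]
    found += [(p, autorun_tasks) for p in root.rglob(".vscode/tasks.json")]
    for path, extract in found:
        try:
            data = load_jsonc(path.read_text(encoding="utf-8", errors="replace"))
            findings += [(str(path), extract.__name__, n, c) for n, c in extract(data)]
        except (ValueError, AttributeError, TypeError, OSError) as exc:
            # Fail closed: a config that cannot be parsed still needs a human to read it.
            findings.append((str(path), extract.__name__, "UNPARSED", str(exc)))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_hooks.py <directory>   (defaults to the current directory)
    for row in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(" | ".join(row))
```

Every hook and folder-open task is listed, including legitimate ones, so compare each command against what the team actually configured and check file modification times against the infection window. VS Code user-level tasks and per-OS command overrides are outside what this scan reads.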