Mini Shai-Hulud — Self-Spreading Supply Chain Worm Hits 169 npm Packages, Mistral AI and UiPath

AI relevance: The Mini Shai-Hulud worm now compromises @mistralai and @uipath npm namespaces — packages used in billions of weekly AI/LLM API calls and enterprise RPA pipelines — with malware that executes on import and self-propagates via stolen CI/CD credentials.

What happened

  • On May 11, 2026 at 19:20 UTC, attackers used a chained GitHub Actions attack (pull_request_target "Pwn Request" + cache poisoning + OIDC token extraction) to compromise the TanStack repository and publish 84 malicious versions across 42 @tanstack/* packages.
  • Within 8.5 hours, the campaign escalated to 169 npm package names and 373 malicious package-version entries.
  • Compromised namespaces include @tanstack (83 versions), @squawk (87 versions), @uipath (66 versions), @mistralai, @tallyui, @beproduct, @opensearch-project, and unscoped packages including cmux-agent-mcp and agentwork-cli.
  • PyPI packages guardrails-ai and mistralai are now also compromised — executing malicious code on import, not on install.

The attack chain

  • Stage 1 — OIDC token theft: A malicious GitHub Actions workflow step extracts the runner's OIDC token from memory/environment variables, bypassing the need for long-lived npm tokens. The attacker mints a new npm publish token directly.
  • Stage 2 — Malicious delivery: Compromised packages ship a 2.3 MB heavily obfuscated router_init.js payload (javascript-obfuscator with string-array rotation and control-flow flattening) plus an optional dependency pointing to a GitHub-hosted @tanstack/setup with a prepare lifecycle script that auto-executes the payload.
  • Stage 3 — Credential harvesting: The implant fingerprints the environment (GitHub Actions, AWS, Kubernetes, Vault), harvests GitHub tokens, npm tokens, AWS keys, Kubernetes service accounts, Vault tokens, SSH keys, and cloud config files. Exfiltration uses a P2P Session network (filev2.getsession.org).
  • Stage 4 — Self-propagation: Using stolen npm OIDC tokens, the worm enumerates packages the victim can publish to, injects the malicious dependency, bumps the version, and republishes — autonomously, under the stolen identity.

Persistence hooks

  • Writes self-copies to .claude/router_runtime.js (Claude Code hooks).
  • Injects into .vscode/tasks.json for VS Code task auto-run.
  • Configures settings.json hooks to re-execute on future Claude Code events.

Why it matters

  • @mistralai packages are used in billions of weekly API calls for LLM inference, embeddings, and function calling. Any developer or CI environment importing these packages ingests the payload.
  • @uipath packages run in enterprise RPA build systems with access to deployment secrets, Kubernetes service accounts, and cloud credentials.
  • PyPI guardrails-ai executes on import — no wheel build, no setup hook. The moment Python code imports guardrails, it downloads a remote .pyz file and runs it.
  • This is a self-spreading, autonomous supply-chain worm — not a targeted incident. It will continue replicating until credentials are revoked.

What to do

  • Audit all npm and PyPI dependencies for the affected packages and versions listed by Lyrie Research.
  • Revoke all npm publish tokens, GitHub Actions OIDC tokens, and registry credentials for affected scopes.
  • Scan developer machines and CI runners for .claude/router_runtime.js, modified .vscode/tasks.json, and the obfuscated router_init.js payload.
  • Review GitHub Actions workflows for unauthorized pull_request_target triggers and cache poisoning.
  • Pin dependency versions and use lockfiles with integrity hashes — never float @mistralai, @uipath, or guardrails-ai without verification.
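
A defender-side check for the persistence hooks and injected dependency described above, as an added example that is not Lyrie Research's tooling or code from any affected project; it assumes only the artefact names on this page (router_init.js, .claude/router_runtime.js, .vscode/tasks.json, settings.json hooks, a GitHub-hosted @tanstack/setup dependency) and scans a constructed sample tree containing harmless stand-in files rather than any real payload:

```python
# Added example: walk a checkout or workstation tree for the persistence artefacts named in the advisory.
import json
import os
import tempfile
from pathlib import Path

IMPLANT_FILES = {"router_init.js", "router_runtime.js"}  # payload and self-copy names from the advisory
HOOK_MARKERS = ("router_init", "router_runtime")         # strings a re-execution hook would reference
CONFIG_FILES = {"tasks.json", "settings.json", "package.json"}

def _check_config(path, rel):
    """Flag VS Code tasks, Claude Code settings and package.json entries that
    re-launch the implant or pull the GitHub-hosted @tanstack/setup dependency."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = [(rel, "references implant script")] if any(m in text for m in HOOK_MARKERS) else []
    if path.name == "package.json":
        pkg = json.loads(text)  # assumes a well-formed package.json
        for field in ("dependencies", "optionalDependencies", "devDependencies"):
            spec = pkg.get(field, {}).get("@tanstack/setup", "")
            if spec.startswith("github:") or "github.com" in spec:
                hits.append((rel, f"{field}: @tanstack/setup from GitHub ({spec})"))
    return hits

def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in IMPLANT_FILES:
                findings.append((rel, "implant file name from advisory"))
            elif name in CONFIG_FILES:
                findings.extend(_check_config(path, rel))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (harmless stand-in files, no real payload) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / ".claude").mkdir()
        (base / ".claude" / "router_runtime.js").write_text("// constructed stand-in, not the implant\n")
        (base / ".vscode").mkdir()
        (base / ".vscode" / "tasks.json").write_text(json.dumps({"tasks": [{
            "label": "init", "command": "node .claude/router_runtime.js",
            "runOptions": {"runOn": "folderOpen"}}]}))
        (base / "package.json").write_text(json.dumps({"name": "app",
            "optionalDependencies": {"@tanstack/setup": "github:example/setup"}}))
        return scan_tree(base)
```

Run `scan_tree` against a real project root or home directory; `demo()` only exists to show the three finding types on constructed input.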

Sources