Mini Shai-Hulud Worm — 170+ npm and PyPI Packages Compromised in Self-Replicating AI Supply Chain Attack
AI relevance: The worm persists inside AI coding tool configuration files (.claude/settings.json, .vscode/setup.mjs) and uses stolen OIDC tokens from CI runners to auto-publish malicious versions of AI/ML libraries including Mistral AI and Guardrails AI packages.
What Happened
- TeamPCP, a cross-ecosystem supply chain criminal group, deployed "Mini Shai-Hulud" — a self-propagating worm targeting npm, PyPI, and Composer registries starting late April 2026.
- Over 170 packages compromised across npm and PyPI, with 400+ malicious artifacts reported. Affected libraries include TanStack (hundreds of packages), Mistral AI, OpenSearch (1.3M weekly downloads), UiPath, and Guardrails AI.
- The worm hijacks GitHub Actions workflows via `pull_request_target` triggers, scrapes short-lived OIDC tokens from CI runner memory, and uses them to publish attacker-controlled package versions with valid SLSA Build Level 3 attestations — bypassing 2FA and standard detection.
- Payloads are heavily obfuscated (PBKDF2 with 200,000 iterations, AES-256-GCM, RSA-4096 key wrapping) and smuggle the Bun runtime as a living-off-the-land binary to evade Node.js-only detection.
- Credential theft targets GitHub PATs, npm tokens, AWS/GCP/Azure keys, Kubernetes service accounts, HashiCorp Vault tokens, and SSH keys across 100+ file paths.
- Exfiltration uses encrypted JSON committed to attacker-controlled GitHub repos with Dune-themed names ("kralizec-phibian-314") and dead-drop commits with encoded tokens.
- Dead-man's switch: systemd/LaunchAgent daemons check for token revocation every 60 seconds — if a 40x error is returned, the worm runs `rm -rf ~/` after a 24-hour grace period. Geofenced to skip Russian-language systems.
- FortiGuard Labs confirmed the worm bridges from CI/CD into production cloud: in May 2026, investigators traced a Jenkins runner compromise to full AWS admin escalation and Amazon Redshift data exfiltration.
- The NHS (UK) issued cyber alert CC-4781; TanStack withdrew all affected versions and scrubbed GitHub Actions caches.
Why It Matters
This is one of the first documented wormable, fully autonomous supply chain attacks: it requires zero human intervention after initial seeding. The persistence mechanism inside AI coding tool configs means developers who use Claude Code, Cursor, or VS Code AI extensions may unknowingly load malicious payloads on every session start. The SLSA attestation abuse is particularly dangerous — security tools that verify build provenance will see legitimate-looking signatures on poisoned artifacts.
What To Do
- Audit lock files (`package-lock.json`, `yarn.lock`, `poetry.lock`) for packages updated after April 29, 2026. Check against GHSA-g7cv-rxg3-hmpx and CVE-2026-45321.
- Rotate all GitHub PATs, npm tokens, cloud provider keys (AWS/GCP/Azure), Vault tokens, and Kubernetes secrets. Assume exposure if any affected packages were in your dependency tree.
- Search for persistence files: `.claude/settings.json`, `.claude/router_runtime.js`, `.vscode/setup.mjs`, `gh-token-monitor.sh`, `com.user.gh-token-monitor.plist`.
- Do not revoke tokens without isolating machines first — the dead-man's switch will wipe the filesystem. Deploy canary credentials and monitor for wipe scripts.
- Reprovision CI/CD runners from clean images; assume all recent build artifacts are compromised.
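The lock file audit in the first step above, as an added example that is not part of the original advisory or any vendor tooling: it extracts pinned (name, version) pairs from the three lock file formats named there and flags any that appear in an affected-version map. The sample lock files and the affected-version map are constructed placeholders; the real map must be filled from GHSA-g7cv-rxg3-hmpx / CVE-2026-45321.

```python
import json
import re

def npm_lock_packages(text):
    """(name, version) pairs from package-lock.json lockfileVersion 2/3 ('packages' map)."""
    found = set()
    for path, meta in json.loads(text).get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project itself, not a dependency
            found.add((path.rsplit("node_modules/", 1)[-1], meta["version"]))
    return found

def yarn_lock_packages(text):
    """(name, version) pairs from yarn.lock (classic or berry syntax)."""
    found, name = set(), None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            spec = line.split(",")[0].strip().strip('":')  # first of possibly several specs
            at = spec.rfind("@")                            # '@' at index 0 is a scope, not a range
            name = None if spec.startswith("__") else (spec[:at] if at > 0 else spec)
        elif name and line.strip().startswith("version"):
            found.add((name, line.split()[-1].strip('"')))
            name = None
    return found

def poetry_lock_packages(text):
    """(name, version) pairs from poetry.lock ([[package]] tables)."""
    found = set()
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:
            found.add((name.group(1).lower(), version.group(1)))
    return found

def flag_packages(found, advisory):
    """Sorted (name, version) pairs whose version appears in the advisory map."""
    return sorted(p for p in found if p[1] in advisory.get(p[0], ()))

# Constructed sample lock files. The affected-version map is a PLACEHOLDER:
# fill it from GHSA-g7cv-rxg3-hmpx / CVE-2026-45321 before real use.
NPM_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/@tanstack/react-query": {"version": "9.9.9"}}})
YARN_LOCK = ('__metadata:\n  version: 8\n\n"@tanstack/react-query@npm:^9.0.0":\n'
             '  version: 9.9.9\n\nlodash@^4.17.21:\n  version "4.17.21"\n')
POETRY_LOCK = ('[[package]]\nname = "mistralai"\nversion = "9.9.9"\n\n'
               '[[package]]\nname = "requests"\nversion = "2.32.3"\n')
PLACEHOLDER_ADVISORY = {"@tanstack/react-query": {"9.9.9"}, "mistralai": {"9.9.9"}}

def audit_all():
    found = npm_lock_packages(NPM_LOCK) | yarn_lock_packages(YARN_LOCK) | poetry_lock_packages(POETRY_LOCK)
    return flag_packages(found, PLACEHOLDER_ADVISORY)
```

Lock files record the pinned version but not when it was published, so a hit here tells you the version is on the advisory list; the "updated after April 29, 2026" check still needs registry metadata for the version.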