A recent supply chain attack orchestrated by the threat group TeamPCP has compromised packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. This incident is part of the Mini Shai-Hulud campaign, which involves altering npm and PyPI packages to include malicious code. The modified packages contain an obfuscated JavaScript file, ‘router_init.js’, designed to gather environment data and deploy a credential stealer targeting cloud services, cryptocurrency wallets, and more.
How the Attack Was Executed
The attackers used Session Protocol infrastructure to evade detection, as the domain associated with this infrastructure is typically not blocked in enterprise environments. Data exfiltration occurs through the ‘filev2.getsession[.]org’ domain, and as a failsafe, data is also committed to repositories under the pseudo-author ‘[email protected]’ using stolen GitHub tokens. This strategy ensures persistence and re-execution through hooks in development environments like Claude Code and VS Code.
In addition, the attack installs a service that monitors GitHub tokens, along with malicious workflows that serialize and exfiltrate repository secrets. TanStack identified that the breach originated from a GitHub Actions attack that used the ‘pull_request_target’ trigger and cache poisoning, without compromising npm tokens or publish workflows.
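As an added example (not code from the original article or from TanStack), the following heuristic Python check flags workflow files that combine the ‘pull_request_target’ trigger with a checkout of the pull request's head and a cache step, the combination that lets untrusted pull request code write to caches later restored by trusted jobs. The sample workflow, the function name `audit_workflow` and the risk labels are constructed for illustration.

```python
import re

# Constructed sample workflow for illustration (not taken from any real repository).
RISKY = """\
name: pr-benchmarks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm bench
"""
# Same jobs under the unprivileged trigger, which gets no base-repository secrets.
SAFE = RISKY.replace("pull_request_target:", "pull_request:")

TRIGGER = re.compile(r"\bpull_request_target\b")
# Checkout inputs that fetch the contributor's code instead of the base branch.
HEAD_REF = re.compile(
    r"ref:\s*.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/)")
# actions/cache steps, or a `cache:` input on a setup-* action.
CACHE = re.compile(r"uses:\s*actions/cache(/restore|/save)?@|^\s*cache:\s*\S", re.M)

def audit_workflow(text):
    """Heuristic, line-based audit of one workflow file's text."""
    # Drop full-line comments so a commented-out trigger does not count.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    result = {
        "trigger": bool(TRIGGER.search(body)),
        "pr_head_checkout": bool(HEAD_REF.search(body)),
        "cache": bool(CACHE.search(body)),
    }
    if not result["trigger"]:
        result["risk"] = "none"
    elif result["pr_head_checkout"] and result["cache"]:
        result["risk"] = "high"    # untrusted code runs in a job that can write caches
    else:
        result["risk"] = "review"  # privileged trigger; confirm no PR code is executed
    return result

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("safe", SAFE)):
        print(name, audit_workflow(wf))
```

Because the check is text-based, treat a "none" result as a triage signal only; reusable workflows and composite actions referenced by the file need the same review.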
Impact on TanStack and Beyond
The worm exploits npm tokens set to bypass two-factor authentication, allowing it to spread to other packages by exchanging GitHub OIDC tokens for per-package publish tokens. TanStack’s ecosystem has been notably affected, with the incident assigned CVE-2026-45321 and rated critical severity. A total of 42 packages and 84 versions were impacted, with malicious versions published through hijacked release pipelines. Researchers note that this is the first instance of an npm worm with valid SLSA Build Level 3 provenance.
Besides TanStack, the campaign has also spread to packages from UiPath, DraftLab, and several others, affecting both npm and PyPI ecosystems. The malicious packages include ‘[email protected]’ and ‘[email protected]’, among others.
Analysis and Future Implications
Microsoft’s analysis revealed that the ‘mistralai’ package downloads a credential stealer designed to bypass Russian environments and potentially execute destructive commands in Israel or Iran. The ‘guardrails-ai’ package runs malicious code upon import, targeting Linux systems. These findings indicate the campaign’s ongoing expansion across search infrastructure, AI tools, and CI/CD ecosystems.
This attack underscores the vulnerabilities in supply chains and the need for enhanced security practices. Organizations must remain vigilant and implement robust protection measures to safeguard against such sophisticated threats.
