TL;DR
- On May 11, 2026, threat actor TeamPCP launched a coordinated supply chain attack compromising over 170 npm and PyPI packages—including TanStack, Mistral AI, and OpenSearch ecosystems.
- The worm, dubbed “Mini Shai Hulud,” hijacks GitHub Actions workflows to forge valid publish tokens, then deploys a credential stealer targeting AWS IAM keys, GitHub Personal Access Tokens, HashiCorp Vault tokens, and Kubernetes secrets—and injects persistence hooks into Claude Code and VS Code so it survives reboots.
- If you use any of the affected packages, read on for IOCs, remediation steps, and what to do right now.
What happened
On May 11, 2026, a coordinated supply chain attack linked to threat actor TeamPCP compromised over 170 npm and PyPI packages, including popular ecosystems like TanStack, Mistral AI, and OpenSearch. The worm, dubbed “Mini Shai Hulud,” combines the following infection and propagation mechanisms:
- Workflow hijacking: It abuses GitHub Actions “pull_request_target” triggers and OIDC token extraction to “mint” valid publish tokens, allowing it to push malicious updates with valid SLSA Build Level 3 provenance attestations.
- Payload: Compromised versions contain an obfuscated JavaScript file (router_init.js or setup.mjs) that profiles the environment and launches a modular credential stealer.
- Self-propagation: The malware attempts to locate npm tokens with 2FA bypasses to infect other packages published by the same maintainer. It also injects persistence hooks into Claude Code and VS Code settings to survive reboots and re-execute on IDE launch.
Why it matters & next steps
The worm is designed for lateral movement; once it infects a developer’s environment, it attempts to steal AWS IAM credentials, GitHub Personal Access Tokens, HashiCorp Vault tokens, and Kubernetes secrets to compromise entire organizational infrastructures. We recommend that organizations take the necessary steps to identify potentially impacted systems and remediate the threat as outlined below.
Recommendations:
- Audit & cleanup: Check for the presence of router_init.js in node_modules or suspicious persistence hooks in .vscode/tasks.json and ~/.claude/settings.json.
- Containment: Disable any unauthorized system services (e.g., gh-token-monitor.service) before rotating credentials.
- Credential rotation: If a compromise is suspected, immediately rotate GitHub Personal Access Tokens, npm publish tokens, AWS access keys, and HashiCorp Vault tokens.
- Network blocking: Implement DNS-level blocking for api.masscan.cloud.
- Pin dependencies: Use lockfiles and consider pinning dependencies to specific, verified hashes.
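One way to automate the audit step above (an added example, not part of the original advisory): it walks a directory tree, flags files carrying the IOC file names listed on this page, confirms a hit when the SHA-256 matches the published hash, and flags .vscode/tasks.json and .claude/settings.json files that mention an IOC. The function names and the marker-matching heuristic for hook files are assumptions; the advisory does not describe what the injected hooks look like.

```python
import hashlib
import os
from pathlib import Path

# IOC values copied from this page's IOC list (kept defanged, refanged at runtime)
IOC_NAMES = {"router_init.js", "setup.mjs", "transformers.pyz"}
IOC_SHA256 = {"ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c"}
IOC_NET = [s.replace("[.]", ".") for s in (
    "filev2.getsession[.]org", "api.masscan[.]cloud",
    "git-tanstack[.]com", "83[.]142[.]209[.]194")]
# Persistence locations named in the recommendations, relative to a project or home dir
HOOK_FILES = (Path(".vscode") / "tasks.json", Path(".claude") / "settings.json")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, hashes=IOC_SHA256):
    """Return sorted (severity, reason, relative path) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            try:
                if name in IOC_NAMES:  # a name alone is weak evidence; the hash confirms
                    hit = sha256_of(path) in hashes
                    findings.append(("confirmed" if hit else "review",
                                     "known hash" if hit else "IOC file name", rel.as_posix()))
                if any(rel.parts[-2:] == hook.parts for hook in HOOK_FILES):
                    text = path.read_text(errors="replace")
                    marks = [m for m in sorted(IOC_NAMES) + IOC_NET if m in text]
                    if marks:  # assumed heuristic: hook file mentions an IOC
                        findings.append(("review", "hook references " + ", ".join(marks), rel.as_posix()))
            except OSError:
                findings.append(("error", "unreadable", rel.as_posix()))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for severity, reason, rel in scan(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{severity:9} {reason}: {rel}")
```

A hook file that matches none of the markers is not thereby clean; review any unexpected task or hook entries by hand.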
Resources
Threat intelligence
The malicious payload is often found in files named router_init.js, setup.mjs, or transformers.pyz. It exfiltrates data using the decentralized Session Protocol (getsession.org) to evade traditional DNS-based blocking.
IOCs
- Domains: filev2.getsession[.]org, api.masscan[.]cloud, git-tanstack[.]com
- File names: router_init.js, setup.mjs, transformers.pyz
- Malicious hash (router_init.js): ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
- IP address: 83[.]142[.]209[.]194
- Author alias: claude@users.noreply.github.com (used for unauthorized commits)
