TanStack + @uipath mini-Shai-Hulud compromise
On 2026-05-11 between 19:20 and 19:26 UTC, TeamPCP pushed malicious versions across @tanstack/*, @uipath/*, @mistralai/*, and many smaller scopes by chaining pull_request_target, GitHub Actions cache poisoning, and runtime OIDC-token extraction from a runner. Same Mini Shai-Hulud credential-stealer as the April SAP campaign. Final tally: 177 packages, 403 versions, >518M cumulative downloads. OpenAI confirmed two compromised employee devices and rotated platform code-signing certificates.
- Threat actor
- TeamPCP
- Detected by
- Wiz · Socket · Mend · OX Security
- Also known as
- Mini Shai-Hulud · TanStack burst
- Ecosystems
- npmPyPI
- Packages tracked
- 179
What happened
Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP detonated the largest Mini Shai-Hulud burst to date: 177 unique packages across @tanstack/*, @uipath/*, @mistralai/*, @squawk/*, @tallyui/*, @mesadev/*, @cap-js/*, and dozens of smaller scopes pushed in a six-minute window. Mend / OX Security tallied 172 packages / 403 versions / >518M cumulative downloads after re-verification on 2026-05-18; Socket's affected-packages CSV (champjss/mini-shai-hulud-checker-20260512) and the per-package GHSA advisories were used to drive the final list.
The entry vector was pull_request_target cache poisoning. The attacker submitted a benign-looking PR to a TanStack repository, which triggered a workflow that ran on a runner with the repo's OIDC trust intact. By chaining a GitHub Actions cache write with a runtime memory extraction step, the attacker pulled the OIDC token from the Runner.Worker process, exchanged it for an npm publish token, and then iterated through every package the compromised maintainer could push to.
The payload is the same Bun-runtime credential stealer used in the SAP / @cap-js April wave: ~498KB obfuscated JS, PBKDF2+SHA-256 runtime string decryption, AWS IMDSv2 + GCP metadata + Azure managed identity scraping, Kubernetes service-account token theft, and direct HashiCorp Vault reads. Stolen registry tokens fed the worm: many of the affected scopes share no maintainers with TanStack, but their tokens were within reach once an OpenAI employee's laptop was compromised.
- Wiz noted on 2026-05-13 that an initial bug in the
@uipath/*and@mistralai/*payload rendered those versions non-functional; the packages were still yanked and remain in scope for lockfile audits. - 2026-05-18 re-verification against
GHSA-g7cv-rxg3-hmpx(the full TanStack list), the TanStack postmortem refreshed 2026-05-15, and the Mend/OX Security tallies confirmed no new affected packages versus the 177 already in the database. - OpenAI publicly confirmed two employee devices were impacted and rotated macOS, Windows, iOS, and Android code-signing certificates.
- Same Bun stealer pattern resurfaces in the 2026-05-19
@antvburst and the same-daydurabletaskPyPI compromise.
The campaign also seeded the next hop: GitHub CLI credentials harvested from a Nx Console maintainer's laptop during this wave were used a week later to push the malicious nrwl.angular-console 18.95.0 build to the VS Code Marketplace and Open VSX.
Affected packages (179)
- npm
@beproduct/nestjs-auth0.1.20.1.30.1.40.1.50.1.60.1.70.1.80.1.90.1.100.1.110.1.120.1.130.1.140.1.150.1.160.1.170.1.180.1.19 - npm
@cap-js/db-service2.10.1 - npm
@cap-js/postgres2.2.2 - npm
@cap-js/sqlite2.2.2 - npm
@dirigible-ai/sdk0.6.20.6.3 - npm
@draftauth/client0.2.10.2.2 - npm
@draftauth/core0.13.10.13.2 - npm
@draftlab/auth0.24.10.24.2 - npm
@draftlab/auth-router0.5.10.5.2 - npm
@draftlab/db0.16.10.16.2 - npm
@mesadev/rest0.28.3 - npm
@mesadev/saguaro0.4.22 - npm
@mesadev/sdk0.28.3 - npm
@mistralai/mistralai2.2.22.2.32.2.4 - npm
@mistralai/mistralai-azure1.7.11.7.21.7.3 - npm
@mistralai/mistralai-gcp1.7.11.7.21.7.3 - npm
@ml-toolkit-ts/preprocessing1.0.21.0.3 - npm
@ml-toolkit-ts/xgboost1.0.31.0.4 - npm
@opensearch-project/opensearch3.5.33.6.23.7.03.8.0 - npm
@squawk/airport-data0.7.40.7.50.7.60.7.70.7.8 - npm
@squawk/airports0.6.20.6.30.6.40.6.50.6.6 - npm
@squawk/airspace0.8.10.8.20.8.30.8.40.8.5 - npm
@squawk/airspace-data0.5.30.5.40.5.50.5.60.5.7 - npm
@squawk/airway-data0.5.40.5.50.5.60.5.70.5.8 - npm
@squawk/airways0.4.20.4.30.4.40.4.50.4.6 - npm
@squawk/fix-data0.6.40.6.50.6.60.6.70.6.8 - npm
@squawk/fixes0.3.20.3.30.3.40.3.50.3.6 - npm
@squawk/flight-math0.5.40.5.50.5.60.5.70.5.8 - npm
@squawk/flightplan0.5.20.5.30.5.40.5.50.5.6 - npm
@squawk/geo0.4.40.4.50.4.60.4.70.4.8 - npm
@squawk/icao-registry0.5.20.5.30.5.40.5.50.5.6 - npm
@squawk/icao-registry-data0.8.40.8.50.8.60.8.70.8.8 - npm
@squawk/mcp0.9.10.9.20.9.30.9.40.9.5 - npm
@squawk/navaid-data0.6.40.6.50.6.60.6.70.6.8 - npm
@squawk/navaids0.4.20.4.30.4.40.4.50.4.6 - npm
@squawk/notams0.3.60.3.70.3.80.3.90.3.10 - npm
@squawk/procedure-data0.7.30.7.40.7.50.7.60.7.7 - npm
@squawk/procedures0.5.20.5.30.5.40.5.50.5.6 - npm
@squawk/types0.8.10.8.20.8.30.8.40.8.5 - npm
@squawk/units0.4.30.4.40.4.50.4.60.4.7 - npm
@squawk/weather0.5.60.5.70.5.80.5.90.5.10 - npm
@supersurkhet/cli0.0.20.0.30.0.40.0.50.0.60.0.7 - npm
@supersurkhet/sdk0.0.20.0.30.0.40.0.50.0.60.0.7 - npm
@tallyui/components1.0.11.0.21.0.3 - npm
@tallyui/connector-medusa1.0.11.0.21.0.3 - npm
@tallyui/connector-shopify1.0.11.0.21.0.3 - npm
@tallyui/connector-vendure1.0.11.0.21.0.3 - npm
@tallyui/connector-woocommerce1.0.11.0.21.0.3 - npm
@tallyui/core0.2.10.2.20.2.3 - npm
@tallyui/database1.0.11.0.21.0.3 - npm
@tallyui/pos0.1.10.1.20.1.3 - npm
@tallyui/storage-sqlite0.2.10.2.20.2.3 - npm
@tallyui/theme0.2.10.2.20.2.3 - npm
@tanstack/arktype-adapter1.166.121.166.15 - npm
@tanstack/eslint-plugin-router1.161.91.161.12 - npm
@tanstack/eslint-plugin-start0.0.40.0.7 - npm
@tanstack/history1.161.91.161.12 - npm
@tanstack/nitro-v2-vite-plugin1.154.121.154.15 - npm
@tanstack/react-router1.169.51.169.8 - npm
@tanstack/react-router-devtools1.166.161.166.19 - npm
@tanstack/react-router-ssr-query1.166.151.166.18 - npm
@tanstack/react-start1.167.681.167.71 - npm
@tanstack/react-start-client1.166.511.166.54 - npm
@tanstack/react-start-rsc0.0.470.0.50 - npm
@tanstack/react-start-server1.166.551.166.58 - npm
@tanstack/router-cli1.166.461.166.49 - npm
@tanstack/router-core1.169.51.169.8 - npm
@tanstack/router-devtools1.166.161.166.19 - npm
@tanstack/router-devtools-core1.167.61.167.9 - npm
@tanstack/router-generator1.166.451.166.48 - npm
@tanstack/router-plugin1.167.381.167.41 - npm
@tanstack/router-ssr-query-core1.168.31.168.6 - npm
@tanstack/router-utils1.161.111.161.14 - npm
@tanstack/router-vite-plugin1.166.531.166.56 - npm
@tanstack/solid-router1.169.51.169.8 - npm
@tanstack/solid-router-devtools1.166.161.166.19 - npm
@tanstack/solid-router-ssr-query1.166.151.166.18 - npm
@tanstack/solid-start1.167.651.167.68 - npm
@tanstack/solid-start-client1.166.501.166.53 - npm
@tanstack/solid-start-server1.166.541.166.57 - npm
@tanstack/start-client-core1.168.51.168.8 - npm
@tanstack/start-fn-stubs1.161.91.161.12 - npm
@tanstack/start-plugin-core1.169.231.169.26 - npm
@tanstack/start-server-core1.167.331.167.36 - npm
@tanstack/start-static-server-functions1.166.441.166.47 - npm
@tanstack/start-storage-context1.166.381.166.41 - npm
@tanstack/valibot-adapter1.166.121.166.15 - npm
@tanstack/virtual-file-routes1.161.101.161.13 - npm
@tanstack/vue-router1.169.51.169.8 - npm
@tanstack/vue-router-devtools1.166.161.166.19 - npm
@tanstack/vue-router-ssr-query1.166.151.166.18 - npm
@tanstack/vue-start1.167.611.167.64 - npm
@tanstack/vue-start-client1.166.461.166.49 - npm
@tanstack/vue-start-server1.166.501.166.53 - npm
@tanstack/zod-adapter1.166.121.166.15 - npm
@taskflow-corp/cli0.1.240.1.250.1.260.1.270.1.280.1.29 - npm
@tolka/cli1.0.21.0.31.0.41.0.51.0.6 - npm
@uipath/access-policy-sdk0.3.1 - npm
@uipath/access-policy-tool0.3.1 - npm
@uipath/admin-tool0.1.1 - npm
@uipath/agent-sdk1.0.2 - npm
@uipath/agent-tool1.0.1 - npm
@uipath/agent.sdk0.0.18 - npm
@uipath/aops-policy-tool0.3.1 - npm
@uipath/ap-chat1.5.7 - npm
@uipath/api-workflow-tool1.0.1 - npm
@uipath/apollo-core5.9.2 - npm
@uipath/apollo-react4.24.5 - npm
@uipath/apollo-wind2.16.2 - npm
@uipath/auth1.0.1 - npm
@uipath/case-tool1.0.1 - npm
@uipath/cli1.0.1 - npm
@uipath/codedagent-tool1.0.1 - npm
@uipath/codedagents-tool0.1.12 - npm
@uipath/codedapp-tool1.0.1 - npm
@uipath/common1.0.1 - npm
@uipath/context-grounding-tool0.1.1 - npm
@uipath/data-fabric-tool1.0.2 - npm
@uipath/docsai-tool1.0.1 - npm
@uipath/filesystem1.0.1 - npm
@uipath/flow-tool1.0.2 - npm
@uipath/functions-tool1.0.1 - npm
@uipath/gov-tool0.3.1 - npm
@uipath/identity-tool0.1.1 - npm
@uipath/insights-sdk1.0.1 - npm
@uipath/insights-tool1.0.1 - npm
@uipath/integrationservice-sdk1.0.2 - npm
@uipath/integrationservice-tool1.0.2 - npm
@uipath/llmgw-tool1.0.1 - npm
@uipath/maestro-sdk1.0.1 - npm
@uipath/maestro-tool1.0.1 - npm
@uipath/orchestrator-tool1.0.1 - npm
@uipath/packager-tool-apiworkflow0.0.19 - npm
@uipath/packager-tool-bpmn0.0.9 - npm
@uipath/packager-tool-case0.0.9 - npm
@uipath/packager-tool-connector0.0.19 - npm
@uipath/packager-tool-flow0.0.19 - npm
@uipath/packager-tool-functions0.1.1 - npm
@uipath/packager-tool-webapp1.0.6 - npm
@uipath/packager-tool-workflowcompiler0.0.16 - npm
@uipath/packager-tool-workflowcompiler-browser0.0.34 - npm
@uipath/platform-tool1.0.1 - npm
@uipath/project-packager1.1.16 - npm
@uipath/resource-tool1.0.1 - npm
@uipath/resourcecatalog-tool0.1.1 - npm
@uipath/resources-tool0.1.11 - npm
@uipath/robot1.3.4 - npm
@uipath/rpa-legacy-tool1.0.1 - npm
@uipath/rpa-tool0.9.5 - npm
@uipath/solution-packager0.0.35 - npm
@uipath/solution-tool1.0.1 - npm
@uipath/solutionpackager-sdk1.0.11 - npm
@uipath/solutionpackager-tool-core0.0.34 - npm
@uipath/tasks-tool1.0.1 - npm
@uipath/telemetry0.0.7 - npm
@uipath/test-manager-tool1.0.2 - npm
@uipath/tool-workflowcompiler0.0.12 - npm
@uipath/traces-tool1.0.1 - npm
@uipath/ui-widgets-multi-file-upload1.0.1 - npm
@uipath/uipath-python-bridge1.0.1 - npm
@uipath/vertical-solutions-tool1.0.1 - npm
@uipath/vss0.1.6 - npm
@uipath/widget.sdk1.2.3 - npm
agentwork-cli0.1.40.1.5 - npm
cmux-agent-mcp0.1.30.1.40.1.50.1.60.1.70.1.8 - npm
cross-stitch1.1.31.1.41.1.51.1.61.1.7 - npm
git-branch-selector1.3.31.3.41.3.51.3.61.3.7 - npm
git-git-git1.0.81.0.91.0.101.0.111.0.12 - npm
guardrails-ai0.10.1 - PyPI
guardrails-ai0.10.1 - npm
intercom-client7.0.4 - npm
mbt1.2.48 - npm
mistralai2.4.6 - PyPI
mistralai2.4.6 - npm
ml-toolkit-ts1.0.41.0.5 - npm
nextmove-mcp0.1.30.1.40.1.50.1.60.1.7 - npm
safe-action0.8.30.8.4 - npm
ts-dna3.0.13.0.23.0.33.0.43.0.5 - npm
wot-api0.8.10.8.20.8.30.8.4
Impact
- CI/CD credential theft: GitHub Actions OIDC, GitLab, CircleCI
- Cloud secrets: AWS IMDSv2, GCP metadata, Azure managed identity
- Kubernetes service account token theft
- HashiCorp Vault credential extraction
- npm/registry tokens for worm propagation
What to do
- 1Pin and reinstall: remove
node_modulesand the compromised versions - 2Rotate ALL CI/CD secrets: npm tokens, GitHub OIDC trust, GitLab/CircleCI
- 3Rotate cloud credentials accessible from build runners
- 4Rotate Kubernetes service account tokens used in pipelines
- 5Audit Vault audit logs for unexpected reads during the exposure window
- 6Audit npm publish history for unexpected releases under your maintainers
References
- WizMini Shai-Hulud strikes again: TanStack and more npm packages compromisedwiz.io
- GitHubGHSA-g7cv-rxg3-hmpx: TanStack supply chain advisorygithub.com
- OpenAIOur response to the TanStack npm supply chain attackopenai.com
- SocketTanStack npm packages compromised in ongoing Mini Shai-Hulud supply-chain attacksocket.dev