Feed
CriticalPublished 11 May 2026Updated 18 May 2026179 packages · 413 versions

TanStack + @uipath mini-Shai-Hulud compromise

Summary

On 2026-05-11 between 19:20 and 19:26 UTC, TeamPCP pushed malicious versions across @tanstack/*, @uipath/*, @mistralai/*, and many smaller scopes by chaining pull_request_target, GitHub Actions cache poisoning, and runtime OIDC-token extraction from a runner. Same Mini Shai-Hulud credential-stealer as the April SAP campaign. Final tally: 177 packages, 403 versions, >518M cumulative downloads. OpenAI confirmed two compromised employee devices and rotated platform code-signing certificates.

wormcredential-theftci-cd-compromisemaintainer-takeoverobfuscation
Threat actor
TeamPCP
Detected by
Wiz · Socket · Mend · OX Security
Also known as
Mini Shai-Hulud · TanStack burst
Ecosystems
npmPyPI
Packages tracked
179

What happened

Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP detonated the largest Mini Shai-Hulud burst to date: 177 unique packages across @tanstack/*, @uipath/*, @mistralai/*, @squawk/*, @tallyui/*, @mesadev/*, @cap-js/*, and dozens of smaller scopes pushed in a six-minute window. Mend / OX Security tallied 172 packages / 403 versions / >518M cumulative downloads after re-verification on 2026-05-18; Socket's affected-packages CSV (champjss/mini-shai-hulud-checker-20260512) and the per-package GHSA advisories were used to drive the final list.

The entry vector was pull_request_target cache poisoning. The attacker submitted a benign-looking PR to a TanStack repository, which triggered a workflow that ran on a runner with the repo's OIDC trust intact. By chaining a GitHub Actions cache write with a runtime memory extraction step, the attacker pulled the OIDC token from the Runner.Worker process, exchanged it for an npm publish token, and then iterated through every package the compromised maintainer could push to.

The payload is the same Bun-runtime credential stealer used in the SAP / @cap-js April wave: ~498KB obfuscated JS, PBKDF2+SHA-256 runtime string decryption, AWS IMDSv2 + GCP metadata + Azure managed identity scraping, Kubernetes service-account token theft, and direct HashiCorp Vault reads. Stolen registry tokens fed the worm: many of the affected scopes share no maintainers with TanStack, but their tokens were within reach once an OpenAI employee's laptop was compromised.

  • Wiz noted on 2026-05-13 that an initial bug in the @uipath/* and @mistralai/* payload rendered those versions non-functional; the packages were still yanked and remain in scope for lockfile audits.
  • 2026-05-18 re-verification against GHSA-g7cv-rxg3-hmpx (the full TanStack list), the TanStack postmortem refreshed 2026-05-15, and the Mend/OX Security tallies confirmed no new affected packages versus the 177 already in the database.
  • OpenAI publicly confirmed two employee devices were impacted and rotated macOS, Windows, iOS, and Android code-signing certificates.
  • Same Bun stealer pattern resurfaces in the 2026-05-19 @antv burst and the same-day durabletask PyPI compromise.

The campaign also seeded the next hop: GitHub CLI credentials harvested from a Nx Console maintainer's laptop during this wave were used a week later to push the malicious nrwl.angular-console 18.95.0 build to the VS Code Marketplace and Open VSX.

Affected packages (179)

  • npm@beproduct/nestjs-auth
    0.1.20.1.30.1.40.1.50.1.60.1.70.1.80.1.90.1.100.1.110.1.120.1.130.1.140.1.150.1.160.1.170.1.180.1.19
  • npm@cap-js/db-service
    2.10.1
  • npm@cap-js/postgres
    2.2.2
  • npm@cap-js/sqlite
    2.2.2
  • npm@dirigible-ai/sdk
    0.6.20.6.3
  • npm@draftauth/client
    0.2.10.2.2
  • npm@draftauth/core
    0.13.10.13.2
  • npm@draftlab/auth
    0.24.10.24.2
  • npm@draftlab/auth-router
    0.5.10.5.2
  • npm@draftlab/db
    0.16.10.16.2
  • npm@mesadev/rest
    0.28.3
  • npm@mesadev/saguaro
    0.4.22
  • npm@mesadev/sdk
    0.28.3
  • npm@mistralai/mistralai
    2.2.22.2.32.2.4
  • npm@mistralai/mistralai-azure
    1.7.11.7.21.7.3
  • npm@mistralai/mistralai-gcp
    1.7.11.7.21.7.3
  • npm@ml-toolkit-ts/preprocessing
    1.0.21.0.3
  • npm@ml-toolkit-ts/xgboost
    1.0.31.0.4
  • npm@opensearch-project/opensearch
    3.5.33.6.23.7.03.8.0
  • npm@squawk/airport-data
    0.7.40.7.50.7.60.7.70.7.8
  • npm@squawk/airports
    0.6.20.6.30.6.40.6.50.6.6
  • npm@squawk/airspace
    0.8.10.8.20.8.30.8.40.8.5
  • npm@squawk/airspace-data
    0.5.30.5.40.5.50.5.60.5.7
  • npm@squawk/airway-data
    0.5.40.5.50.5.60.5.70.5.8
  • npm@squawk/airways
    0.4.20.4.30.4.40.4.50.4.6
  • npm@squawk/fix-data
    0.6.40.6.50.6.60.6.70.6.8
  • npm@squawk/fixes
    0.3.20.3.30.3.40.3.50.3.6
  • npm@squawk/flight-math
    0.5.40.5.50.5.60.5.70.5.8
  • npm@squawk/flightplan
    0.5.20.5.30.5.40.5.50.5.6
  • npm@squawk/geo
    0.4.40.4.50.4.60.4.70.4.8
  • npm@squawk/icao-registry
    0.5.20.5.30.5.40.5.50.5.6
  • npm@squawk/icao-registry-data
    0.8.40.8.50.8.60.8.70.8.8
  • npm@squawk/mcp
    0.9.10.9.20.9.30.9.40.9.5
  • npm@squawk/navaid-data
    0.6.40.6.50.6.60.6.70.6.8
  • npm@squawk/navaids
    0.4.20.4.30.4.40.4.50.4.6
  • npm@squawk/notams
    0.3.60.3.70.3.80.3.90.3.10
  • npm@squawk/procedure-data
    0.7.30.7.40.7.50.7.60.7.7
  • npm@squawk/procedures
    0.5.20.5.30.5.40.5.50.5.6
  • npm@squawk/types
    0.8.10.8.20.8.30.8.40.8.5
  • npm@squawk/units
    0.4.30.4.40.4.50.4.60.4.7
  • npm@squawk/weather
    0.5.60.5.70.5.80.5.90.5.10
  • npm@supersurkhet/cli
    0.0.20.0.30.0.40.0.50.0.60.0.7
  • npm@supersurkhet/sdk
    0.0.20.0.30.0.40.0.50.0.60.0.7
  • npm@tallyui/components
    1.0.11.0.21.0.3
  • npm@tallyui/connector-medusa
    1.0.11.0.21.0.3
  • npm@tallyui/connector-shopify
    1.0.11.0.21.0.3
  • npm@tallyui/connector-vendure
    1.0.11.0.21.0.3
  • npm@tallyui/connector-woocommerce
    1.0.11.0.21.0.3
  • npm@tallyui/core
    0.2.10.2.20.2.3
  • npm@tallyui/database
    1.0.11.0.21.0.3
  • npm@tallyui/pos
    0.1.10.1.20.1.3
  • npm@tallyui/storage-sqlite
    0.2.10.2.20.2.3
  • npm@tallyui/theme
    0.2.10.2.20.2.3
  • npm@tanstack/arktype-adapter
    1.166.121.166.15
  • npm@tanstack/eslint-plugin-router
    1.161.91.161.12
  • npm@tanstack/eslint-plugin-start
    0.0.40.0.7
  • npm@tanstack/history
    1.161.91.161.12
  • npm@tanstack/nitro-v2-vite-plugin
    1.154.121.154.15
  • npm@tanstack/react-router
    1.169.51.169.8
  • npm@tanstack/react-router-devtools
    1.166.161.166.19
  • npm@tanstack/react-router-ssr-query
    1.166.151.166.18
  • npm@tanstack/react-start
    1.167.681.167.71
  • npm@tanstack/react-start-client
    1.166.511.166.54
  • npm@tanstack/react-start-rsc
    0.0.470.0.50
  • npm@tanstack/react-start-server
    1.166.551.166.58
  • npm@tanstack/router-cli
    1.166.461.166.49
  • npm@tanstack/router-core
    1.169.51.169.8
  • npm@tanstack/router-devtools
    1.166.161.166.19
  • npm@tanstack/router-devtools-core
    1.167.61.167.9
  • npm@tanstack/router-generator
    1.166.451.166.48
  • npm@tanstack/router-plugin
    1.167.381.167.41
  • npm@tanstack/router-ssr-query-core
    1.168.31.168.6
  • npm@tanstack/router-utils
    1.161.111.161.14
  • npm@tanstack/router-vite-plugin
    1.166.531.166.56
  • npm@tanstack/solid-router
    1.169.51.169.8
  • npm@tanstack/solid-router-devtools
    1.166.161.166.19
  • npm@tanstack/solid-router-ssr-query
    1.166.151.166.18
  • npm@tanstack/solid-start
    1.167.651.167.68
  • npm@tanstack/solid-start-client
    1.166.501.166.53
  • npm@tanstack/solid-start-server
    1.166.541.166.57
  • npm@tanstack/start-client-core
    1.168.51.168.8
  • npm@tanstack/start-fn-stubs
    1.161.91.161.12
  • npm@tanstack/start-plugin-core
    1.169.231.169.26
  • npm@tanstack/start-server-core
    1.167.331.167.36
  • npm@tanstack/start-static-server-functions
    1.166.441.166.47
  • npm@tanstack/start-storage-context
    1.166.381.166.41
  • npm@tanstack/valibot-adapter
    1.166.121.166.15
  • npm@tanstack/virtual-file-routes
    1.161.101.161.13
  • npm@tanstack/vue-router
    1.169.51.169.8
  • npm@tanstack/vue-router-devtools
    1.166.161.166.19
  • npm@tanstack/vue-router-ssr-query
    1.166.151.166.18
  • npm@tanstack/vue-start
    1.167.611.167.64
  • npm@tanstack/vue-start-client
    1.166.461.166.49
  • npm@tanstack/vue-start-server
    1.166.501.166.53
  • npm@tanstack/zod-adapter
    1.166.121.166.15
  • npm@taskflow-corp/cli
    0.1.240.1.250.1.260.1.270.1.280.1.29
  • npm@tolka/cli
    1.0.21.0.31.0.41.0.51.0.6
  • npm@uipath/access-policy-sdk
    0.3.1
  • npm@uipath/access-policy-tool
    0.3.1
  • npm@uipath/admin-tool
    0.1.1
  • npm@uipath/agent-sdk
    1.0.2
  • npm@uipath/agent-tool
    1.0.1
  • npm@uipath/agent.sdk
    0.0.18
  • npm@uipath/aops-policy-tool
    0.3.1
  • npm@uipath/ap-chat
    1.5.7
  • npm@uipath/api-workflow-tool
    1.0.1
  • npm@uipath/apollo-core
    5.9.2
  • npm@uipath/apollo-react
    4.24.5
  • npm@uipath/apollo-wind
    2.16.2
  • npm@uipath/auth
    1.0.1
  • npm@uipath/case-tool
    1.0.1
  • npm@uipath/cli
    1.0.1
  • npm@uipath/codedagent-tool
    1.0.1
  • npm@uipath/codedagents-tool
    0.1.12
  • npm@uipath/codedapp-tool
    1.0.1
  • npm@uipath/common
    1.0.1
  • npm@uipath/context-grounding-tool
    0.1.1
  • npm@uipath/data-fabric-tool
    1.0.2
  • npm@uipath/docsai-tool
    1.0.1
  • npm@uipath/filesystem
    1.0.1
  • npm@uipath/flow-tool
    1.0.2
  • npm@uipath/functions-tool
    1.0.1
  • npm@uipath/gov-tool
    0.3.1
  • npm@uipath/identity-tool
    0.1.1
  • npm@uipath/insights-sdk
    1.0.1
  • npm@uipath/insights-tool
    1.0.1
  • npm@uipath/integrationservice-sdk
    1.0.2
  • npm@uipath/integrationservice-tool
    1.0.2
  • npm@uipath/llmgw-tool
    1.0.1
  • npm@uipath/maestro-sdk
    1.0.1
  • npm@uipath/maestro-tool
    1.0.1
  • npm@uipath/orchestrator-tool
    1.0.1
  • npm@uipath/packager-tool-apiworkflow
    0.0.19
  • npm@uipath/packager-tool-bpmn
    0.0.9
  • npm@uipath/packager-tool-case
    0.0.9
  • npm@uipath/packager-tool-connector
    0.0.19
  • npm@uipath/packager-tool-flow
    0.0.19
  • npm@uipath/packager-tool-functions
    0.1.1
  • npm@uipath/packager-tool-webapp
    1.0.6
  • npm@uipath/packager-tool-workflowcompiler
    0.0.16
  • npm@uipath/packager-tool-workflowcompiler-browser
    0.0.34
  • npm@uipath/platform-tool
    1.0.1
  • npm@uipath/project-packager
    1.1.16
  • npm@uipath/resource-tool
    1.0.1
  • npm@uipath/resourcecatalog-tool
    0.1.1
  • npm@uipath/resources-tool
    0.1.11
  • npm@uipath/robot
    1.3.4
  • npm@uipath/rpa-legacy-tool
    1.0.1
  • npm@uipath/rpa-tool
    0.9.5
  • npm@uipath/solution-packager
    0.0.35
  • npm@uipath/solution-tool
    1.0.1
  • npm@uipath/solutionpackager-sdk
    1.0.11
  • npm@uipath/solutionpackager-tool-core
    0.0.34
  • npm@uipath/tasks-tool
    1.0.1
  • npm@uipath/telemetry
    0.0.7
  • npm@uipath/test-manager-tool
    1.0.2
  • npm@uipath/tool-workflowcompiler
    0.0.12
  • npm@uipath/traces-tool
    1.0.1
  • npm@uipath/ui-widgets-multi-file-upload
    1.0.1
  • npm@uipath/uipath-python-bridge
    1.0.1
  • npm@uipath/vertical-solutions-tool
    1.0.1
  • npm@uipath/vss
    0.1.6
  • npm@uipath/widget.sdk
    1.2.3
  • npmagentwork-cli
    0.1.40.1.5
  • npmcmux-agent-mcp
    0.1.30.1.40.1.50.1.60.1.70.1.8
  • npmcross-stitch
    1.1.31.1.41.1.51.1.61.1.7
  • npmgit-branch-selector
    1.3.31.3.41.3.51.3.61.3.7
  • npmgit-git-git
    1.0.81.0.91.0.101.0.111.0.12
  • npmguardrails-ai
    0.10.1
  • PyPIguardrails-ai
    0.10.1
  • npmintercom-client
    7.0.4
  • npmmbt
    1.2.48
  • npmmistralai
    2.4.6
  • PyPImistralai
    2.4.6
  • npmml-toolkit-ts
    1.0.41.0.5
  • npmnextmove-mcp
    0.1.30.1.40.1.50.1.60.1.7
  • npmsafe-action
    0.8.30.8.4
  • npmts-dna
    3.0.13.0.23.0.33.0.43.0.5
  • npmwot-api
    0.8.10.8.20.8.30.8.4

Impact

  • CI/CD credential theft: GitHub Actions OIDC, GitLab, CircleCI
  • Cloud secrets: AWS IMDSv2, GCP metadata, Azure managed identity
  • Kubernetes service account token theft
  • HashiCorp Vault credential extraction
  • npm/registry tokens for worm propagation

What to do

  1. 1Pin and reinstall: remove node_modules and the compromised versions
  2. 2Rotate ALL CI/CD secrets: npm tokens, GitHub OIDC trust, GitLab/CircleCI
  3. 3Rotate cloud credentials accessible from build runners
  4. 4Rotate Kubernetes service account tokens used in pipelines
  5. 5Audit Vault audit logs for unexpected reads during the exposure window
  6. 6Audit npm publish history for unexpected releases under your maintainers

References

npm-2026-05-shai-hulud-tanstack