In the smoky backrooms of the digital empire, a worm named Mini Shai-Hulud crawled from the shadows of npm like a mischievous demon in a lab coat, promising miracles and delivering a farce of broken builds and sleepless administrators. The machine, swaddled in promises, whispered about progress while tugging at the sleeves of inevitability.
SlowMist, that most sober of blockchain sheriffs, fires a critical warning into the night: wallets tremble, cloud credentials blush, and the very air of the cloud seems to hum with conspiratorial laughter. A city-wide alarm bell, if you will, for a world that forgot to close its door to the devil when it opened a repository.
TeamPCP’s attribution is a trumpet call in a hall of echoing corridors, signaling a grand escalation in supply chain theater. One moment you’re sipping coffee, the next you’re watching a puppeteer rearrange the strings of the entire software stage.
SlowMist has issued a critical threat intelligence alert on “Mini Shai-Hulud,” a self-propagating npm worm that has compromised over 169 JavaScript packages – including the venerable pillars from TanStack, UiPath, Mistral AI, and DraftLab – to pilfer cryptocurrency wallets, cloud credentials, and CI/CD secrets at scale.
The alert, christened with severity “Critical” under the identifier SM-2026-561840, appeared on May 12 alongside a rogues’ gallery of indicators: malicious IP addresses, domains (git-tanstack[.]com, seed1[.]getsession[.]org), and a sextet of compromised package artifacts across the @tanstack, @uipath, @mistralai, @squawk, and @draftlab namespaces.
🚨 MistEye TI Alert 🚨
MistEye has detected a highly sophisticated npm worm, “Mini Shai-Hulud,” spreading through trusted developer projects like TanStack, UiPath, and DraftLab. The attackers hijacked GitHub credentials to publish malicious, yet seemingly legitimate, package…
– SlowMist (@SlowMist_Team) May 12, 2026
The attack bears the mark of TeamPCP, a troupe of malefactors who have been escalating their supply chain theatrics since September 2025 – previously toying with Aqua Security’s Trivy vulnerability scanner in March 2026 and the Bitwarden CLI npm package in April 2026.
How the Worm Works
Unlike the old rascals of typosquatting who mislabel a package and hope for a gullible heart, Mini Shai-Hulud pirouettes through the legitimate build pipeline itself. The attack chain, sketched by StepSecurity, Socket, Wiz, and Snyk, unfurls a three-step vulnerability in GitHub Actions.
First, the saboteur forged a fork of TanStack/router on May 10 under the alias “voicproducoes,” renaming it to dodge the fork-list searchers, and opened a pull request that triggered a pull_request_target workflow – a GitHub Actions spellbook that grants base-repository powers even to forked PRs – and used it to poison the shared GitHub Actions cache with a malicious pnpm dependency store.
When a legitimate maintainer PR was merged the next day, the release workflow dutifully restored the poisoned cache. The malignant code then siphoned OIDC tokens directly from the GitHub Actions runner’s memory and used them to publish malicious package versions through the project’s own release pipeline.
The result: malignant packages published under the real TanStack namespace, from the real build infrastructure, with real cryptographic attestations. A masterstroke of deceit that makes you nostalgic for the days when fraud wore a balaclava and not a badge.
First Npm Worm With Valid SLSA Provenance
In a move security minds are calling unprecedented, the compromised packages carry valid SLSA Build Level 3 provenance attestations – cryptographic certificates born of Sigstore meant to verify that a package sprang from a trusted source. Automated scanners, dutiful as ever, would have embraced them as trustworthy if only trust itself could be trusted.
“SLSA provenance confirms which pipeline built the package – not whether that pipeline behaved honestly,” notes Snyk. The distinction, alas, is the hinge upon which trust pivots: if the build pipeline itself is compromised, every downstream check becomes a quiet silencer.
This stands as the first documented npm supply chain assault to deliver legitimately attested malicious packages – a lamentable milestone in the museum of provenance verification.
Crypto Wallets: A Primary Target
The worm’s payload – a heavily obfuscated 2.3 MB JavaScript file masquerading as router_init.js – awakens under the Bun runtime to elude Node.js guardians. Once awake, it greedily harvests secrets from more than a hundred file paths.
Cryptocurrency assets form the principal chorus. The malware hunts wallet files and keys for Bitcoin, Ethereum, Monero, Electrum, Exodus, Ledger Live, Atomic Wallet, and others. It also preys upon browser extension data for MetaMask and Phantom. Beyond crypto, it raids AWS, Azure, GCP, and Kubernetes credentials, SSH keys, VPN configs, npm tokens, GitHub PATs, and even AI tool settings.
The stolen trove is encrypted with AES-256-GCM and exfiltrated through three channels: a typosquat domain (git-tanstack[.]com), the decentralized Session messenger network, and GitHub API dead drops – repositories minted on the victim’s own account bearing the whispered label “A Mini Shai-Hulud has Appeared.” The GitHub exfiltration is particularly sly, blending with the ordinary cadence of developer life.
The Dead Man’s Switch
There exists a grim safeguard, a clockwork joke with a cruel smile. On developer machines, the malware installs a persistent daemon (via macOS LaunchAgent or Linux systemd) that polls GitHub every 60 seconds to see if stolen tokens remain valid. If it detects token revocation – a natural first step in incident response – the daemon unleashes a destructive routine that attempts to erase the home directory with a memory of rm -rf ~/. It is the business of chaos, dressed in the attire of a utility script.
Researchers counsel not to revoke tokens until the infected machine is fully isolated, disconnected from the internet, and its drive imaged for forensic contemplation – a counterintuitive mercy that buys time for understanding the tragedy.
Scale of the Blast Radius
The reach is astonishing. @tanstack/react-router alone enjoys roughly 12 million weekly downloads. Across all compromised namespaces, more than 25,000 repositories and hundreds of developers have felt the worm’s cold hand. The npm team moves with the swiftness of a fire brigade, removing malicious versions, while TanStack maintainer Tanner Linsley confirms a halt to publishing pipelines during investigation.
Crucially, because many compromised packages are transitive dependencies, developers may be running the malignant code even if they never directly installed a TanStack package – a pastime in which fate seems to enjoy a practical joke.
Socket detected and flagged the compromised artifacts within six minutes of publication. The attack has been assigned CVE-2026-45321 – a number that sounds like a thief’s license plate, and perhaps a confession to a crime never fully unpacked.
Why Crypto Developers Are Especially Vulnerable
SlowMist emphasizes that developers in blockchain, DeFi, or Web3 are prime targets because their environments cradle private keys, seed phrases, wallet.dat files, and signing credentials. A single compromised CI/CD pipeline can drain wallets, authorize rogue transactions, or betray smart contracts and their infrastructure to a chorus of misfortune.
This is no bedtime fable. In previous Shai-Hulud waves, Trust Wallet tasted the sting of stolen credentials from the same creature’s pedigree. The September 2025 npm supply chain attack – which compromised Chalk (with billions of weekly downloads) – injected code that swapped wallet addresses at execution, though fortune briefly spared the pursuer with an unfortunate crash in the attacker’s design, leaving a note in the ledger that reads: “Better luck next time.”
The Mini Shai-Hulud campaign is a more refined beast, with self-propagation, valid provenance deception, multi-channel exfiltration, and a destructive failsafe that marks a generational leap in the theater of supply chain attack.
Recommendations
SlowMist and a chorus of guardians urge immediate action for anyone who ran npm install on any @tanstack/, @uipath/, @mistralai/, @squawk/, or @draftlab/* after May 11: treat the install environment as a fully compromised stage. Rotate all credentials – GitHub tokens, npm accounts, cloud keys, SSH keys, and any wallet seeds or private keys that may have been exposed. Audit CI/CD pipelines for the presence of router_init.js or suspicious preinstall hooks. Monitor for unauthorized GitHub repositories. Do not revoke tokens until the machine is isolated and its drive imaged for forensic and theatrical analysis.
- Rotate all credentials: GitHub tokens, npm accounts, cloud keys, SSH keys, wallet seeds, private keys.
- Audit CI/CD pipelines for router_init.js or suspicious preinstall hooks.
- Monitor for unauthorized GitHub repositories.
- Do not revoke tokens before isolating and imaging the machine.
For crypto holders, blunt counsel remains: avoid storing wallet files, seed phrases, or private keys on development machines. Employ air-gapped or hardware wallets for substantial holdings.
Read More
- Gold Rate Forecast
- Avengers: Doomsday Spoilers & Leaks Addressed By Director Joe Russo: “It’s Over-Policed”
- Assassin’s Creed is getting a live stage spin-off with parkour and choreographed fights
- INJ/USD
- Detonate codes (December 2025)
- Crimson Desert Guide – How to Pay Fines, Bounties & Debt
- Apple TV’s Imperfect Women Becomes No. 1 Most-Watched Show Globally
- What is Omoggle? The AI face-rating platform taking over Twitch
- Pragmata: Every Hacking Mode, Ranked
- Blake Lively & Justin Baldoni Settle It Ends With Us Lawsuit 18 Months After Bitter Feud Began
2026-05-12 11:16