TeamPCP’s Mini Shai-Hulud campaign has compromised npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI with credential-stealing malware and malicious GitHub Actions workflows. The attack uses obfuscated payloads, persistence hooks, and valid SLSA provenance to spread across ecosystems while exfiltrating secrets to attacker-controlled infrastructure. #TeamPCP #MiniShaiHulud #TanStack #UiPath #MistralAI #OpenSearch #GuardrailsAI #CVE-2026-45321
Keypoints
- TeamPCP linked a fresh Mini Shai-Hulud campaign to npm and PyPI package compromises.
- Malicious npm packages included an obfuscated router_init.js credential stealer.
- The malware targets cloud services, wallets, AI tools, messaging apps, and CI systems.
- TanStack was compromised through chained GitHub Actions abuse and hijacked OIDC tokens.
- The worm spread to other packages while carrying valid SLSA Build Level 3 provenance.
Read More: https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html