Massive Supply Chain Attack Infects Hundreds of Open-Source Packages with 'Mini Shai-Hulud' Malware

A rapidly spreading malware campaign has infected hundreds of software packages across major open-source registries, embedding credential-stealing code into development tools downloaded millions of times each week. The attack, dubbed “mini Shai-Hulud,” targeted prominent software libraries, including TanStack, UiPath, and MistralAI.

TanStack’s React Router package alone accounts for more than 12 million weekly downloads, placing the malicious code deep within the software supply chain of modern enterprise applications.

In a blog post, TanStack reported that security teams have pulled all compromised software versions from the registry. While there is no evidence that registry passwords were stolen, experts urge anyone who downloaded the affected tools on Monday to immediately change all connected cloud, server, and developer credentials—including Amazon Web Services, Google Cloud, and GitHub.

How the Attack Exploited Systemic Vulnerabilities

The incident highlights a systemic vulnerability in automated software publishing. The compromised updates successfully bypassed two-factor authentication and carried cryptographically valid provenance signatures. These signatures verified that the packages originated from the correct continuous integration pipelines but failed to detect that the pipelines themselves had been manipulated to authorize malicious code.

Attributed to TeamPCP, a Cloud-Focused Cybercriminal Group

Security researchers attribute the campaign to TeamPCP, a cloud-focused cybercriminal group that emerged in late 2025. The group specializes in automating supply-chain attacks and exploiting cloud-native infrastructure, including Docker and Kubernetes environments.

The group is alleged to be responsible for earlier development of Shai Hulud and is notorious for its advanced ability to hide its tracks—such as disguising stolen data as anonymous messaging traffic—and its aggressive extortion tactics, which include threatening to completely erase victims’ computers if they attempt to remove the hackers’ access.

Mechanism of the Attack

Attackers triggered the automated release process using an “orphaned commit”—code pushed to a repository fork without a corresponding branch. This allowed them to exploit overly broad permissions in GitHub Actions workflows.

The malware was then delivered via a concealed dependency that fetched a heavily obfuscated 2.3-megabyte payload disguised as an initialization module. Upon execution, the malware uses Bun—a high-speed software engine designed to run JavaScript—to systematically steal security keys and passwords. It targets high-level cloud infrastructure, including AWS, Google Cloud Platform, Kubernetes, and HashiCorp Vault.

The code is engineered to infiltrate highly secure Amazon cloud networks while simultaneously scouring the developer’s local computer for secret files and SSH keys used to unlock other corporate systems.

Self-Propagating Worm and Extortion Tactics

Operating as a self-propagating worm, the malware publishes copies of itself to those projects, spoofing its activity to appear as automated commits from the Anthropic Claude bot.

In a secondary extortion measure, the malware generates a new registry token containing a ransom note in its description, threatening a destructive computer wipe if the victim attempts to revoke the compromised access.

Limited Spread Despite Malware’s Capabilities

Despite the malware’s sophisticated properties, researchers told CyberScoop they have not seen it spread widely. “We saw very limited community spread,” said Charlie Eriksen, a security researcher with application security firm Aikido Security.