Mini Shai-Hulud Strikes: Critical npm Worm Hijacks TanStack's Trust to Steal Developer Credentials
On May 11, the Mini Shai-Hulud worm published 84 malicious npm package versions across 42 TanStack packages by chaining GitHub Actions misconfigurations to steal OIDC tokens and deploy credential-harvesting malware. The attack marks the first documented npm supply chain breach with valid SLSA provenance attestations.

Malicious Worm Breaches npm's Most Trusted Ecosystem
In one of the most sophisticated npm supply chain attacks on record, threat actors deployed the Mini Shai-Hulud worm to compromise 42 @tanstack/* packages on May 11, 2026. Between 19:20 and 19:26 UTC, 84 malicious package versions were published to the npm registry using legitimate TanStack credentials hijacked through a chained GitHub Actions exploitation. The attack is tracked as CVE-2026-45321 and carries a CVSS score of 9.6, indicating critical severity.
What makes this breach uniquely dangerous: the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages. This cryptographic proof of legitimacy, normally a security guarantee, was weaponized to deceive downstream users and automated security scanners alike.
The Triple-Vulnerability Chain: How Attackers Hijacked a Trusted Publisher
The attack did not rely on stealing npm credentials directly. Instead, attackers chained three known vulnerability classes (a `pull_request_target` "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process) to publish credential-stealing malware under a trusted identity.
Here's how the exploit unfolded:
- Step 1 - Pwn Request Misconfiguration: The TanStack/router GitHub Actions workflow used the dangerous `pull_request_target` trigger without sufficient sandbox isolation. This allowed attacker-controlled code from a malicious pull request to execute with base repository permissions.
- Step 2 - Cache Poisoning: Attackers submitted a pull request from a fork that, when built, would poison the cache used by subsequent legitimate builds or workflows in the base repository.
- Step 3 - OIDC Token Extraction: Within the compromised runner environment, attackers performed runtime memory extraction by scanning the heap of the runner process, specifically targeting the OIDC JSON Web Token (JWT) used for the trusted-publisher binding between GitHub and the npm registry. This transient credential, never persisted to disk, became the attacker's skeleton key to the npm scope.
Using hijacked OIDC tokens from the GitHub Actions runner, the attackers then directly published 84 malicious versions across all 42 affected packages within six minutes. @tanstack/react-router alone receives over 12.7 million weekly downloads, amplifying the blast radius exponentially.
Worm-Like Self-Propagation: The Attack Doesn't Stop at TanStack
The incident rapidly expanded beyond the initial vector. The worm has since spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers. TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.
By end of day, at least 170 affected packages had been documented in Snyk's Security Database. The malware's design enabled secondary infections: the extraction of .npmrc tokens specifically enables the malware to propagate further by publishing malicious updates to internal or external packages maintained by the victim.
What Gets Stolen: A Complete Credential Exfiltration
The payload embedded in compromised packages is a credential-harvesting instrument. The attackers injected a sophisticated credential-stealing payload designed to silently harvest secrets from continuous integration environments, including GitHub Actions pipelines. Once installed, the malware targets every secret a developer or CI environment might hold:
- AWS, GCP, and Kubernetes credentials
- GitHub personal access tokens and OIDC credentials
- npm tokens and SSH keys
- Vault secrets and proprietary API keys
- .env files containing application secrets
Anyone who installed an affected version on 2026-05-11 is strongly advised to rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from the install host.
Detection: The Critical Window Was Short
The malware was detonated and detected rapidly. The malicious versions were detected publicly within 20 minutes by an external researcher, ashishkurmi, working for StepSecurity. However, security tooling that relies on signature detection or SLSA provenance validation would have been blind: this mechanism bypasses traditional static secret scanning defenses.
The execution payload itself is a 2.3 MB heavily obfuscated JavaScript file named `router_init.js`. Because npm automatically triggers prepare lifecycle hooks when resolving git-based dependencies, the malicious payload executes immediately during npm install, silently infecting the developer's machine or CI pipeline. Organizations relying solely on package.json inspection would have missed the attack entirely.
Incident Response and Mitigation
All affected versions have been deprecated, and npm security has been engaged to pull the tarballs from the registry. TanStack has also purged workflow caches and implemented strict repository guards.
However, remediation for downstream users requires aggressive credential rotation. Any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised, and all credentials accessible to the install process should be rotated immediately.
Organizations can check for compromise using npm's pack functionality without executing malicious scripts:
```sh
npm pack @tanstack/<name>@<version>   # downloads tarball without executing scripts
tar -xzf *.tgz
grep -A3 optionalDependencies package/package.json
ls -la package/router_init.js         # malicious payload present at package root
```
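The same check can be done without extracting anything. This is an added example, not code from the article or from TanStack: it reads the tarball that `npm pack` downloads as data only and reports `router_init.js` at the package root and any git-sourced `optionalDependencies`. Treating a git-sourced entry as the thing the `grep` is looking for is an assumption drawn from the article's description of git-based dependencies; the function names and sample packages are constructed for illustration.

```python
import io, json, re, sys, tarfile

PAYLOAD = "package/router_init.js"  # payload path given in the article
# npm git dependency forms: git URLs, host shortcuts, and owner/repo shorthand.
GIT_SPEC = re.compile(r"^(git\+|git://|github:|gitlab:|bitbucket:)"
                      r"|^[A-Za-z0-9][\w-]*/[\w.-]+(#.+)?$")

def inspect_tarball(fileobj):
    """Read an npm .tgz as data only and return the indicators it contains."""
    result = {"payload_at_root": False, "git_optional_deps": {}}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if member.name == PAYLOAD:
                result["payload_at_root"] = True
            elif member.name == "package/package.json":
                manifest = json.load(tar.extractfile(member))
                optional = manifest.get("optionalDependencies") or {}
                result["git_optional_deps"] = {
                    name: spec for name, spec in optional.items()
                    if isinstance(spec, str) and GIT_SPEC.match(spec)}
    result["needs_review"] = (result["payload_at_root"]
                              or bool(result["git_optional_deps"]))
    return result

def build_tgz(files):
    """Pack {path: bytes} into an in-memory .tgz (used for the samples below)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed samples; names and the git spec are placeholders, not real IoCs.
CLEAN = {"package/package.json": b'{"name": "@example/pkg", "version": "1.0.0"}'}
TAMPERED = {
    "package/package.json": json.dumps({"name": "@example/pkg", "optionalDependencies":
        {"example-dep": "github:example-org/example-dep#0000000"}}).encode(),
    "package/router_init.js": b"/* placeholder bytes, not the real payload */",
}

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the .tgz files written by `npm pack`
        with open(path, "rb") as fh:
            print(path, inspect_tarball(fh))
```

A `needs_review` result is a prompt to inspect the package by hand, not a verdict; a clean result only means these two indicators are absent.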
Strategic Implications: OIDC Tokens as a New Attack Surface
This attack exposes a critical weakness in the CI/CD trust model. While OIDC eliminates persistent secrets, memory extraction proves that transient tokens remain vulnerable if the runner execution environment is compromised. This necessitates a reevaluation of threat models surrounding CI/CD pipeline isolation.
The attack demonstrates that GitHub Actions' "Pwn Request" misconfiguration, when combined with cache poisoning and runtime memory access, can elevate fork code to the permissions of the base repository. Open-source maintainers relying on automatic GitHub Actions workflows face an asymmetric risk: a single misconfigured trigger can compromise credentials touching millions of downstream users.
What You Need to Do Now
For TanStack Users: If you installed any @tanstack/* package on May 11, 2026, between 19:20 and 19:30 UTC, treat your system as compromised. Delete node_modules, rotate all credentials, and rebuild from clean sources. Audit CI/CD pipelines for any unexpected network activity or privilege escalation during this window.
For npm Ecosystem Participants: Review your GitHub Actions workflows for `pull_request_target` usage. Consider migrating to `pull_request` with checkout of the base branch only, or using explicit allow-lists for external contributors. Enable branch protection rules to require approval before running workflows on fork PRs.
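One way to run that workflow review across a repository, as an added example (not code from the article or from TanStack): a text-heuristic audit that flags workflows using `pull_request_target` and, within them, the other conditions from the chain described earlier (PR head checkout, `actions/cache`, and `id-token: write`). The function names and the sample workflow are constructed for illustration.

```python
import re
from pathlib import Path
# Text heuristics that flag candidates for manual review (not a YAML parser).
TRIGGER = re.compile(r"\bpull_request_target\b")
HEAD_REF = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
CACHE = re.compile(r"uses:\s*actions/cache(/\w+)?@")
OIDC = re.compile(r"id-token:\s*write")

def audit_workflow(text):
    """Return findings for one workflow; empty if the trigger is absent."""
    # Cut each line at its first '#' so commented-out YAML is not reported.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    if not TRIGGER.search(body):
        return []
    findings = ["pull_request_target: runs with base-repository permissions"]
    if HEAD_REF.search(body):
        findings.append("PR head ref/sha referenced: fork code may be checked out")
    if CACHE.search(body):
        findings.append("actions/cache used: check what fork-triggered runs can save")
    if OIDC.search(body):
        findings.append("id-token: write granted: job can request an OIDC token")
    return findings

def audit_repo(root):
    """Map each flagged file under root/.github/workflows to its findings."""
    report = {}
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            report[str(path)] = findings
    return report

# Constructed sample workflow (not TanStack's real file).
RISKY = """\
on: pull_request_target
permissions: {id-token: write, contents: read}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: {ref: "${{ github.event.pull_request.head.sha }}"}
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
      - run: npm ci && npm run build
"""
PR_ONLY = RISKY.replace("pull_request_target", "pull_request")  # same jobs, other trigger
if __name__ == "__main__":
    print(audit_repo("."))
```

Findings are prompts for manual review: a workflow can use `pull_request_target` safely if it never checks out or executes code from the pull request.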
For Security Teams: Implement runtime memory access controls in shared CI/CD runners, restrict OIDC token scope to the minimum required for the operation, and audit all OIDC token issuances in your build infrastructure. Layer npm lifecycle script execution behind approval gates: run `npm config set ignore-scripts true` for the install phase, then selectively re-enable scripts for trusted dependencies.
This incident reminds the industry that supply chain trust is only as secure as the weakest link in the build pipeline. With 12.7 million weekly downloads of a single affected package, the Mini Shai-Hulud campaign underscores the urgent need for hardened CI/CD isolation and memory-safe execution environments in shared runners.
