Mini Shai-Hulud: AI Supply Chain Campaign Targets Developer Credentials

Key Takeaways

• TeamPCP’s Mini Shai-Hulud campaign is a self-propagating npm worm that has compromised over 170 packages and 400+ malicious versions across npm and PyPI as of mid-May 2026, including high-profile AI packages from Mistral AI, Guardrails AI, TanStack, OpenSearch, and UiPath [1][2].
• The campaign introduces a persistence mechanism not documented in prior npm supply chain attack reporting—writing hooks into Claude Code and VS Code configuration directories, enabling it to survive package removal and reactivate on every project open [3].
• AI API keys—including Anthropic and OpenAI credentials stored in MCP configuration files—are among the explicit targets of the credential-harvesting payload, representing an exfiltration surface that security scanning tooling and enterprise policies have not yet broadly addressed [4].
• The worm exploits OIDC trusted publishing workflows to spread without ever directly stealing npm credentials, meaning conventional credential-rotation responses may be insufficient [5].
• A destructive “dead man’s switch” payload attempts to delete the victim’s home directory if a compromised GitHub token is revoked, making credential response a potentially high-consequence action [2].

Background

The Mini Shai-Hulud campaign, attributed to a threat group tracked as TeamPCP that multiple researchers assess as financially motivated [6][7], emerged in late April 2026 with an initial wave targeting SAP’s developer ecosystem—specifically the @sap/cds and @sap/mbt npm packages [6]. Within days, a second, larger wave spread to the broader npm and PyPI ecosystems, ultimately compromising packages with a combined monthly download count exceeding 518 million [7]. Researchers at OX Security, StepSecurity, Wiz, JFrog, and others documented the campaign’s rapid spread across dozens of widely-used packages, including @tanstack/react-router, @tanstack/history, mistralai, guardrails-ai, and packages from OpenSearch and UiPath [1][8].

The campaign’s name is drawn from TeamPCP’s own internal nomenclature and their consistent use of Dune-universe references throughout the infrastructure. Dead-drop commit branch names used in the campaign are drawn exclusively from Frank Herbert’s Dune: names such as atreides, fedaykin, fremen, harkonnen, melange, sandworm, stillsuit, and tleilaxu appear throughout the attacker-controlled repository forks [5]. The “Mini Shai-Hulud” designation—referencing the giant sandworms of Arrakis—reflects the worm’s burrowing, self-propagating nature and the campaign’s thematic branding. CSA’s AI Safety Initiative published an initial advisory covering the April SAP wave [9]; the present note covers the substantially larger May campaign and its specific implications for AI tool security.

What distinguishes Mini Shai-Hulud from prior npm supply chain incidents is a combination of three properties acting together: autonomous self-propagation through stolen CI/CD credentials, evasion of modern supply chain security controls including signed provenance attestations, and targeted collection of AI developer credentials from non-standard file paths not yet addressed by standard secret management frameworks or tooling defaults.

Security Analysis

Attack Chain and Propagation Mechanism

The TanStack compromise illustrates how the attack chain exploited multiple trust relationships in sequence. An orphaned commit in a fork of the TanStack repository retained OIDC trust federation configuration pointing at npm. The attacker pushed to this fork, triggered a GitHub Actions workflow, and extracted a short-lived OIDC token from the runner’s process memory at /proc/<pid>/mem [5]. That token was exchanged for authenticated publish access to the TanStack npm namespace without requiring any long-lived credentials—bypassing the two-factor authentication controls on maintainer accounts and the OIDC trusted publishing controls that TanStack maintainers had configured for their packages [8]. It bears noting that OIDC trusted publishing is a machine-to-machine authentication pathway; account-level 2FA does not apply to publish operations executed through this channel, so the attack did not defeat 2FA in the conventional sense but rather used an authentication path where it is architecturally inapplicable.

Once publish access was established, each infected CI run became a new publisher. The malware added preinstall lifecycle hooks to compromised packages. Upon installation, those hooks downloaded the Bun JavaScript runtime as a living-off-the-land binary—a legitimate, signed runtime not natively associated with malicious activity; at time of writing, no public reporting indicated it was broadly flagged by EDR solutions in this context—and then executed a 2.3 MB obfuscated payload identified as router_init.js in npm variants and transformers.pyz in PyPI variants [6][10]. This payload performed the credential sweep described below and then used the harvested npm and GitHub tokens to publish additional malicious package versions under new victim-package namespaces, continuing the worm’s spread.

The campaign’s propagation was rapid. Within approximately five hours of the TanStack intrusion, TeamPCP had published over 400 malicious versions across 172 distinct packages [1][2]. Crucially, those versions carried valid SLSA provenance attestations generated by the compromised CI workflows. Standard provenance verification tools—which validate the attestation’s authenticity but do not independently evaluate whether the underlying workflow or fork configuration was trustworthy—would not have flagged these versions through attestation inspection alone [5].

Credential Harvesting Scope

The payload swept credentials from over 100 file paths spanning cloud providers, AI tools, CI/CD systems, and developer workstations [3]. Targeted cloud credentials included AWS STS identity tokens, AWS Secrets Manager and SSM Parameter Store values, Azure subscription credentials and Key Vault secrets, and GCP project identity tokens and Secret Manager values. Kubernetes service account tokens and HashiCorp Vault secrets were also collected. From CI/CD environments, the malware extracted GitHub Actions secrets from runner memory—a technique that functions regardless of whether secrets are masked in logs.

Unlike prior supply chain attacks that focused primarily on cloud and CI/CD credentials, this payload explicitly harvests ~/.claude.json, ~/.claude/mcp.json, and ~/.kiro/settings/mcp.json—the configuration files used by Claude Code and the Kiro AI IDE to store MCP server definitions and their associated authentication tokens [3][4]. These files are designed to store MCP server configurations, which routinely include API keys and authentication tokens for connected services; Anthropic’s documentation for Claude Code specifies that API keys are stored in ~/.claude.json [3]. The enumeration of these paths—an attack surface not documented in prior supply chain campaign writeups—suggests that TeamPCP had researched modern AI development tooling before executing this campaign, identifying a credential class that published scanning tool configurations have not yet enumerated as standard targets.

Persistence via AI Tool Configuration

The persistence mechanism introduced in Mini Shai-Hulud extends beyond what prior npm supply chain attacks have employed: unlike payloads that rely solely on the presence of infected packages, this malware survives package removal by installing hooks in AI tool and IDE configuration files. After credential exfiltration, the payload writes hooks into .claude/settings.json (targeting Claude Code’s SessionStart event) and .vscode/tasks.json (targeting VS Code’s folder-open task runner) [3][4]. Both mechanisms cause the malware’s code to execute automatically whenever a developer opens a project in the respective tool—even after the original infected npm package has been removed and npm’s cache has been cleared.

Published scanning tool default configurations and EDR default rule sets reviewed for this note do not include AI coding assistant configuration files in their coverage profiles. As a result, the malware can survive host remediation steps that would be sufficient to eliminate a traditional npm-injected payload, meaning that organizations that have responded to this incident solely by uninstalling affected packages may still have compromised developer machines.

Bypassing Modern Supply Chain Controls

The campaign’s success against targets that had implemented OIDC trusted publishing, 2FA on all maintainer accounts, and SLSA provenance attestations is operationally important. Each of these controls was designed to address a specific prior supply chain attack pattern: stolen long-lived npm tokens, account takeover via phishing, and tampered release artifacts, respectively. Mini Shai-Hulud sidesteps all three by exploiting the trust relationships that underpin those same controls—specifically, the OIDC federation between GitHub Actions and npm that is configured at the repository level but can be reached via orphaned workflow files in forks [5][8].

The Mistral AI and Guardrails AI PyPI compromise followed a parallel path, using __init__.py injection in the published packages to download a malicious file (transformers.pyz) from the attacker-controlled domain git-tanstack.com [10]. The use of a plausible domain name and a filename designed to resemble a legitimate machine learning artifact demonstrates deliberate social engineering layered on top of the technical attack chain.

Dead Man’s Switch

The payload includes a monitoring component that watches for revocation of the stolen GitHub token. If a developer or security team revokes the token as part of an incident response, the malware attempts to execute rm -rf ~—deleting the user’s entire home directory [2]. This mechanism creates a coercive dynamic: organizations that detect the compromise face the choice between allowing an adversary to retain access to a stolen GitHub token or triggering a destructive data-loss event. Unlike ransomware, which encrypts data for ransom, this mechanism is purely destructive—there is no recovery path through compliance with attacker demands, and backups are the only mitigation. Security teams should plan incident response accordingly, including ensuring home directory backups exist before initiating token revocation.

Recommendations

Immediate Actions

For organizations that install npm or PyPI packages in their development or CI/CD environments, the following actions should be taken as soon as possible. First, audit developer workstations and CI/CD runners for the presence of modified .claude/settings.json and .vscode/tasks.json files. The malicious SessionStart hook and folder-open task entries are inserted by the payload and will be present even on machines where the original infected package has since been removed. Removing these hooks should precede any token revocation to avoid triggering the destructive dead man’s switch. Second, rotate all GitHub tokens, npm publish tokens, cloud provider credentials, and AI API keys (including Anthropic and OpenAI API keys) on affected machines—after confirming the persistence hooks have been removed. Third, check npm and PyPI package lock files for any of the known-affected package versions published between April 28 and May 12, 2026; updated safe versions have been published by affected maintainers [1][8].

Short-Term Mitigations

Organizations should extend their secrets scanning coverage to include AI tool configuration files. Standard tools such as truffleHog, gitleaks, and detect-secrets can be configured with custom patterns to scan ~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json, and the .vscode/ directory tree. These paths are not included in most default scanning configurations, and adding them closes a gap that Mini Shai-Hulud demonstrates is actively targeted.

CI/CD pipeline hardening should include an audit of all OIDC trust federations. Organizations should enumerate every repository, including forks, that has OIDC publish trust configured for npm, PyPI, or other package registries, and revoke trust from any repository that is no longer actively used for publishing. Unused federated trust relationships are the specific attack surface exploited in this campaign. StepSecurity’s Harden-Runner and similar CI/CD security monitoring tools can detect anomalous OIDC token exchanges in GitHub Actions workflows [5].

Deploying lockfile pinning and requiring explicit hash verification (npm ci with integrity checking, or tools such as Socket Security’s package monitoring) adds a detection layer for packages that have been modified after initial inclusion in a lockfile. This does not prevent initial infection but significantly reduces the window during which a newly poisoned version remains undetected in development pipelines.

Strategic Considerations

The Mini Shai-Hulud campaign illustrates that modern supply chain security controls—OIDC publishing, signed provenance, 2FA—are necessary but not individually sufficient. The controls were in place and functioning as designed by affected package maintainers; the attack succeeded by exploiting the trust relationships that those controls relied on, rather than defeating any individual control. Organizations should evaluate their supply chain security posture as a system, examining where trust relationships are configured, who can create or modify those relationships, and whether orphaned configurations in forks or archived repositories receive the same governance attention as active ones.

The targeting of AI API keys is consistent with threat actors having updated their targeting based on where high-value credentials now reside in AI-assisted development workflows. As AI-assisted development expands, credentials for AI services are increasingly present on developer workstations, in CI/CD environments, and in MCP configurations—and can be expected to grow in prevalence and value as targets. Enterprises should classify AI API keys alongside cloud provider credentials in their secrets management programs, apply the same rotation, monitoring, and access-control policies, and ensure that AI tool configuration files are included in DLP and endpoint monitoring scope.

Finally, the dead man’s switch component argues for updated incident response playbooks. The coercive structure of this mechanism—where remediation triggers destruction—shares characteristics with ransomware in requiring pre-staged recovery before any remediation action, but differs in that there is no recovery path through attacker compliance; backups are the only mitigation, not decryption keys. Maintaining verified, recent backups of developer home directories, pre-staging replacement credentials before beginning revocation, and planning the remediation sequence before executing any step are all practices that reduce the leverage this mechanism provides to attackers.

CSA Resource Alignment

This incident maps directly to several active CSA frameworks and guidance documents that security teams can leverage for remediation planning and longer-term program development.

The MAESTRO framework (Multi-Agent Environment, Security, Threat Risk, and Outcome) addresses the Layer 3 (Agent Frameworks) and Layer 4 (Deployment and Infrastructure) threat surfaces exploited by Mini Shai-Hulud’s MCP persistence mechanism. MAESTRO’s guidance on MCP server trust boundaries and tool call validation is directly applicable to hardening Claude Code, VS Code, and similar AI coding agents against supply chain injection [11]. CSA’s February 2026 blog post on applying MAESTRO to real-world agentic AI threats provides worked examples in CI/CD contexts [12].

The AI Controls Matrix (AICM) v1.0.3 Supply Chain Management domain covers third-party tool provenance, dependency validation, and runtime integrity monitoring for AI systems. The AICM’s Application Provider (AP) and AI Customer (AIC) implementation guidelines describe control objectives directly relevant to npm dependency management, CI/CD pipeline hardening, and AI tooling credential governance [13]. The AICM Supply Chain Management domain should be the primary governance reference for organizations developing remediation program documentation in response to this incident.

CSA Zero Trust guidance is relevant to the OIDC federation exploitation at the core of this campaign. Zero Trust principles applied to CI/CD environments—specifically, minimizing implicit trust relationships, requiring explicit authorization for publish operations, and continuously validating the provenance of build artifacts—would constrain the attack surface Mini Shai-Hulud exploits. CSA’s Zero Trust Guidance for Achieving Operational Resilience provides implementation guidance applicable to build pipeline architectures [14].

The CSA prior advisory on Shai-Hulud (April 2026) covers the initial SAP wave and provides background on TeamPCP’s tooling and the @sap/cds and @sap/mbt compromise specifics [9]. The present note builds on that advisory; organizations responding to the April incidents should review both documents together to ensure their remediation addresses the expanded attack surface of the May campaign.

References

[1] The Hacker News. “Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages.” The Hacker News, May 2026.

[2] CyberScoop. “‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack.” CyberScoop, May 2026.

[3] Phoenix Security. “Mini Shai-Hulud: SAP CAP and mbt npm Packages Backdoored via Bun-Loaded Credential Stealer with Claude Code Persistence.” Phoenix Security, April 2026.

[4] NewsBreak / Morning Overview. “The ‘Mini Shai-Hulud’ attack hides inside AI coding agent configs — the first supply chain attack to weaponize Claude Code and VS Code as persistence vectors.” NewsBreak, May 2026.

[5] StepSecurity. “TeamPCP’s Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages.” StepSecurity Blog, May 2026.

[6] Dark Reading. “TeamPCP Hits SAP Packages With ‘Mini Shai-Hulud’ Attack.” Dark Reading, April 2026.

[7] OX Security. “‘Shai-Hulud, Here We Go Again’: 170+ Packages Hit Across npm & PyPi.” OX Security Blog, May 2026.

[8] Wiz. “Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised.” Wiz Blog, May 2026.

[9] Cloud Security Alliance AI Safety Initiative. “CSA Research Note: Shai-Hulud npm Worm — AI Developer Supply Chain.” CSA Lab Space, April 2026.

[10] Phoenix Security. “Mini Shai-Hulud: TeamPCP’s Self-Propagating npm Worm Hits TanStack, OpenSearch, and Mistral AI Across 170 Packages.” Phoenix Security, May 2026.

[11] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 2025.

[12] Cloud Security Alliance. “Applying MAESTRO to Real-World Agentic AI Threats: From Framework to CI/CD Pipeline.” CSA Blog, February 2026.

[13] Cloud Security Alliance. “AI Controls Matrix.” CSA, 2025.

[14] Cloud Security Alliance. “Zero Trust Guidance for Achieving Operational Resilience.” CSA, 2025.

Further Reading

The following sources were reviewed in the preparation of this note and provide additional context on the Mini Shai-Hulud and predecessor Shai-Hulud campaigns.

• JFrog Security Research. “Shai-Hulud: Here We Go Again – Worm by TeamPCP Hits NPM and PyPI.” JFrog, May 2026.
• Bleeping Computer. “Shai-Hulud attack ships signed malicious TanStack, Mistral npm packages.” Bleeping Computer, May 2026.
• Snyk. “TanStack npm Packages Hit by Mini Shai-Hulud.” Snyk Blog, May 2026.
• Microsoft Security Blog. “Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack.” Microsoft Security, December 2025. (Covers the predecessor Shai-Hulud 2.0 campaign from November–December 2025, not the May 2026 Mini Shai-Hulud wave; a May 2026 update has been appended to the post.)
• VentureBeat. “Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps.” VentureBeat, May 2026.
• Endor Labs. “Shai-Hulud compromises the @tanstack ecosystem: 80+ packages compromised.” Endor Labs Blog, May 2026.
• Picus Security. “Mini Shai-Hulud: The npm Supply Chain Worm Explained.” Picus Security Blog, May 2026.
• ReversingLabs. “Team PCP’s Mini Shai-Hulud tears at open-source trust.” ReversingLabs Blog, May 2026.