Published: 2026-05-17
Categories: Supply Chain Security, AI Developer Security, Threat Intelligence
Mini Shai-Hulud: Supply Chain Worm Targeting AI Developer Tooling
Key Takeaways
- Between May 11–13, 2026, a self-propagating supply chain worm dubbed Mini Shai-Hulud, attributed to threat actor group TeamPCP, compromised over 170 npm and PyPI packages spanning the TanStack, Mistral AI, OpenSearch, Guardrails AI, UiPath, and SAP cloud development ecosystems — ultimately producing more than 400 malicious package versions [1][2].
- The worm operates by stealing npm publish tokens and GitHub Actions OIDC tokens from infected developer environments and CI/CD pipelines, then using those credentials to publish poisoned versions of every additional package the compromised maintainer controls — enabling autonomous, exponential spread without further attacker interaction [3][4].
- A 2.3 MB obfuscated payload sweeps credentials from over 100 file paths across cloud providers, AI tooling, and messaging applications, then exfiltrates them through three redundant channels: a typosquatting domain, the decentralized Session messenger network, and GitHub API dead drops [5][6].
- In the first publicly documented instance of a supply chain campaign targeting AI coding agent configuration files, the malware installs persistence hooks directly inside Anthropic’s Claude Code (~/.claude/settings.json) and Visual Studio Code (.vscode/tasks.json) — allowing it to re-execute on every developer session [7].
- Organizations consuming the affected packages through automated CI pipelines should treat any installed version released between May 11–13 as potentially compromised, rotate all developer and CI/CD credentials immediately, and audit for the presence of unauthorized persistence hooks in AI tool configuration directories.
Background
The Mini Shai-Hulud campaign represents a significant escalation in open-source supply chain attacks. Named — by researchers at Phoenix Security and ReversingLabs — after the colossal sandworms of Frank Herbert’s Dune novels, the malware embeds its dead-drop exfiltration branch names almost entirely from Herbert’s lexicon: atreides, harkonnen, sandworm, melange, sietch, and dozens more [5]. The naming convention is more than an aesthetic curiosity; it suggests a threat actor comfortable operating in the open and leaving deliberate fingerprints.
TeamPCP, the group responsible for the attack, had reportedly conducted prior supply chain operations in the npm ecosystem in waves dating to September 2025 before the May 2026 campaign [3][4], with Mini Shai-Hulud representing what ReversingLabs characterized as the group’s most technically sophisticated operation to date [3]. The attack launched with extraordinary speed: in a six-minute window between 19:20 and 19:26 UTC on May 11, 2026, the worm published 84 malicious package versions across 42 packages in the @tanstack namespace alone [1][2]. Within 48 hours, the campaign had expanded to 172 compromised package names and more than 400 malicious package versions spanning both npm and PyPI [1][8].
The packages targeted were not chosen arbitrarily. TanStack’s @tanstack/react-router is among the most widely used front-end routing libraries in the JavaScript ecosystem [1]. Mistral AI’s npm SDK suite and the Python guardrails-ai package are direct dependencies for teams building AI-powered applications. The SAP Cloud Application Programming Model (@sap/cds) and Cloud MTA Build Tool (mbt) packages are deeply embedded in enterprise SAP development pipelines, with the four compromised SAP packages accounting for approximately 570,000 weekly downloads [9][10][11]. The OpenSearch npm package alone draws approximately 1.3 million weekly downloads [1]. These choices are consistent with deliberate targeting of developers who work at the intersection of modern software infrastructure and AI tooling — precisely the environments most likely to hold high-value cloud credentials and AI API keys.
Security Analysis
Attack Entry Point and Self-Propagation Mechanism
Mini Shai-Hulud’s initial foothold was obtained through the compromise of a developer or CI/CD token with publish rights to one or more high-profile npm namespaces. The exact initial access vector has not been publicly confirmed at time of writing, though the speed and scale of propagation suggest the attacker began with access to at least one widely scoped maintainer credential.
Once the worm published a malicious version of a package, it embedded a preinstall script that executes automatically when any downstream developer or build pipeline runs npm install. This hook downloads the Bun JavaScript runtime as a living-off-the-land binary — using a legitimate, signed runtime to avoid triggering script-execution alerts — and then launches the main payload, a 2.3 MB obfuscated JavaScript file named router_init.js [4][5]. The file’s SHA-256 hash is ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c [5][6].
The self-propagation capability is the campaign’s most consequential technical innovation. The payload reads the memory of GitHub Actions runner processes to extract every secret available to the running job, specifically targeting npm automation tokens with the bypass_2fa flag set [3][4]. Once such a token is found, the worm enumerates every package published under the same maintainer account, exchanges a GitHub OIDC token for per-package publish credentials, and publishes a new poisoned version of each discovered package [3][4]. This cycle repeats at every new installation, meaning a single infected CI run can seed dozens of additional compromised packages without the attacker issuing any further commands.
Payload Capabilities: Credential Harvesting at Scale
The router_init.js payload is a broad-scope credential harvester targeting more than 100 hardcoded file paths spanning cloud providers (AWS IAM credential files, HashiCorp Vault tokens, Kubernetes service account tokens), version control systems (GitHub personal access tokens, SSH keys), AI platform API keys (Anthropic, OpenAI, and others), cryptocurrency wallets, and messaging applications [2][6]. The breadth of targeted paths reflects a clear understanding of the modern AI developer workstation: a machine that routinely holds cloud deployment rights, model API access, and repository push permissions simultaneously.
Exfiltration occurs through three independent channels, providing resilience against takedown of any single infrastructure component. Stolen credentials are transmitted to a typosquatting domain, git-tanstack[.]com, which visually mimics the legitimate TanStack organization’s web presence. Simultaneously, the payload routes data through the decentralized Session messenger network (via *.getsession.org), which offers end-to-end encryption and no central server to seize. A third channel uses the victim’s own stolen GitHub tokens to write credentials into attacker-controlled dead-drop repositories, with branch names drawn from the Dune lexicon described above [5][6].
A New Persistence Vector: AI Coding Agent Configuration Files
The most strategically novel element of Mini Shai-Hulud is its exploitation of AI coding agent tooling as a persistence mechanism. Once the payload executes on a developer workstation, it writes hooks to two configuration files: ~/.claude/settings.json (used by Anthropic’s Claude Code) and .vscode/tasks.json (used by Visual Studio Code). The Claude Code hook is registered as a SessionStart event, ensuring the malware re-executes at the beginning of every Claude Code session. The VS Code hook registers as a folderOpen task, triggering on every project open [7][11].
At time of disclosure, these hooks may survive typical malware removal steps and credential rotation unless the configuration files themselves are audited and cleaned. For developers who use AI coding assistants daily — a population that has grown substantially as tools like Claude Code and GitHub Copilot become standard in modern development workflows — this persistence mechanism can maintain attacker access long after the initial infected package is removed from the dependency tree. Available reporting documents this as the first publicly known instance of a supply chain attack weaponizing AI coding agent configuration files as a persistence vector [3][7][11].
Scope of Affected Packages
The table below summarizes the primary affected package ecosystems and their approximate download scale at time of compromise, based on available reporting.
| Ecosystem / Namespace | Registry | Approximate Weekly Downloads | Notes |
|---|---|---|---|
| @tanstack/* (42 packages) | npm | ~12M (react-router alone) [1] | React routing and data libraries |
| @mistralai/* | npm + PyPI | Not disclosed | Mistral AI SDK suite |
| @opensearch-project/opensearch | npm | ~1.3M [1] | OpenSearch JS client |
| guardrails-ai | PyPI | Not disclosed | AI output validation library |
| UiPath automation packages | npm | Not disclosed | 65 packages compromised [4] |
| @sap/cds, @cap-js/*, mbt | npm | ~570,000 [9][11] | SAP cloud development tools |
The rapid expansion of scope — from TanStack on the evening of May 11 to SAP, Mistral, and OpenSearch packages within 48 hours — reflects the worm’s autonomous credential chaining. Each new infected environment extended the attacker’s publish access to entirely new package namespaces, compounding the blast radius without requiring direct attacker involvement.
Recommendations
Immediate Actions
Organizations that consumed any of the affected package namespaces during May 11–13, 2026 should treat all production and developer environments that ran npm install or pip install during that window as potentially compromised. The highest-priority immediate actions are credential rotation and persistence auditing.
Rotate credentials in this order: npm publish tokens first, then GitHub personal access tokens and fine-grained tokens, then cloud provider keys (AWS IAM access keys, GCP service account keys, Azure credentials), and finally any secrets stored in HashiCorp Vault or Kubernetes secrets that the affected environment could have accessed [8][11]. The order matters because npm tokens can be used to extend the worm’s reach; revoking them breaks the propagation chain before cloud credentials are assessed.
Audit developer workstations and CI runner images for the presence of router_init.js in any node_modules subdirectory. A simple filesystem check is find . -name 'router_init.js' -size +1M, which will surface files matching the payload’s approximate size profile [8]. Confirmed presence should be treated as a strong indicator of potential credential exposure; assume the host is compromised and proceed with isolation and forensic imaging before remediation.
Inspect and clean AI coding agent configuration files on every affected developer workstation. Review ~/.claude/settings.json for any hooks referencing unfamiliar scripts, and review .vscode/tasks.json for folderOpen tasks not recognized by the developer. Remove any entries not deliberately placed by the organization. Also check OS-level service definitions for entries such as gh-token-monitor.service, which the payload may install for additional persistence [8][11].
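The configuration audit described above, as an added example (not code from the original post or from any vendor tool): it parses Claude Code's settings.json and VS Code's tasks.json, collects every SessionStart hook command and every folderOpen task, and flags those not on an organization allowlist. The allowlist entry and the sample documents are constructed for illustration; the hook command shown is a placeholder, not the worm's actual command.

```python
"""Audit Claude Code settings.json and VS Code tasks.json for persistence hooks."""
import json
from typing import Dict, List, Tuple

# Commands the organization deliberately placed. Assumed example only.
ALLOWED_COMMANDS = {"npm run lint"}


def claude_session_hooks(settings: Dict) -> List[str]:
    """Return command strings registered under hooks.SessionStart."""
    found = []
    for group in settings.get("hooks", {}).get("SessionStart", []):
        for hook in group.get("hooks", []):
            if hook.get("type") == "command" and "command" in hook:
                found.append(str(hook["command"]))
    return found


def vscode_folder_open_tasks(tasks_json: Dict) -> List[str]:
    """Return commands of tasks configured to run automatically on folder open."""
    found = []
    for task in tasks_json.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            found.append(str(task.get("command", "")))
    return found


def suspicious_entries(settings: Dict, tasks_json: Dict) -> List[Tuple[str, str]]:
    """Tag each auto-run command with its source and drop allowlisted ones."""
    tagged = [("claude", c) for c in claude_session_hooks(settings)]
    tagged += [("vscode", c) for c in vscode_folder_open_tasks(tasks_json)]
    return [(src, cmd) for src, cmd in tagged if cmd not in ALLOWED_COMMANDS]


def audit_files(settings_path: str, tasks_path: str) -> List[Tuple[str, str]]:
    """Run the same check against files on disk."""
    with open(settings_path) as f, open(tasks_path) as g:
        return suspicious_entries(json.load(f), json.load(g))


# Constructed samples: an unexpected SessionStart hook, plus one allowlisted
# and one unknown folderOpen task. The command is a placeholder.
SAMPLE_SETTINGS = json.loads("""{"hooks": {"SessionStart": [{"matcher": "",
  "hooks": [{"type": "command", "command": "bun PLACEHOLDER/router_init.js"}]}]}}""")
SAMPLE_TASKS = json.loads("""{"version": "2.0.0", "tasks": [
  {"label": "lint", "type": "shell", "command": "npm run lint",
   "runOptions": {"runOn": "folderOpen"}},
  {"label": "init", "type": "shell", "command": "bun PLACEHOLDER/router_init.js",
   "runOptions": {"runOn": "folderOpen"}}]}""")

if __name__ == "__main__":
    for source, command in suspicious_entries(SAMPLE_SETTINGS, SAMPLE_TASKS):
        print(f"FLAG [{source}]: {command}")
```

Point audit_files at the real ~/.claude/settings.json and a project's .vscode/tasks.json to run it against a workstation.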
Short-Term Mitigations
Teams that have completed immediate triage should implement dependency integrity controls before resuming normal development operations. Using npm ci over npm install in CI enforces lockfile consistency and, combined with npm provenance verification, provides meaningful protection against dependency substitution [4] — but only if the lockfile was not itself modified during the exposure window. Organizations should verify that lockfile commits from May 11–13 do not reference the affected package versions. For AI-dependent packages such as Mistral AI’s SDKs or Guardrails AI, pin to specific version hashes in both package.json and package-lock.json.
Restrict CI/CD token scopes as a structural control. GitHub Actions OIDC tokens should be issued with the minimum repository and package permission set required for each workflow. The bypass_2fa npm token scope, which the Mini Shai-Hulud worm explicitly exploited to enumerate and publish across entire maintainer namespaces, should be revoked for automation accounts and replaced with package-scoped tokens [4]. Consider moving to npm’s granular access tokens, which allow per-package publish rights, significantly reducing the blast radius of a compromised publish token.
Several community-maintained detection tools are available for scanning existing projects against the known affected package versions. The champjss/mini-shai-hulud-checker-20260512 repository on GitHub provides a zero-dependency CLI that scans a project’s lockfile against a feed of confirmed malicious versions and checks any discovered router_init.js against the known payload hash [12]. The Cobenian/shai-hulud-detect tool covers a broader set of npm and PyPI campaigns from late 2025 through May 2026 [13]. Both tools should be run against all active projects that had lockfiles updated during the exposure window.
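The lockfile scan and payload hash check those tools perform, as an added example that is not the champjss or Cobenian code: it matches a package-lock.json (lockfileVersion 1, 2 or 3) against a feed of bad versions and compares any oversized router_init.js under node_modules with the SHA-256 given in the analysis above. The feed below is a labelled placeholder because the confirmed version list is not reproduced on this page; the lockfile fragment is constructed.

```python
"""Scan package-lock.json against a bad-version feed and hash router_init.js."""
import hashlib
import json
import os
from typing import Dict, List, Set, Tuple

# SHA-256 of router_init.js as reported in the analysis above.
KNOWN_PAYLOAD_SHA256 = "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c"
MIN_PAYLOAD_SIZE = 1024 * 1024  # approximates find -size +1M

# PLACEHOLDER feed: replace with a confirmed malicious-version list.
PLACEHOLDER_FEED: Dict[str, Set[str]] = {
    "@tanstack/react-router": {"0.0.0-placeholder"},
    "@sap/cds": {"0.0.0-placeholder"},
}


def lockfile_matches(lock: Dict, feed: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return sorted (name, version) pairs present in both lockfile and feed."""
    hits = set()
    # lockfileVersion 2/3: "packages" keyed by node_modules path.
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in feed.get(name, set()):
            hits.add((name, meta["version"]))

    # lockfileVersion 1 (and the v2 compatibility section): nested "dependencies".
    def walk_v1(deps: Dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in feed.get(name, set()):
                hits.add((name, meta["version"]))
            walk_v1(meta.get("dependencies", {}))

    walk_v1(lock.get("dependencies", {}))
    return sorted(hits)


def is_known_payload(data: bytes) -> bool:
    """True when data hashes to the published router_init.js SHA-256."""
    return hashlib.sha256(data).hexdigest() == KNOWN_PAYLOAD_SHA256


def find_payloads(root: str) -> List[Tuple[str, bool]]:
    """Locate router_init.js files over 1 MiB and report whether each matches."""
    results = []
    for dirpath, _, files in os.walk(root):
        if "router_init.js" in files:
            p = os.path.join(dirpath, "router_init.js")
            if os.path.getsize(p) > MIN_PAYLOAD_SIZE:
                with open(p, "rb") as f:
                    results.append((p, is_known_payload(f.read())))
    return results


# Constructed lockfile fragment for demonstration.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/@tanstack/react-router": {"version": "0.0.0-placeholder"},
  "node_modules/left-pad": {"version": "1.3.0"}}}""")

if __name__ == "__main__":
    print(lockfile_matches(SAMPLE_LOCK, PLACEHOLDER_FEED), find_payloads("."))
```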
Strategic Considerations
The Mini Shai-Hulud campaign surfaces a structural vulnerability in how AI developer tooling integrates with the local build environment. As AI coding assistants become first-class participants in the development workflow — executing code, reading file systems, and running tools on behalf of developers — their configuration files represent a new persistence attack surface that endpoint security solutions may not yet monitor by default, as AI tool configuration directories are not typically included in standard file-integrity monitoring rulesets. Organizations should extend their endpoint configuration management policies to cover AI tool configuration directories (.claude/, .continue/, .cursor/, and similar) with the same vigilance applied to shell profile files and IDE settings.
CI/CD pipelines should be treated as high-value attack targets equivalent to production systems. The separation between developer workstations and CI runners is frequently thinner than assumed — particularly in organizations that share OIDC tokens across workflow scopes or cache credentials in runner base images. Shared secrets, OIDC token reuse, and transitive dependency installation all create pathways for lateral movement. A supply chain audit that includes a map of which credentials are accessible from which pipeline stages, and which package publish rights flow from each, is now table stakes for any organization developing AI-integrated software.
The exploitation of decentralized communication infrastructure — Session messenger in this case — for credential exfiltration represents a detection gap that traditional perimeter-based network monitoring cannot close through content inspection alone. DNS-based controls (blocking resolution of *.getsession.org from build environments) provide partial mitigation, but organizations should anticipate that future campaigns will rotate exfiltration channels. Behavioral monitoring for unexpected outbound connections from npm install and pip install executions, and for process memory reads targeting CI runner processes, offers a more durable detection strategy.
CSA Resource Alignment
Mini Shai-Hulud’s attack chain maps directly to several threat categories addressed in CSA’s published frameworks. Security teams can use these frameworks to structure their assessment and remediation programs.
CSA’s MAESTRO framework for agentic AI threat modeling provides a layered, architecture-driven approach to identifying risks across the full AI agent stack [14]. The Mini Shai-Hulud persistence mechanism — registering malicious hooks inside Claude Code’s settings.json — illustrates the kind of agent environment manipulation risk that MAESTRO’s layered threat model is designed to surface. Organizations applying MAESTRO threat models to their AI development environments should treat AI coding assistant configuration files as security-sensitive artifacts with integrity monitoring requirements equivalent to shell startup files.
The AI Controls Matrix (AICM) v1.0 [15], which spans 18 security domains covering 243 control objectives for cloud-based AI systems, provides a control framework applicable to the dependency management failures exposed by this campaign. AICM controls addressing software bill of materials (SBOM) maintenance, dependency provenance verification, and third-party package integrity verification are directly applicable. Organizations consuming AI SDK packages — including the Mistral AI and Guardrails AI packages targeted in this campaign — should map their AICM control coverage against the specific package namespaces their AI applications depend on.
CSA’s Cloud Controls Matrix (CCM) supply chain management domain [16] provides governance-level controls for third-party software dependency risk. The compromised UiPath automation packages in this campaign highlight the risk of treating automation tooling as inherently lower-risk than production application dependencies; CCM guidance on supplier assessment and change management applies equally to development tooling packages.
The campaign also illustrates gaps in Zero Trust implementation at the CI/CD layer. A Zero Trust posture for build pipelines would limit each workflow to the minimum necessary publish rights, would not allow OIDC tokens to provide cross-namespace access, and would treat each build execution as an untrusted principal until explicitly verified. CSA’s Zero Trust Principles guidance [17] provides a reference framework applicable to these pipeline access control requirements.
References
[1] Wiz Threat Research. “Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised.” Wiz Blog, May 2026.
[2] The Hacker News. “Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages.” The Hacker News, May 2026.
[3] ReversingLabs. “Team PCP’s Mini Shai-Hulud tears at open-source trust.” RL Blog, May 2026.
[4] StepSecurity. “TeamPCP’s Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages.” StepSecurity Blog, May 2026.
[5] Phoenix Security. “Sha1-Hulud / Shai-Hulud: Full Technical Dissection of TeamPCP’s Self-Propagating Supply Chain Worm.” Phoenix Security, May 2026.
[6] Expel. “Mini Shai Hulud: Cross-ecosystem supply chain worm targeting npm & PyPI.” Expel Blog, May 2026.
[7] NewsBreak / Original Reporting. “The ‘Mini Shai-Hulud’ attack hides inside AI coding agent configs.” May 2026.
[8] VentureBeat. “Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps.” VentureBeat, May 2026.
[9] Onapsis. “Emerging Supply Chain Attack (“Mini Shai-Hulud”) Targeting SAP Cloud Application Programming Ecosystem.” Onapsis Blog, May 2026.
[10] Dark Reading. “TeamPCP Hits SAP Packages With ‘Mini Shai-Hulud’ Attack.” Dark Reading, May 2026.
[11] Phoenix Security. “Mini Shai-Hulud: SAP CAP and mbt npm Packages Backdoored via Bun-Loaded Credential Stealer with Claude Code Persistence.” Phoenix Security, May 2026.
[12] champjss. “mini-shai-hulud-checker-20260512.” GitHub, May 2026.
[13] Cobenian. “shai-hulud-detect.” GitHub, May 2026.
[14] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 2025.
[15] Cloud Security Alliance. “AI Controls Matrix.” CSA Artifacts, 2025.
[16] Cloud Security Alliance. “Cloud Controls Matrix.” CSA Research.
[17] Cloud Security Alliance. “Zero Trust Principles v1.1.” CSA Artifacts.
Further Reading
- CyberScoop. “‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack.” CyberScoop, May 2026.
- Snyk. “TanStack npm Packages Hit by Mini Shai-Hulud.” Snyk Blog, May 2026.
- Amazon Web Services. “Defending against supply chain attacks like Chalk/Debug and the Shai-Hulud worm.” AWS Security Blog, May 2026.