CERT-In Advisory
CIAD-2026-0026
"Mini Shai-Hulud" Supply Chain Attack Campaign Targeting Open-Source
Original Issue Date: May 21, 2026
Severity Rating: Critical
Overview
It has been observed that an active software supply chain attack campaign, publicly referred to as "Mini Shai-Hulud", is targeting npm and PyPI package registries, with broader impact across enterprise CI/CD environments and open-source software ecosystems. This campaign, observed across multiple discrete waves, is compromising software packages, build and release pipelines, automated publishing workflows, and cloud-native development infrastructures leveraged in modern application delivery.
Threat actors have reportedly compromised several hundred packages across npm and PyPI, resulting in the publication of a significantly larger number of malicious versions. The compromises have been carried out through a combination of compromised maintainer accounts, hijacked CI/CD pipeline tokens, and abuse of trusted publishing workflows.
Notable Affected Ecosystems / Packages
The affected packages, with specific malicious versions reported within each, include:
- TanStack packages (@tanstack namespace)
- SAP CAP / MTA npm packages
- AntV ecosystem packages (@antv namespace)
- UiPath packages (@uipath namespace)
- Mistral AI packages (@mistralai namespace)
- OpenSearch packages (@opensearch-project namespace)
- Guardrails AI packages
- Squawk packages
- Other widely-used packages including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, jest-canvas-mock
Note: The set of affected packages and versions is expanding. Organizations are advised to refer to advisories published by the relevant registry operators, the GitHub Advisory Database and other official channels for the most current information.
Description
Analysis from multiple security researchers indicates that the attackers are leveraging compromised npm maintainer accounts, GitHub Actions workflow abuse, and CI/CD pipeline compromise to distribute malicious packages. The campaign uses malicious preinstall hooks, obfuscated Bun/JavaScript payloads, credential harvesting mechanisms, and worm-like propagation capabilities to spread across development and enterprise environments.
Initial access has been observed through:
- hijacking of GitHub Actions OIDC tokens via the "pull_request_target" trigger in combination with Actions cache poisoning, followed by exchange with npm trusted publishing workflows for valid publish credentials;
- compromise of npm maintainer accounts; and
- targeting of long-dormant packages with weaker security controls but continued transitive usage.
The malware is designed to harvest sensitive credentials, including GitHub Personal Access Tokens (PATs), npm authentication tokens, cloud credentials (AWS/Azure/GCP), SSH keys, Kubernetes service account tokens, Vault secrets, database credentials, and CI/CD environment variables. It may also attempt to access cloud metadata services, extract secrets from CI/CD runner environments, and exfiltrate collected data to attacker-controlled infrastructure, while enabling further propagation by validating stolen npm tokens, enumerating accessible packages, injecting malicious payloads, and republishing under compromised maintainer identities.
Persistence mechanisms have been observed on development environments through modification of local tooling configurations (e.g., editor task hooks), potentially allowing execution across sessions.
Malicious packages have also been observed abusing trusted build and provenance mechanisms to appear legitimate, complicating detection and trust validation efforts.
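One way to audit workflows for the first access path listed above, as an added example that is not part of this advisory: a text-based check for the combination it names (the "pull_request_target" trigger, Actions cache use, and OIDC token permission). The pattern names, rule wording and both sample workflows are constructed for illustration.

```python
import re

PATTERNS = {  # text heuristics over one workflow file; no YAML parser required
    "prt_trigger": r"\bpull_request_target\b",
    "pr_head_checkout": r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/",
    "cache_use": r"uses:\s*actions/cache\b",
    "oidc_write": r"id-token:\s*write\b",
}
RULES = [  # (flags that must all be present, finding reported)
    ({"prt_trigger", "pr_head_checkout"}, "pull_request_target job checks out the PR head"),
    ({"prt_trigger", "cache_use"}, "pull_request_target job uses actions/cache"),
    ({"oidc_write", "cache_use"}, "workflow granting id-token: write uses actions/cache"),
]

def audit_workflow(text):
    """Return (flags, findings) for the text of one .github/workflows file."""
    # Drop YAML comments so a commented-out trigger is not reported.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())
    flags = {name for name, pat in PATTERNS.items() if re.search(pat, body)}
    return flags, [msg for need, msg in RULES if need <= flags]

# Constructed sample workflows (not taken from any affected project).
RISKY_PR = """\
on: pull_request_target
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: {ref: "${{ github.event.pull_request.head.sha }}"}
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
      - run: npm ci && npm run format
"""
RELEASE = """\
on: {push: {branches: [main]}}
permissions:
  id-token: write  # OIDC for npm trusted publishing
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
      - run: npm ci && npm publish
"""

if __name__ == "__main__":
    print(audit_workflow(RISKY_PR)[1], audit_workflow(RELEASE)[1], sep="\n")
```

Run `audit_workflow` over every file under `.github/workflows`; a finding is a lead for manual review of that workflow, not proof of compromise.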
Indicators of Compromise
The following Indicators of Compromise (IoCs) are associated with this campaign:
Malicious files and artefacts:
- router_init.js
- router_runtime.js
- tanstack_runner.js
- index.js (root-level, ~498 KB obfuscated Bun bundle)
- setup.mjs
- transformers.pyz (also observed at /tmp/transformers.pyz)
- pgmonitor.py
- pgsql-monitor.service
- gh-token-monitor.sh
- kitty-monitor (Installed as a systemd user service on Linux or LaunchAgent on macOS)
- cat.py (Often located in ~/.local/share/kitty/)
- Injections into .claude/settings.json (SessionStart hook executing node .claude/setup.mjs) and .vscode/tasks.json (task with "runOn": "folderOpen").
- Suspicious preinstall / postinstall / prepare script execution during npm install
Network indicators:
- filev2.getsession[.]org
- git-tanstack[.]com
- t.m-kosche[.]com
- api.masscan[.]cloud
- 83[.]142[.]209[.]194
- Suspicious access attempts to cloud metadata endpoints: 169[.]254[.]169[.]254 (AWS/Azure/GCP IMDS) and 169[.]254[.]170[.]2 (ECS task metadata)
File hashes (SHA-256):
- ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c (router_init.js, @tanstack)
- 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 (tanstack_runner.js)
GitHub repository markers:
- Repositories suddenly created under organisation identities with the description "A Mini Shai-Hulud has Appeared" or the reversed marker "niagA oG eW ereH :duluH-iahS"
- Unauthorized dead-drop commits authored by the alias: claude@users.noreply.github.com
- Anomalous branch creation or pushes mimicking dependabot (e.g., dependabout/github_actions/format/setup-formatter)
- package.json modifications containing the malicious optional dependency pointer:
"@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
Successful exploitation may allow attackers to steal developer and cloud credentials, compromise CI/CD pipelines, publish additional malicious packages, gain unauthorized access to enterprise repositories, establish persistence in developer environments, compromise downstream software supply chains, and exfiltrate sensitive organizational data. Organizations using automated dependency updates or unrestricted package version ranges may face increased exposure to such attacks.
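As a triage aid for the project-level indicators listed above, the following added example (not part of this advisory or of any vendor tooling) scans a checked-out project for lifecycle scripts, git-sourced dependency pointers, folder-open VS Code tasks and Claude SessionStart hooks. Function names are illustrative, and the `hooks.SessionStart` and `runOptions.runOn` key locations are assumptions about those settings formats.

```python
import json
from pathlib import Path

LIFECYCLE = ("preinstall", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
GIT_SPECS = ("github:", "git+", "git://")  # dependency fetched from git, not the registry

def check_package(data):
    """Lifecycle scripts and git-sourced dependencies in one package.json."""
    scripts = data.get("scripts") or {}
    out = [f"lifecycle script {h}: {scripts[h]}" for h in LIFECYCLE if h in scripts]
    for field in DEP_FIELDS:
        for name, spec in (data.get(field) or {}).items():
            if isinstance(spec, str) and spec.startswith(GIT_SPECS):
                out.append(f"{field} {name} -> {spec}")
    return out

def check_vscode_tasks(data):
    """Tasks that start as soon as the folder is opened."""
    return [f"task {t.get('label')!r} runs on folderOpen: {t.get('command')}"
            for t in data.get("tasks") or []
            if isinstance(t, dict) and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def check_claude_settings(data):
    """Any SessionStart hook; assumed to live under the top-level "hooks" key."""
    hook = (data.get("hooks") or {}).get("SessionStart")
    return [f"SessionStart hook: {json.dumps(hook)}"] if hook else []

def scan_project(root):
    """Return (relative path, finding) pairs for one project directory."""
    root, findings = Path(root), []
    targets = [(p, check_package) for p in sorted(root.rglob("package.json"))]
    targets += [(root / ".vscode" / "tasks.json", check_vscode_tasks),
                (root / ".claude" / "settings.json", check_claude_settings)]
    for path, check in targets:
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("top level is not an object")
        except ValueError:
            # tasks.json may legally contain comments (JSONC); do not skip it silently
            findings.append((rel, "not strict JSON, review by hand"))
            continue
        findings += [(rel, msg) for msg in check(data)]
    return findings
```

Legitimate projects also use `prepare` scripts and folder-open tasks, so each finding needs a reviewer to compare it with the repository's history before it is treated as an indicator.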
Recommendations
- Review all npm, PyPI, Composer/Packagist, and related dependencies for suspicious or unauthorized package versions.
- If an affected package version is identified, promptly isolate the host from the network and ensure relevant system artifacts are preserved to support incident investigation, prior to proceeding with further remediation.
- Identify and disable local persistence mechanisms (e.g., systemd services or LaunchAgents) PRIOR to revoking any tokens. Revoking tokens while the malware's monitoring daemon is active may trigger retaliatory destructive actions on the compromised host.
- Rotate all developer credentials and tokens, including npm/PyPI publish tokens, GitHub PATs and Actions secrets, AWS/Azure/GCP credentials, HashiCorp Vault and Kubernetes service-account tokens, SSH keys, and other CI/CD secrets.
- Enforce Multi-Factor Authentication (MFA) across GitHub, npm, PyPI, cloud, and CI/CD environments.
- Audit GitHub Actions workflows for insecure configurations, excessive permissions, and untrusted third-party actions.
- Restrict unnecessary preinstall, postinstall, and prepare lifecycle scripts in development and CI/CD environments.
- Monitor systems and network traffic for known indicators of compromise associated with the campaign.
- Inspect repositories for unauthorized workflow changes, suspicious commits, malicious releases, or unexpected package publishing activity.
- Validate package provenance, maintainers, and software attestations before approving dependency updates.
- Implement least-privilege access controls and dependency pinning to reduce supply chain risk.
- Continuously monitor software supply chain activity using SBOM and dependency monitoring solutions.
- Conduct threat hunting for credential theft, malicious workflows, and unauthorized publishing activity.
Note: "Mini Shai-Hulud" is considered an evolved variant of the earlier "Shai-Hulud" campaign, expanding beyond the npm ecosystem to target multiple package ecosystems and enterprise CI/CD environments. For the CERT-In advisory related to the "Shai-Hulud" campaign, refer to CIAD-2025-0034.
References
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
https://www.sophos.com/en-us/blog/-mini-shai-hulud-supply-chain-attack-targets-sap-npm-packages
https://www.endorlabs.com/learn/shai-hulud-compromises-the-tanstack-ecosystem-80-packages-compromised
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
https://snyk.io/blog/tanstack-npm-packages-compromised
https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/
https://socket.dev/blog/antv-packages-compromised
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India