Mini Shai-Hulud Malware Abuses Trusted CI Pipelines in Expanding Supply-Chain Attack

A rapidly expanding malware campaign dubbed Mini Shai-Hulud is compromising trusted software publishing pipelines across npm and PyPI ecosystems, infecting widely used open-source packages tied to projects including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI.

Security researchers say the campaign represents a major evolution in software supply-chain attacks because the malware allegedly abused legitimate CI/CD infrastructure and trusted publishing workflows instead of relying solely on stolen maintainer credentials or fake packages.

The incident has been linked by multiple researchers to TeamPCP, a threat actor previously associated with cloud-focused supply-chain compromises and attacks targeting developer infrastructure.

Researchers from Snyk, Socket, Wiz, and StepSecurity described the malware as worm-like due to its ability to propagate through compromised software publishing environments and trusted maintainer ecosystems.

Trusted publishing became the attack vector

One of the most significant aspects of the campaign is that some malicious package releases reportedly carried valid provenance attestations generated through legitimate GitHub Actions workflows.

Rather than directly stealing npm passwords in every case, attackers allegedly hijacked active CI runners and inherited the publishing authority of legitimate repositories in real time.

Because the malicious releases originated from trusted build environments, downstream users and automated dependency systems could interpret the packages as authentic and properly signed.

Researchers stressed that the provenance systems themselves did not fail. Instead, attackers reportedly compromised the software delivery pipeline before the signing process occurred.

That effectively turned trusted CI/CD infrastructure into the malware distribution mechanism itself.

The campaign reportedly abused GitHub OIDC federation and modern trusted publishing workflows increasingly used to replace long-lived npm access tokens.

According to published analyses, the attack chain involved abuse of pull_request_target GitHub Actions workflows, cache poisoning techniques, OIDC token extraction from runners, and automated malicious package publication through legitimate pipelines.

The incident is already drawing comparisons to earlier supply-chain attacks previously covered by BreachNews, including the Axios JavaScript library compromise and the Bitwarden CLI supply-chain attack tied to TeamPCP activity.

Malware targeted cloud credentials and developer systems

Researchers say the malware payload focused heavily on credential theft, persistence, and CI/CD compromise.

Observed capabilities reportedly included:

  • AWS, Azure, and GCP credential theft
  • GitHub and npm token harvesting
  • Kubernetes and Docker configuration theft
  • SSH key collection
  • Crypto wallet targeting
  • Persistence inside developer tooling environments
  • Automated republishing of trojanized packages

The malware allegedly used heavily obfuscated JavaScript embedded inside package lifecycle execution paths. Some variants reportedly leveraged the Bun runtime to rapidly enumerate secrets and credentials stored on infected systems.

Researchers also observed persistence mechanisms targeting developer tooling directories such as .vscode and AI coding assistant configurations.

One reported wave allegedly modified .claude/settings.json files to maintain persistence within AI-assisted development environments, expanding the attack surface into emerging developer tooling ecosystems.

BreachNews previously covered related exposure involving Anthropic development tooling in the Claude Code source exposure incident.

Attack spread through ecosystem trust relationships

Unlike traditional worms that spread through network exploitation, Mini Shai-Hulud allegedly propagated through software publishing trust relationships and automated release systems.

Researchers said compromised environments could search for valid npm tokens, enumerate associated repositories, and automatically publish malicious package versions into additional maintainer ecosystems.

Public reporting identified approximately 169 affected packages across the latest wave, though estimates vary depending on methodology and campaign scope.

Several compromised packages reportedly sat deep inside enterprise dependency chains with millions of weekly downloads, significantly increasing downstream exposure risk.

TanStack React Router alone reportedly accounts for more than 12 million weekly downloads, meaning even short-lived malicious releases could potentially impact large numbers of enterprise development environments.

Security researchers warned that organizations relying exclusively on provenance validation and trusted publishing protections may have falsely assumed the malicious packages were safe because the builds originated from legitimate CI/CD pipelines.

Researchers warn supply-chain trust models are breaking down

The campaign is increasingly being viewed as a major warning sign for modern software supply-chain security models.

Security experts say the incident demonstrates that provenance validation alone cannot guarantee software integrity if attackers compromise the trusted build environment itself.

Researchers are advising organizations to immediately rotate credentials exposed to affected environments, audit GitHub Actions workflows, revoke compromised OIDC trust relationships, and temporarily slow automated dependency adoption until impacted packages are fully identified.

Additional recommendations include reducing GitHub Actions token scopes, isolating CI runners, pinning actions to immutable SHAs, and monitoring for anomalous publishing behavior even when packages carry valid signatures.
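The workflow-audit recommendations above can be turned into a quick check. This is an added example, not code from the researchers' reports: a stdlib-only Python heuristic that flags pull_request_target triggers, actions not pinned to a full commit SHA, and workflows without a permissions block. The function names and the sample workflow are constructed for illustration.

```python
import re
from pathlib import Path

# "uses: owner/repo[/path]@ref"; local (./) and docker:// references are skipped.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # immutable full-length commit SHA

def audit_workflow(text):
    """Return (line_no, finding) tuples for one workflow file's text."""
    findings = []
    has_permissions = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*", "", raw)  # drop YAML comments (heuristic)
        if re.search(r"\bpull_request_target\b", line):
            findings.append((no, "pull_request_target: runs in base-repo context with secrets"))
        if re.match(r"^\s*permissions\s*:", line):
            has_permissions = True
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1)
            if not SHA_RE.match(ref.partition("@")[2]):
                findings.append((no, f"action not pinned to a commit SHA: {ref}"))
    if not has_permissions:
        # Line 0 marks a file-level finding.
        findings.append((0, "no permissions block: GITHUB_TOKEN gets the repository default scope"))
    return findings

def audit_repo(root="."):
    """Audit every file under .github/workflows of a checked-out repository."""
    workflows = sorted(Path(root, ".github", "workflows").glob("*.y*ml"))
    return {str(p): audit_workflow(p.read_text(encoding="utf-8")) for p in workflows}

# Constructed sample workflow (not taken from any affected project).
SAMPLE = """\
name: release
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

The scan is line-based rather than a YAML parse, so treat a finding as a prompt for manual review of that workflow, not as proof of exposure.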

The full downstream impact of the campaign remains unclear, and widespread enterprise compromise tied to the malicious packages has not yet been publicly confirmed.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
