Mini Shai-Hulud: the campaign that exposes the fragility of the open source supply chain in npm, PyPI and GitHub Actions

Published · 4 min read

The campaign known as Mini Shai-Hulud, attributed to the actor TeamPCP, once again highlights the fragility of the open source supply chain: legitimate npm and PyPI packages used by projects such as TanStack, Mistral AI, OpenSearch and Guardrails AI were altered to include a malicious loader that not only steals credentials but also attempts to persist and spread as a true worm across the package ecosystem and CI/CD.

What is most worrying about this incident is the level of technical and tactical sophistication. The attackers used an obfuscated JavaScript file ("router_init.js") to profile environments and launch a credential stealer capable of extracting secrets from cloud providers, cryptocurrency wallets, AI tools, messaging and CI systems such as GitHub Actions. In addition, to evade corporate filtering, they exfiltrated data to infrastructure based on Session Protocol (domain filev2.getsession[.]org) and, as a fallback, uploaded it to GitHub repositories using stolen tokens under the identity "claude@users.noreply.github.com".

Image generated with AI.

The technical entry vector was a chain of compromises in GitHub Actions: use of the pull_request_target trigger, poisoning of the Actions cache and runtime extraction of OIDC tokens from the runner process. This allowed the attackers to publish malicious packages through the legitimate project pipeline with valid SLSA provenance, a rare and dangerous escalation that attacks precisely the trust that SLSA seeks to guarantee. More information on hardening GitHub Actions is available in the official documentation: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions, and on SLSA at https://slsa.dev/.

The worm also demonstrated self-replication capability: it located npm publish tokens carrying the bypass_2fa=true flag, enumerated packages by the same maintainers and exchanged OIDC tokens for per-package tokens to sidestep traditional authentication. The result was the creation and spread of malicious versions with SLSA Build Level 3 provenance that appeared legitimate. The incident has been assigned the identifier CVE-2026-45321 and a critical CVSS score of 9.6, affecting dozens of packages and versions.

The detected samples include extreme behaviours and geofencing: Microsoft's analysis of the Mistral sample describes a downloader that avoids Russian-language environments and contains a destructive branch likely to run "rm -rf /" in certain countries, while the compromised Guardrails AI package ran code at import time that downloaded and executed a remote artifact without any integrity check. This illustrates not just the loss of secrets but the real risk of irreversible damage to production systems.

For maintainers of affected or at-risk projects, the response must be immediate and multifaceted: revoke and rotate all publish and OIDC tokens, audit GitHub Actions logs for forks carrying payloads, suspicious commits and suspicious account usage (e.g. "claude@users.noreply.github.com"), revoke credentials with bypass_2fa, and disable or restrict the use of pull_request_target in workflows that perform sensitive operations. It is crucial to verify published artifacts and the supply chain: rebuild, sign and verify hashes and package signatures before accepting them into production.

Security teams at consumer organisations should identify and mitigate compromises arriving through dependencies: audit transitive dependencies, block compromised versions in package managers (npm and PyPI), scan development environments and CI for processes that connect to suspicious domains such as filev2.getsession[.]org, api.masscan[.]cloud or git-tanstack.com, and review developer machines and CI runners for persistence in IDEs (VS Code and Claude Code extensions/integrations) and services such as gh-token-monitor.
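As an added example (not code from the article or from any of the affected projects), the following Python scans constructed proxy log lines and `git log` author lines for the indicators the article names above: the three exfiltration/C2 domains and the stolen-token commit identity. The log line format, the sample lines and the commit hashes are assumptions; adapt the regex to your own proxy or DNS log format.

```python
import re

# Indicators quoted in the article, kept in the defanged form as published.
IOC_DOMAINS_DEFANGED = ["filev2.getsession[.]org", "api.masscan[.]cloud", "git-tanstack.com"]
SUSPICIOUS_AUTHOR = "claude@users.noreply.github.com"


def refang(domain):
    """Turn the defanged 'a[.]b' notation back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]


def host_matches_ioc(host):
    """Return the matching IoC if host is that domain or one of its subdomains, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Assumed (constructed) log shape: "<timestamp> <src-ip> <verb> <host>[:<port>] <status>".
PROXY_LINE = re.compile(r"^\S+ \S+ \S+ (?P<host>[A-Za-z0-9.-]+)(?::\d+)?")


def scan_proxy_log(lines):
    """Return (line, matched_ioc) pairs for every connection to an IoC domain or subdomain."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if m:
            ioc = host_matches_ioc(m.group("host"))
            if ioc:
                hits.append((line, ioc))
    return hits


def scan_git_authors(lines):
    """Given 'git log --format=%H %ae' output lines, return hashes authored by the stolen-token identity."""
    return [l.split()[0] for l in lines if l.split()[-1].lower() == SUSPICIOUS_AUTHOR]


SAMPLE_PROXY = [  # constructed sample lines, not real traffic
    "2026-04-01T10:00:01Z 10.0.0.5 CONNECT registry.npmjs.org:443 200",
    "2026-04-01T10:00:02Z 10.0.0.5 CONNECT filev2.getsession.org:443 200",
    "2026-04-01T10:00:03Z 10.0.0.7 GET api.masscan.cloud:80 200",
    "2026-04-01T10:00:04Z 10.0.0.7 CONNECT cdn.git-tanstack.com:443 200",
    "2026-04-01T10:00:05Z 10.0.0.9 CONNECT github.com:443 200",
]
SAMPLE_GIT = ["a1b2c3 dev@example.com", "d4e5f6 claude@users.noreply.github.com"]  # constructed

if __name__ == "__main__":
    for line, ioc in scan_proxy_log(SAMPLE_PROXY):
        print(f"IoC {ioc}: {line}")
    print("suspicious commits:", scan_git_authors(SAMPLE_GIT))
```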

Image generated with AI.

There are broader strategic implications: the campaign shows how trust in build pipelines can be manipulated if legitimate workflows and OIDC tokens are exposed, so organisations should apply the principle of least privilege to CI identities, adopt short-lived tokens, enable conditional access policies and review the trust model for external forks and Actions caches. Operational and defensive recommendations can be found in the GitHub Actions hardening guide mentioned above.

From a legal and governance perspective, maintainers should coordinate responsible disclosure with the package registries (npm/PyPI), GitHub and, where appropriate, regulatory authorities. Consumers should follow project instructions and security advisories to update or withdraw affected versions, and preserve operational evidence before cleaning up compromised environments.

In short, this incident is not just another malicious package: it is a warning about how the combination of CI automation, high-privilege tokens and trust mechanisms can be exploited to introduce malware that spreads and persists. Mitigation requires technical changes (credential rotation, workflow restrictions, permission reviews), operational changes (continuous audits, exfiltration detection) and cultural changes (less implicit trust in automation). Acting quickly and coordinating with vendors and the community is the only way to limit the scope and prevent similar campaigns in the future.
