Shai-Hulud exposes the weakness of the npm and PyPI supply chain by stealing credentials under seemingly legitimate signatures

Published. 4 min read.

The campaign known as Shai-Hulud has hit the package ecosystem again: hundreds of npm and PyPI artifacts have been published with malicious code designed to steal credentials and spread among developer projects. The most disturbing part is not only the volume but the technique: the attackers abused legitimate OpenID Connect (OIDC) tokens to sign and publish malicious versions with valid provenance attestations (SLSA Build Level 3), which makes the compromised packages look "cryptographically authentic." To grasp the scale, it is enough to review research such as Endor Labs' and Snyk's analyses, which document hundreds of compromised versions and artifacts and explain how the attackers chained flaws in CI/CD pipelines to upload malicious packages.

The attack, attributed to the TeamPCP group, began by affecting ecosystems such as TanStack and Mistral AI and quickly spread to popular projects such as Guardrails AI, UiPath and OpenSearch, even reaching official packages such as some from SAP and the Bitwarden CLI. According to the TanStack post-mortem, the operators chained three vectors: an unsafe pull_request_target workflow, GitHub Actions cache poisoning and theft of OIDC tokens from runner memory. In addition, they abused a trick with orphaned forks to force npm to download and run attacker-controlled code through an optional dependency.

Image generated with AI.

These techniques have very clear consequences: when the CI pipeline publishes malicious packages with legitimate signatures and attestations, automatic trust in provenance is no longer sufficient. Developers who installed affected versions must assume that their secrets may have been exfiltrated. The malware sample analysed extracts tokens and credentials (GitHub OIDC tokens and PATs, npm tokens, AWS credentials, Vault secrets, Kubernetes service account tokens, SSH keys, .env files and IDE settings) by reading the memory of known processes and files on disk, and uses the Session P2P network to camouflage the exfiltration traffic, which complicates blocking and investigation.

Beyond stealing secrets, the malware persists in the development environment: it writes hooks into tools like Claude Code and auto-run tasks in VS Code, so that uninstalling the malicious package does not remove the infection. The operation is also self-propagating: with the stolen credentials it modifies tarballs, injects payloads and republishes infected versions of the packages the victim maintains.

In practical terms for teams and security officers, the initial recommendation is clear: if you installed an affected version, treat it as a credential leak. Immediately rotate all relevant tokens and secrets, including CI/CD tokens, npm tokens, cloud keys, Vault tokens and Kubernetes service account tokens, and review CI logs and configurations to detect unauthorized publications. It is essential to audit development and CI machines for persistent files or malicious hooks (e.g. files such as router_runtime.js or setup.mjs that have survived reinstalls), and to remove any IDE tasks or configuration you do not recognize.
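The audit described in the two paragraphs above, as an added example that is not code from the article or from any of the vendors it cites: it scans a directory for the persistence file names the article reports, for VS Code tasks set to run on folder open, and for workflows that combine pull_request_target with a checkout of the pull request head. The file names come from the article; the tasks.json layout is VS Code's, and the sample tree is constructed in a temporary directory.

```python
"""Added audit (not the article's code) for the persistence artifacts and CI trigger it describes."""
import json
import re
import tempfile
from pathlib import Path

SUSPECT_FILES = {"router_runtime.js", "setup.mjs"}  # names cited in the article
PR_TARGET_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def find_suspect_files(root: Path) -> list[str]:
    """Files under root whose name matches a reported persistence file."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name in SUSPECT_FILES)

def find_autorun_tasks(root: Path) -> list[str]:
    """Labels of VS Code tasks configured to run as soon as the folder opens."""
    hits = []
    for tasks in root.glob("**/.vscode/tasks.json"):
        try:
            data = json.loads(tasks.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the audit
        for task in data.get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                hits.append(task.get("label", "<unlabelled>"))
    return hits

def find_risky_workflows(root: Path) -> list[str]:
    """Workflows that pair pull_request_target with a checkout of the PR head."""
    texts = {wf.name: wf.read_text(errors="replace")
             for wf in root.glob(".github/workflows/*.y*ml")}
    return sorted(n for n, t in texts.items()
                  if PR_TARGET_RE.search(t) and PR_HEAD_RE.search(t))

def run_demo() -> dict[str, list[str]]:
    """Build a constructed sample tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    def write(rel: str, text: str) -> None:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    write("node_modules/x/setup.mjs", "// constructed sample, not real malware\n")
    write(".vscode/tasks.json", json.dumps({"tasks": [{"label": "postinstall",
          "command": "node setup.mjs", "runOptions": {"runOn": "folderOpen"}}]}))
    write(".github/workflows/ci.yml", "on:\n  pull_request_target:\nsteps:\n"
          "  - uses: actions/checkout@v4\n    with:\n"
          "      ref: ${{ github.event.pull_request.head.sha }}\n")
    return {"files": find_suspect_files(root),
            "autorun_tasks": find_autorun_tasks(root),
            "risky_workflows": find_risky_workflows(root)}
```

Point the three `find_*` functions at a real checkout or home directory instead of the constructed tree; a hit is a lead to inspect, not proof of compromise on its own.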

Image generated with AI.

At the organizational level it is appropriate to review and tighten CI/CD pipelines: avoid workflows that let an untrusted pull request run steps with publishing permissions, reduce the scope and lifetime of OIDC tokens, and use ephemeral, least-privilege credentials. It is also recommended to enforce lockfile-only installs to prevent silent automatic updates, and to complement provenance verification (SLSA) with install-time behaviour analysis and additional attestations that verify the builder identity and the workflow path, not just the artifact signature.

To mitigate similar campaigns in the future, technical and operational controls are needed: restrict runner access, wipe or protect sensitive memory after secret-handling steps, disable poisonable caches for publishing actions, use ephemeral runners and automate credential rotation after signs of exposure. At the network level, blocking the known command-and-control infrastructure associated with this campaign at the DNS/proxy level (e.g. the domains documented in the analyses) can contain the attackers' exfiltration and communications.

The security community has published lists and guides to identify affected versions and clean up environments: in addition to the research notes mentioned above, review TanStack's own advisories and the security vendors that have tracked the compromised artifacts. See TanStack's report for details of the exploited workflow and the published versions, and follow the operational recommendations for response and credential rotation. Avoiding complacency toward valid attestations and combining identity controls, dynamic analysis and good CI practice will be key to reducing the exposure window to this type of supply chain campaign.
