Mini Shai-Hulud: TanStack, OpenAI, and the npm Supply Chain Trap

The self-propagating worm once again rode through trusted packages and pipelines.
By Lavinia Prejban, Product Marketing Specialist

The latest supply chain campaign didn't just compromise open-source registries. It hijacked the release pipeline inside one of the most security-conscious organizations in the world, and the entry point was a routine npm dependency install.

On May 11, 2026, threat group TeamPCP executed the fourth wave of its Shai-Hulud worm campaign, now tracked as Mini Shai-Hulud. The attack compromised 84 malicious package versions across 42 TanStack packages in the npm registry in a six-minute window, eventually expanding to more than 170 packages across npm and PyPI (Python Package Index) source code registries, including namespaces belonging to Mistral AI, UiPath, and OpenSearch. At least one affected package, @tanstack/react-router, receives approximately 12 million weekly downloads.

This is the fourth wave in an escalating campaign. Prior waves include the initial npm compromise (Shai-Hulud 1.0) and the 2.0 wave targeting GitHub credentials.

OpenAI disclosed this week that two employee devices were compromised. No user data, production systems, or IP were impacted, but containment required isolating systems, rotating credentials, engaging external forensics, and a full rotation of code-signing certificates across macOS, Windows, iOS, and Android triggered by a single dependency install.

Mini Shai-Hulud Wave Four: Quick Facts

  • Attack date: May 11, 2026
  • Packages compromised: 84 malicious versions across 42 @tanstack/* packages; 170+ total across npm and PyPI registries
  • CVE: CVE-2026-45321, CVSS score 9.6 (Critical)
  • Attribution: TeamPCP (also tracked as PCPcat, UNC6780)
  • Mechanism: Three chained GitHub Actions vulnerabilities - Pwn Request, cache poisoning, OIDC (OpenID Connect) token extraction from runner process memory
  • Notable victim: OpenAI - two employee devices compromised; exposed secrets including code-signing certificates for macOS, iOS, Windows, and Android exfiltrated from internal source code repositories
  • Prior waves: Shai-Hulud 1.0 (September 2025), 2.0 (November 2025), and 3.0 (December 2025)
  • Impact: Compromised dev and CI/CD environments, maintainer accounts and packages taken over, and SLSA provenance and signed builds no longer “safe by default”
  • Key risks: Malicious packages that pass SLSA (Supply-chain Levels for Software Artifacts) Build Level 3 provenance attestation

How the Attack Worked

Mini Shai-Hulud Wave Four is the most technically sophisticated iteration of this campaign to date. Where prior waves relied on compromised maintainer accounts to publish malicious packages directly, Wave Four chained three GitHub Actions vulnerabilities to hijack the legitimate release pipeline itself.

The attack sequence:

  1. Fork and disguise: The attacker forked the TanStack/router repository and renamed it to zblgg/configuration so it would not appear as an obvious fork in GitHub's fork list views.
  2. Trigger the workflow: A pull request was opened that triggered a pull_request_target workflow, the "Pwn Request" pattern, in which a privileged workflow runs against code supplied by a fork.
  3. Poison the cache: The attacker's fork code wrote a poisoned 1.1 GB pnpm-store entry into the GitHub Actions cache, keyed so that the release workflow would later restore it.
  4. Hide the tracks: The malicious pull request was then force-pushed to a no-operation state and closed to obscure evidence of the compromise.
  5. Wait for the trigger: When legitimate TanStack maintainers merged unrelated pull requests to main, the release workflow ran and restored the poisoned cache.
  6. Steal the token: Attacker-controlled binaries read /proc/<pid>/mem of the Runner.Worker process to extract the OIDC token minted for npm trusted publishing.
  7. Publish through the pipeline: Those tokens were used to publish 84 malicious package versions to the npm registry through TanStack's own legitimate release pipeline.
  8. The result: packages carrying valid SLSA Build Level 3 provenance attestations, valid Sigstore attestations, and legitimate GitHub Actions signatures, produced by the legitimate release pipeline and containing credential-stealing malware. As TanStack confirmed in its postmortem, from a developer's perspective the packages appeared cryptographically authentic, with no visible indication of compromise.
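The chain above depends on a workflow that runs fork-supplied code in a privileged context and lets it write a dependency cache the release job later restores. The following Python is an added example, not TanStack's workflow or code: it scans a workflow definition for that combination using regex heuristics, and the workflow text it checks is constructed for illustration.

```python
import re

# Constructed sample workflow (not TanStack's real one). It combines the three
# ingredients the article describes: a pull_request_target trigger, a checkout
# of the fork's head commit, and a writable pnpm store cache.
RISKY_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: pnpm/action-setup@v4
      - uses: actions/cache@v4
        with:
          path: ~/.pnpm-store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install
"""

# Hardened variant: the unprivileged pull_request trigger runs fork code
# without the base repository's secrets or write-scoped token.
HARDENED_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target", "pull_request")


def workflow_findings(text):
    """Return the risk indicators present in a GitHub Actions workflow text."""
    findings = []
    if not re.search(r"^\s*pull_request_target\s*:", text, re.M):
        return findings  # unprivileged trigger: fork code gets no secrets
    findings.append("pull_request_target trigger runs with base-repo secrets")
    if re.search(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)", text):
        findings.append("checks out untrusted fork head under pull_request_target (Pwn Request)")
    if re.search(r"uses:\s*actions/cache@", text) or re.search(r"cache:\s*pnpm", text):
        findings.append("writable dependency cache reachable from fork code (cache poisoning)")
    if re.search(r"run:\s*(pnpm|npm|yarn)\s+install", text):
        findings.append("package install runs lifecycle scripts from fork-controlled manifests")
    return findings
```

Run it over every file under .github/workflows as a pre-merge check; any finding on a privileged trigger deserves a manual review of what the fork can reach.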

Secrets Were Exposed: The malware payload exfiltrated exposed secrets - credentials and tokens that were actively accessible on the compromised systems - via three redundant channels: a typosquat domain (git-tanstack[.]com), the decentralized Session messenger network, and GitHub API dead drops using stolen tokens. Targeted credentials included GitHub tokens, cloud secrets from AWS, GCP, and Azure, CI/CD authentication material, Kubernetes credentials, HashiCorp Vault tokens, and SSH keys.

On developer machines, the malware installed a persistent gh-token-monitor daemon (via a macOS LaunchAgent or a Linux systemd unit) that polled GitHub every 60 seconds. On receiving an HTTP 40X error indicating the token had been revoked, the daemon attempted to run rm -rf ~/, wiping the user's home directory. The daemon exited automatically after 24 hours.

OpenAI’s Impact and What It Tells Us

OpenAI's disclosure is precise about what was exfiltrated: limited credential material from a subset of internal source code repositories accessible to the two compromised employees, including code-signing certificates for macOS, iOS, Windows, and Android products. OpenAI confirmed it found no evidence those certificates were used to sign malicious software, but is rotating all of them as a precaution and requiring macOS users to update their applications before June 12, 2026, after which apps signed with the old certificates may stop functioning.

There is a second detail in OpenAI's disclosure that deserves attention. The two compromised devices had not yet received updated package management configurations, including controls like minimum release age checks and package provenance validation, that were being rolled out across the organization's environment. The attack landed during that rollout window.

This describes a real and common gap. Security controls are deployed incrementally. During any phased rollout, a subset of systems carries greater exposure. TeamPCP's campaign ran continuously across weeks, publishing malicious packages into registries and waiting for them to be installed. The timing was not coincidental.
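The minimum-release-age control mentioned above, shown as an added example that is not OpenAI's or OPSWAT's code: it reads the per-version publish timestamps an npm packument carries in its `time` map, refuses versions younger than an assumed 7-day quarantine, picks the newest version that has aged past it, and flags runs of versions published minutes apart. The packument and the 7-day policy value are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed packument fragment (not real @tanstack registry data); npm
# packuments carry per-version publish timestamps in the "time" map.
PACKUMENT = {
    "name": "@example/router",
    "time": {
        "created": "2025-01-10T08:00:00Z",
        "modified": "2026-05-11T16:05:58Z",
        "1.129.0": "2026-04-20T14:02:11Z",
        "1.130.0": "2026-05-06T09:15:40Z",
        "1.130.1": "2026-05-11T16:01:02Z",  # three versions in under five minutes
        "1.130.2": "2026-05-11T16:03:27Z",
        "1.130.3": "2026-05-11T16:05:58Z",
    },
}


def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_times(packument):
    """Publish time per version, dropping the non-version created/modified keys."""
    return {v: parse_time(t) for v, t in packument["time"].items()
            if v not in ("created", "modified")}


def is_old_enough(packument, version, now, min_age=timedelta(days=7)):
    """Minimum-release-age gate: refuse versions published less than min_age ago.
    The 7-day default is an assumed policy value, not one stated in the article."""
    return now - version_times(packument)[version] >= min_age


def newest_allowed(packument, now, min_age=timedelta(days=7)):
    """Newest version that has aged past the quarantine window, or None."""
    ok = {v: t for v, t in version_times(packument).items() if now - t >= min_age}
    return max(ok, key=ok.get) if ok else None


def publish_bursts(packument, window=timedelta(minutes=10), min_count=3):
    """Versions in the first run of >= min_count publishes inside one window,
    the rapid multi-version publish pattern the article describes."""
    times = sorted(version_times(packument).items(), key=lambda kv: kv[1])
    for i, (_, start) in enumerate(times):
        j = i
        while j + 1 < len(times) and times[j + 1][1] - start <= window:
            j += 1
        if j - i + 1 >= min_count:
            return [v for v, _ in times[i:j + 1]]
    return []
```

On the attack day itself the gate resolves to the month-old 1.129.0, while the burst detector surfaces the three same-day versions for review.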

Verify Your Software Components to Prevent Supply Chain Attacks

MetaDefender Software Supply Chain™ solution is designed to help organizations inspect actual artifacts, packages, and binaries entering the SDLC (Software Development Lifecycle), including packages that carry valid signatures or provenance attestations, providing software visibility across the pipeline at the point packages are consumed.

Three capabilities within MetaDefender Software Supply Chain solution directly address the gaps this attack exploited:

Metascan™ Multiscanning: combines more than 30 commercial anti-malware engines to scan packages from source code registries including npm and PyPI before they reach developer workstations or CI/CD pipelines. Where a single detection engine may not flag a newly published variant, the combined detection surface reduces the window during which a malicious package can execute without detection.

SBOM (Software Bill of Materials) generation: provides visibility into software components across a stack, direct and transitive dependencies, version history, and registry metadata, with support for more than ten programming languages. SBOM helps make unexpected package changes visible before they propagate downstream, and exports in CycloneDX and SPDX formats to support compliance with regulatory requirements including DORA (Digital Operational Resilience Act).

Proactive DLP™: scans source code for hardcoded secrets - passwords, API keys, tokens, and credentials embedded in code before they have been exposed to attackers. This is distinct from credential exfiltration response: Proactive DLP™ technology addresses the risk that secrets left inside source code or configuration files become accessible when a repository is compromised, as occurred in the OpenAI incident.

MetaDefender Software Supply Chain integrates natively with GitHub, GitLab, Azure DevOps, and Nexus, placing inspection inside the pipeline rather than alongside it. A recent release, version 3.3.0, adds support for secure artifact transfer across isolated environments via one-way data transfer using data diode technology, allowing organizations in air-gapped or high-security environments to validate artifacts before they cross network boundaries, with an available activation process that fits into existing DevSecOps workflows.

Key Takeaways

Provenance attestation indicates origin, not integrity
Wave Four produced validly attested malicious packages because the release pipeline itself was compromised. Signature and provenance checks are a useful signal, not a guarantee of safe content.

The deployment window is an exposure window
OpenAI's incident occurred during a phased rollout of new supply chain controls. Every organization has analogous gaps during control deployment. Content-level inspection at each stage helps reduce dependence on policy coverage being complete before an attack arrives.

This campaign is ongoing
Mini Shai-Hulud is the fourth wave of a campaign that has systematically escalated in technical sophistication since September 2025. Treating any individual incident as resolved without addressing underlying pipeline vulnerabilities leaves organizations exposed to the next iteration.

Combining SBOM visibility, malware multiscanning, and hardcoded secrets detection helps reduce the exposure surface across modern software development environments. Trust no file. Trust no device.

