Shai-Hulud Supply-Chain Attack Compromises TanStack and Mistral AI npm/PyPI Packages

by priyanka.patel tech editor

For most developers, the “green checkmark” of a verified build is the ultimate signal of trust. When a package carries a SLSA Build Level 3 attestation, it means the software has a verifiable provenance—a digital paper trail proving it was built on a secure platform and hasn’t been tampered with. It is the gold standard of supply-chain security.

But a sophisticated new campaign known as Shai-Hulud has turned that trust into a liability. By hijacking the very infrastructure used to sign these packages, a threat group identified as TeamPCP has managed to distribute credential-stealing malware that appears, for all intents and purposes, to be cryptographically authentic.

The attack has hit hundreds of packages across the Node Package Manager (npm) and the Python Package Index (PyPI), striking high-profile projects including TanStack and Mistral AI. Because the malicious versions were published through legitimate CI/CD pipelines, they carried valid signatures and Sigstore attestations, leaving developers with no immediate red flags to warn them that their environments were being compromised.

As a former software engineer, I find the most unsettling part of this campaign isn’t just the theft of secrets, but the precision of the execution. This wasn’t a simple case of password guessing or a leaked API key; it was a calculated exploitation of the modern DevOps pipeline, turning the tools designed to secure software into delivery mechanisms for malware.

The Anatomy of a Trusted Breach

The breach of the TanStack ecosystem provides a blueprint for how TeamPCP operated. According to a post-mortem report from TanStack, the attackers didn’t just find one hole; they chained three separate vulnerabilities to gain control of the release process. The sequence began with a risky pull_request_target workflow, which allowed the attackers to trigger actions in the main repository from a fork.

From there, the group utilized GitHub Actions cache poisoning to inject malicious code into the build environment. The final blow was the theft of OpenID Connect (OIDC) tokens directly from the runner’s memory. These tokens gave the attackers the authority to publish new package versions that the npm signing infrastructure recognized as legitimate.

One of the more subtle tricks involved the use of “orphaned commits.” Endor Labs discovered that attackers pushed a commit to a fork of the TanStack/router repository that didn’t belong to any specific branch. However, because of how GitHub handles shared fork object storage, the commit remained accessible. By referencing this orphaned commit via a malicious optional dependency, the attackers forced npm to fetch and execute their code during the installation process.

Attack Phase    | Method Used                     | Outcome
----------------|---------------------------------|----------------------------------------
Initial Access  | pull_request_target workflow    | Triggered unauthorized GitHub Actions
Escalation      | Cache poisoning and OIDC theft  | Gained legitimate publishing authority
Distribution    | SLSA Level 3 attestations       | Malicious packages appeared authentic
Execution       | Orphaned Git commits            | Automatic payload execution on install
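The first link in that chain is something a repository owner can check for before an attacker does. The following heuristic is an added example for this article, not tooling from TanStack or any vendor named here; it flags a workflow that combines a pull_request_target trigger (which runs with the base repository's secrets and write-capable token) with checking out or installing the pull request head, the pattern that lets a fork control a privileged job. It is a line-based check on the workflow text, not a YAML parser, and the sample workflows are constructed.

```python
import re

# Heuristic line-based check, not a YAML parser (assumed approach, not TanStack's own tooling).
# It flags the pattern the article describes: a pull_request_target trigger, which runs with the
# base repository's secrets and write-capable token, combined with checking out or installing
# the pull request head, so a fork author controls what that privileged job executes.
PRT_TRIGGER = re.compile(r"^\s*(?:on:\s*(?:\[[^\]]*)?|-\s*)?pull_request_target\b", re.M)
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
PKG_INSTALL = re.compile(r"^\s*(?:-\s*)?(?:run:\s*)?(?:npm|pnpm|yarn)\s+(?:ci|install|i)\b", re.M)


def assess_workflow(yaml_text: str) -> list:
    """Return the reasons a workflow matches the risky pull_request_target pattern (empty if none)."""
    reasons = []
    if not PRT_TRIGGER.search(yaml_text):
        return reasons  # plain pull_request runs fork code with a read-only token and no secrets
    if PR_HEAD_REF.search(yaml_text):
        reasons.append("checks out the pull request head inside a pull_request_target job")
    if PKG_INSTALL.search(yaml_text):
        reasons.append("runs a package install, so lifecycle scripts from the checked-out tree execute")
    return reasons


# Constructed sample workflows (not from the TanStack repository).
RISKY_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
"""

# Same job on the ordinary pull_request event: fork code runs without base-repo secrets.
SAFE_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target:", "pull_request:")

if __name__ == "__main__":
    for name, text in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, assess_workflow(text) or ["no risky pull_request_target pattern"])
```

Run it against every file under .github/workflows; a non-empty result means the job should either drop the head checkout or move to the plain pull_request event.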

Beyond Theft: Geofencing and Sabotage

The primary goal of the Shai-Hulud campaign is the mass exfiltration of developer secrets. The malware is designed to scour a system for everything that grants access to a cloud environment: GitHub Personal Access Tokens (PATs), AWS IAM credentials, Kubernetes service account tokens, HashiCorp Vault tokens, and .env files. It even targets modern AI tooling, specifically seeking out Claude Code configurations and VS Code tasks.

To avoid detection by network security monitors, the malware exfiltrates this data using the Session P2P network. By masking the theft as encrypted messenger traffic, the attackers make it significantly harder for corporate firewalls to flag the activity as a data breach.

However, analysis by Microsoft Threat Intelligence reveals a more sinister side to the payload delivered via compromised Mistral AI packages on PyPI. The malware, disguised as transformers.pyz to impersonate the popular Hugging Face library, includes specific geofencing logic. It is programmed to remain dormant if it detects Russian language settings on the host machine.

More alarmingly, the malware contains a probabilistic sabotage routine targeting users in Israel and Iran. In these regions, there is a one-in-six chance that the malware will execute a recursive wipe command (rm -rf /), effectively destroying the host system. This shift from espionage to active destruction suggests that TeamPCP’s motivations may extend beyond financial gain into the realm of geopolitical conflict.

Persistence and the “Ghost” in the IDE

One of the most challenging aspects of the Shai-Hulud infection is its persistence. Standard remediation—such as uninstalling the compromised npm package—is insufficient. The malware writes itself into Claude Code hooks and VS Code auto-run tasks, ensuring that it remains active on the developer’s machine even after the offending library is removed.

The scale of the impact is vast. While numbers vary across security vendors, the consensus points to a widespread infection: Endor Labs reported over 160 compromised packages on npm, while Socket tracked up to 416 artifacts across both npm and PyPI. The campaign has expanded beyond TanStack and Mistral AI to include projects like Guardrails AI, UiPath, OpenSearch, the Bitwarden CLI, and official SAP packages.

How to Secure Your Environment

For developers and security teams, the lesson here is that cryptographic signatures are not a substitute for behavioral analysis. Snyk researchers emphasize that because the attack produces valid SLSA attestations, teams must implement a layer of behavioral monitoring at install time to catch anomalous activity.

If you have used TanStack or Mistral AI packages recently, security experts recommend the following immediate actions:

  • Rotate All Credentials: Assume any GitHub, npm, AWS, or Vault tokens stored on the machine are compromised.
  • Audit IDE Directories: Manually check for surviving malicious files, such as router_runtime.js or setup.mjs, in your VS Code and Claude Code directories.
  • Block C2 Infrastructure: Block api.masscan.cloud, git-tanstack.com, and *.getsession.org at the DNS or proxy level.
  • Enforce Lockfiles: Use lockfile-only installs (e.g., npm ci instead of npm install) to prevent the silent update of packages to malicious versions.
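The IDE audit above is the step most teams have no tooling for, since the persistence lives in editor configuration rather than in node_modules. This added example (not a script from the vendors quoted in the article) parses a VS Code tasks.json and a Claude Code settings.json and reports tasks that auto-run on folder open, every registered hook command, and any command referencing the two filenames the article names. The file layouts assumed are the standard .vscode/tasks.json format and the hooks section of ~/.claude/settings.json; the sample documents are constructed.

```python
import json

# Filenames the article names as artifacts that survive uninstalling the npm package.
SUSPECT_FILES = ("router_runtime.js", "setup.mjs")


def _mentions_suspect(command: str) -> bool:
    return any(name in command for name in SUSPECT_FILES)


def audit_vscode_tasks(tasks_json: str) -> list:
    """Flag tasks that run on folder open or reference the known filenames."""
    # Assumes the standard layout: {"version": "2.0.0", "tasks": [...]}, with auto-run
    # expressed as "runOptions": {"runOn": "folderOpen"}.
    findings = []
    for task in json.loads(tasks_json).get("tasks", []):
        command = " ".join(str(part) for part in [task.get("command", ""), *task.get("args", [])])
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        if auto_run or _mentions_suspect(command):
            findings.append(("vscode", task.get("label", "<unlabeled>"), command, _mentions_suspect(command)))
    return findings


def audit_claude_hooks(settings_json: str) -> list:
    """Report every shell command registered as a Claude Code hook; last field marks known filenames."""
    # Assumes the hooks layout of ~/.claude/settings.json:
    # {"hooks": {"<Event>": [{"matcher": "...", "hooks": [{"type": "command", "command": "..."}]}]}}
    # Every entry is reported: a developer who never added hooks should treat any as suspect.
    findings = []
    for event, groups in json.loads(settings_json).get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                command = str(hook.get("command", ""))
                findings.append(("claude", event, command, _mentions_suspect(command)))
    return findings


# Constructed sample files (not captured from a real infection).
SAMPLE_TASKS = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "runtime", "type": "shell", "command": "node", "args": [".vscode/router_runtime.js"],
     "runOptions": {"runOn": "folderOpen"}},
]})
SAMPLE_SETTINGS = json.dumps({"hooks": {"SessionStart": [
    {"matcher": "", "hooks": [{"type": "command", "command": "node ~/.claude/setup.mjs"}]},
]}})

if __name__ == "__main__":
    for finding in audit_vscode_tasks(SAMPLE_TASKS) + audit_claude_hooks(SAMPLE_SETTINGS):
        print(*finding)
```

Feed it the real files with open(path).read(); a clean machine yields no vscode findings and only the hooks the developer recognises.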

The Shai-Hulud campaign highlights a critical vulnerability in the modern software supply chain: the over-reliance on automated trust. As attackers move from stealing passwords to stealing the identity of the build process itself, the industry must move toward a “zero trust” model for dependencies.

Security researchers continue to monitor the TeamPCP group for new iterations of the campaign. The next major checkpoint for the community will be the release of updated SLSA guidelines and potential changes to how GitHub Actions handles OIDC tokens to prevent memory-based theft.

Do you use these packages in your workflow? Have you noticed unusual activity in your CI/CD logs? Share your experience in the comments or reach out to our tech desk.