Mini Shai-Hulud: The Worm Returns and Goes Public
The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man switch that wipes the victim's home directory if access tokens are revoked.
Authors: Akamai Security Intelligence Group
Source: Akamai
- domain: git-tanstack[.]com - Primary C2 server domain used by the Mini Shai-Hulud worm for exfiltrating encrypted credentials.
- filename: .claude/setup.mjs - Malicious script dropped to establish persistence via Claude Code session hooks.
- filename: .vscode/setup.mjs - Malicious script dropped to establish persistence via VS Code task automation.
- filename: packages/opensearch_init.js - Malware copy location injected into npm packages during the spreading phase.
What Happened
A hacking group known as TeamPCP launched a cyberattack against software developers using a malicious program called Mini Shai-Hulud. The attack compromised the npm software registry by exploiting a flaw in how code is tested and built, allowing the hackers to steal sensitive passwords and access tokens. This is highly dangerous because the malware includes a 'dead man switch' that deletes all files on a victim's computer if it detects its access has been cut off. Organizations should immediately check their software building environments for compromised packages and isolate affected systems.
Key Takeaways
- TeamPCP launched a new supply chain attack using the Mini Shai-Hulud worm targeting the npm ecosystem via TanStack.
- The attack leveraged a GitHub Actions CI cache-poisoning vulnerability to steal tokens from runner memory.
- The malware features a destructive dead man switch that wipes the victim's home directory if the stolen token is revoked.
- Persistence is achieved through Claude Code session hooks and VS Code task automation.
- The fully weaponized worm code was publicly released on May 12, 2026, increasing the risk of copycat attacks.
Affected Systems
- npm ecosystem
- GitHub Actions CI/CD environments
- TanStack
- Mistral AI
- UiPath
- OpenSearch
- Linux
- Windows
- macOS
Attack Chain
The attack begins with a pull request that exploits a misconfiguration in GitHub Actions CI to poison the cache. When a legitimate maintainer merges code, the poisoned cache executes, allowing the worm to scrape tokens from the runner's memory and exchange them for npm publish credentials. The malware establishes persistence via VS Code and Claude Code hooks, communicates with a C2 server to exfiltrate harvested credentials, and attempts to inject itself into other packages. If the stolen token is revoked, a dead man switch triggers a destructive wipe of the victim's home directory.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides code snippets and behavioral descriptions but does not include ready-to-use detection rules such as YARA or Sigma.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can detect the destructive 'rm -rf' command and unusual file modifications in .vscode or .claude directories, but CI/CD runner memory scraping may bypass traditional endpoint telemetry.
- Network Visibility: Medium. Network monitoring can detect traffic to the known C2 domain (git-tanstack[.]com) and anomalous GitHub API usage, though traffic is encrypted.
- Detection Difficulty: Hard. The attack leverages legitimate CI/CD workflows, abuses OIDC token exchanges, and uses valid GitHub/npm infrastructure for propagation, making it difficult to distinguish from normal developer activity.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- File Creation Logs (Sysmon Event ID 11)
- Network Connection Logs
- CI/CD Audit Logs (GitHub Actions)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected modifications or creations of .vscode/setup.mjs or .claude/setup.mjs files in developer environments, which may indicate persistence attempts. | File Creation Logs | Persistence | Low |
| If you have visibility into CI/CD pipelines, consider hunting for unauthorized cache modifications or unusual token access patterns in GitHub Actions runners. | CI/CD Audit Logs | Initial Access / Credential Access | Medium |
| Consider hunting for the execution of rm -rf ~/ originating from background daemons or Node.js processes, which may indicate the dead man switch triggering. | Process Creation Logs | Impact | Low |
| Consider hunting for automated creation of GitHub repositories containing encrypted blobs, which the malware uses as a fallback C2 mechanism. | GitHub Audit Logs | Command and Control | Medium |
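For the first hypothesis, a workstation or repository sweep for the persistence and spreading artefacts named on this page. This is an added example, not code from the Akamai article; the check that a modified tasks.json or settings.json mentions setup.mjs is an assumption about how the hook is wired.

```python
import os
import sys
from pathlib import Path

# Artefact paths listed on this page, matched on the last two path components.
IOC_TAILS = {
    (".vscode", "setup.mjs"): "VS Code persistence script",
    (".claude", "setup.mjs"): "Claude Code persistence script",
    ("packages", "opensearch_init.js"): "worm copy in npm package",
}
# Config files the page lists as modified for persistence.
CONFIG_TAILS = {(".vscode", "tasks.json"), (".claude", "settings.json")}


def references_setup(path):
    """Assumption: a tampered config names setup.mjs as its hook or task target."""
    try:
        return "setup.mjs" in path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False  # unreadable file: nothing to report


def sweep(root):
    """Return sorted (relative_path, reason) findings below root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip VCS internals; node_modules stays in scope on purpose.
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = Path(dirpath) / name
            tail = tuple(path.parts[-2:])
            rel = path.relative_to(root).as_posix()
            if tail in IOC_TAILS:
                findings.append((rel, IOC_TAILS[tail]))
            elif tail in CONFIG_TAILS and references_setup(path):
                findings.append((rel, "config references setup.mjs"))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}\t{reason}")
```

Run it against a home directory or a checkout root; a hit on a host should be handled before token rotation, given the dead man switch described above.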
Control Gaps
- CI/CD pipeline cache isolation
- Token scope restriction in GitHub Actions
- Developer workstation EDR coverage for Node.js spawned shells
Key Behavioral Indicators
- Node.js processes reading multiple sensitive credential files in rapid succession
- Creation of opensearch_init.js in package directories
- Node.js processes executing 'rm -rf'
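Detection logic for the 'rm -rf' indicator, run over constructed process-creation events (an added example, not from the Akamai article; the events use Sysmon Event ID 1 field names and the values are invented). It matches both the unexpanded `~/` seen on the shell's command line and the expanded home path seen on the `rm` process, because the shell performs tilde expansion before `rm` starts.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/bin/node", "CommandLine": "/bin/sh -c rm -rf ~/"},
    {"ParentImage": "/usr/bin/dash", "CommandLine": "rm -rf /home/alice/"},
    {"ParentImage": "/usr/bin/node",
     "CommandLine": "rm -rf /home/alice/app/node_modules"},
    {"ParentImage": "/usr/bin/bash", "CommandLine": "rm -rf ./dist"},
]

# A home directory root: unexpanded (~, $HOME) or already expanded by the shell.
HOME_ROOT = re.compile(r"^(?:~|\$HOME|\$\{HOME\}|/(?:home|Users)/[^/]+|/root)/?$")


def is_home_wipe(cmdline):
    """True when an rm invocation recursively targets a home directory root."""
    tokens = cmdline.replace('"', " ").replace("'", " ").split()
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] != "rm":
            continue
        args = tokens[i + 1:]
        short = "".join(a[1:] for a in args if re.match(r"^-[A-Za-z]+$", a))
        recursive = "r" in short or "R" in short or "--recursive" in args
        targets = [a for a in args if not a.startswith("-")]
        if recursive and any(HOME_ROOT.match(t) for t in targets):
            return True
    return False


def hunt(events):
    """Return (command line, triage label) for each suspected home wipe."""
    hits = []
    for ev in events:
        if is_home_wipe(ev["CommandLine"]):
            parent = ev["ParentImage"].rsplit("/", 1)[-1]
            label = "node-parent" if parent == "node" else "walk-ancestry"
            hits.append((ev["CommandLine"], label))
    return hits


if __name__ == "__main__":
    for cmd, label in hunt(SAMPLE_EVENTS):
        print(label, cmd)
```

Events labelled walk-ancestry have a shell as direct parent, so the Node.js origin only shows up one level higher in the process tree.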
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and downgrade any infected npm packages (such as those in the TanStack dependency tree) to known safe versions.
- Audit GitHub Actions workflows for pull request misconfigurations that allow write access to base repository caches.
- Rotate all potentially exposed credentials, including npm tokens, AWS keys, and Kubernetes secrets, but be prepared for the dead man switch activation on infected hosts.
Infrastructure Hardening
- Evaluate whether network segmentation can be applied to CI/CD runners to limit their access to internal networks and sensitive endpoints.
- Consider enforcing strict least-privilege access for GitHub Actions tokens and restricting OIDC token exchange permissions.
- Implement cache isolation in CI/CD pipelines to prevent cross-branch or fork-based cache poisoning.
User Protection
- If supported by your tooling, monitor developer workstations for unauthorized modifications to IDE configuration files (e.g., VS Code, Claude Code).
- Consider implementing endpoint protection rules to block or alert on destructive commands like 'rm -rf ~/' executed by non-interactive processes.
Security Awareness
- Educate developers on the risks of supply chain attacks and the importance of verifying the integrity of third-party dependencies.
- Train engineering teams on secure CI/CD practices, specifically regarding the handling of untrusted code in pull requests.
MITRE ATT&CK Mapping
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1552.004 - Unsecured Credentials: Private Keys
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1485 - Data Destruction
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1071.001 - Application Layer Protocol: Web Protocols
- T1505 - Server Software Component
Additional IOCs
- Domains:
  - git-tanstack[.]com - Primary C2 server domain
- File Paths:
  - packages/opensearch_init.js - Malware copy location for npm packages
  - .claude/settings.json - Modified configuration file for Claude Code persistence
  - .claude/setup.mjs - Persistence script for Claude Code
  - .vscode/tasks.json - Modified configuration file for VS Code persistence
  - .vscode/setup.mjs - Persistence script for VS Code
- Command Lines:
  - Purpose: Dead man switch payload designed to wipe the victim's home directory if the stolen token is revoked. | Tools: rm | Stage: Impact/Destruction | rm -rf ~/