
TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack

A sophisticated supply-chain worm dubbed 'Mini Shai-Hulud' has compromised numerous high-profile npm and PyPI packages, including TanStack and Mistral AI. The heavily obfuscated payload targets CI/CD environments to systematically harvest credentials from GitHub, AWS, Vault, and Kubernetes. It autonomously propagates by minting npm publish tokens and committing malicious code to repositories, while exfiltrating stolen secrets via the Session P2P network.

Sens: Immediate | Conf: high | Analyzed: 2026-05-12

Authors: Socket Research Team

Actors: Mini Shai-Hulud, TeamPCP, voicproducoes

Source: Socket

IOCs · 11

Detection / Hunter

What Happened

A malicious campaign called 'Mini Shai-Hulud' has infected dozens of popular software packages, including TanStack and Mistral AI, which are downloaded millions of times a week. Developers and automated systems that download these compromised packages are at risk of having their passwords, security tokens, and cloud access keys stolen. This matters because the malware can automatically spread itself to other projects and hide its stolen data in encrypted messaging traffic. Organizations should immediately check their systems for the malicious files, rotate any potentially exposed passwords or tokens, and block the attacker's network addresses.

Key Takeaways

  • Over 84 npm packages, including highly downloaded TanStack, Mistral AI, and OpenSearch packages, were compromised in a supply-chain attack.
  • The malicious payload is a 2.3MB obfuscated worm that targets CI/CD environments to harvest credentials from GitHub Actions, AWS, HashiCorp Vault, and Kubernetes.
  • The malware autonomously propagates by stealing npm OIDC tokens to publish itself and uses GitHub GraphQL to commit malicious code to repositories.
  • Exfiltration of stolen credentials is routed through the Session decentralized P2P network to blend in with encrypted messaging traffic.
  • Persistence is achieved on developer workstations by modifying Claude Code hooks and VS Code task configurations.

Affected Systems

  • npm ecosystem
  • PyPI ecosystem
  • GitHub Actions CI environments
  • AWS (IMDS, Secrets Manager, SSM)
  • HashiCorp Vault
  • Kubernetes clusters
  • Developer workstations (VS Code, Claude Code)

Vulnerabilities (CVEs)

  • GitHub Actions pull_request_target 'Pwn Request' pattern
  • GitHub Actions cache poisoning

Attack Chain

The attack begins when a victim installs a compromised npm or PyPI package containing a malicious lifecycle hook or import execution. The payload daemonizes itself to run in the background and establishes persistence by modifying developer tool configurations like VS Code tasks and Claude Code hooks. It then profiles the environment and systematically harvests credentials from GitHub Actions, AWS metadata services, Kubernetes service accounts, and HashiCorp Vault. Finally, the malware exfiltrates the stolen secrets via the Session P2P network and uses stolen OIDC tokens to autonomously publish itself to other packages and repositories.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules (YARA, Sigma, etc.) are provided in the article, though file hashes and network IOCs are available for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can observe Node.js or Python spawning detached child processes and modifying sensitive developer configuration files (.vscode/tasks.json), but the heavy obfuscation limits static analysis.
  • Network Visibility: Medium — Traffic to the Session P2P network (filev2.getsession.org) is highly anomalous for CI/CD environments, though it mimics legitimate encrypted messaging traffic.
  • Detection Difficulty: Moderate — The malware uses heavy obfuscation and routes traffic through a decentralized network, but its behavioral footprint (accessing IMDS, writing to specific dotfiles, spawning detached processes) is distinct.

Required Log Sources

  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
  • File Modification Logs
  • DNS Query Logs
  • CloudTrail / AWS API Logs
  • GitHub Audit Logs

Hunting Hypotheses

  • Hypothesis: Node.js or Python processes spawning detached child processes with redirected standard I/O in CI environments. | Telemetry: Process creation and command-line logs | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Unexpected modifications to .claude/settings.json or .vscode/tasks.json by package managers (npm, pip, bun). | Telemetry: File integrity monitoring or EDR file modification events | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: CI/CD runners or developer workstations making DNS requests to getsession.org or establishing connections to Session P2P nodes. | Telemetry: DNS logs and network flow data | ATT&CK Stage: Exfiltration | FP Risk: Low
  • Hypothesis: Node.js or Python processes making HTTP requests to the AWS IMDSv2 endpoint (169.254.169.254) outside of expected SDK usage. | Telemetry: Network flow logs or host-based firewall logs | ATT&CK Stage: Credential Access | FP Risk: Medium
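The four hypotheses above expressed as detection logic over normalised host events. This is an added example, not detection content from the Socket article; the event schema (dicts with kind, host, image, parent_image, detached, path, query, dst_ip) and the sample telemetry are constructed assumptions that you would map your EDR or Sysmon fields onto.

```python
import os

SCRIPT_HOSTS = {"node", "bun", "python", "python3"}
PACKAGE_MANAGERS = {"npm", "npx", "pip", "pip3", "bun", "node"}
PERSISTENCE_FILES = (".claude/settings.json", ".vscode/tasks.json")
IMDS_IP = "169.254.169.254"          # AWS instance metadata endpoint
SESSION_DOMAIN = "getsession.org"    # Session P2P domain used for exfiltration

def _base(image):
    """Normalise an image path: '/usr/bin/python3.11' -> 'python3', 'node.exe' -> 'node'."""
    name = os.path.basename((image or "").replace("\\", "/")).lower()
    name = name[:-4] if name.endswith(".exe") else name
    return "python3" if name.startswith("python3") else name

def _alert(event, hypothesis, stage, fp_risk):
    return {"host": event.get("host"), "hypothesis": hypothesis, "stage": stage, "fp_risk": fp_risk}

def evaluate(event):
    """Return an alert for an event matching one of the four hypotheses, else None."""
    kind, image = event.get("kind"), _base(event.get("image"))
    if kind == "process" and event.get("detached") and image in SCRIPT_HOSTS \
            and _base(event.get("parent_image")) in SCRIPT_HOSTS | PACKAGE_MANAGERS:
        return _alert(event, "Script host spawned detached child", "Execution", "Low")
    if kind == "file_write" and image in PACKAGE_MANAGERS \
            and event.get("path", "").replace("\\", "/").endswith(PERSISTENCE_FILES):
        return _alert(event, "Package manager wrote IDE/agent config", "Persistence", "Low")
    if kind == "dns" and event.get("query", "").lower().rstrip(".").endswith(SESSION_DOMAIN):
        return _alert(event, "DNS lookup of Session infrastructure", "Exfiltration", "Low")
    if kind == "network" and event.get("dst_ip") == IMDS_IP and image in SCRIPT_HOSTS:
        return _alert(event, "Script host reached IMDS", "Credential Access", "Medium")
    return None

def hunt(events):
    """Run every event through evaluate() and keep the alerts, in input order."""
    return [a for a in map(evaluate, events) if a is not None]

# Constructed sample telemetry (not real logs): one hit per hypothesis plus benign noise.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ci-runner-7", "parent_image": "/usr/bin/node",
     "image": "/usr/bin/node", "detached": True},
    {"kind": "file_write", "host": "dev-laptop", "image": "/usr/local/bin/npm",
     "path": "/home/dev/.claude/settings.json"},
    {"kind": "file_write", "host": "dev-laptop", "image": "/usr/bin/code",
     "path": "/home/dev/proj/.vscode/tasks.json"},     # the editor itself: benign, no alert
    {"kind": "dns", "host": "ci-runner-7", "query": "filev2.getsession.org."},
    {"kind": "network", "host": "ci-runner-7", "image": "/usr/bin/python3.11",
     "dst_ip": "169.254.169.254"},
]
```

hunt(SAMPLE_EVENTS) yields four alerts, one per hypothesis, and skips the editor writing its own tasks.json; the IMDS rule carries the Medium FP risk from the table because AWS SDKs legitimately hit that endpoint.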

Control Gaps

  • Lack of egress filtering in CI/CD environments allowing connections to arbitrary P2P networks.
  • Over-permissive OIDC token scopes in GitHub Actions workflows.
  • Implicit trust in Sigstore provenance badges without verifying the underlying code.

Key Behavioral Indicators

  • Process tree showing package managers spawning detached scripts.
  • File writes to .claude/ or .vscode/ directories originating from package installation paths.
  • Network connections to filev2.getsession.org from build servers.

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Run 'shasum -a 256' on all router_init.js files in dependency trees and match against known malicious hashes.
  • Rotate all secrets immediately on any system that installed an affected package (npm tokens, GitHub PATs, AWS credentials, Vault tokens, K8s tokens).
  • Revoke GitHub Actions OIDC federation grants for any npm package published from affected repositories.
  • Audit .claude/ and .vscode/ directories in developer home directories and remove unfamiliar entries.
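A scanner for the hash check in the first step above, as an added example rather than Socket's own tooling. It walks a dependency tree for the three file names the IOC section ties to the payload and compares SHA1 and MD5 digests, since those are the digest types published in the Additional IOCs section; the function names and the CANDIDATE verdict for an IOC-named file with an unknown hash are this example's own.

```python
import hashlib
import os

# File names the article ties to the payload, and the SHA1/MD5 hashes it publishes.
IOC_FILENAMES = {"router_init.js", "router_runtime.js", "tanstack_runner.js"}
KNOWN_SHA1 = {"12ed9a3c1f73617aefdb740480695c04405d7b4b",   # router_init.js / router_runtime.js
              "e7d582b98ca80690883175470e96f703ef6dc497"}   # tanstack_runner.js
KNOWN_MD5 = {"833fd59ebe66a4449982c6d18db656b4",           # router_init.js / router_runtime.js
             "b82e54923f7e440664d2d75bd31588ca"}           # tanstack_runner.js

def file_digests(data):
    """Return (sha1, md5) hex digests; md5 is flagged as non-security use for FIPS hosts."""
    return (hashlib.sha1(data).hexdigest(),
            hashlib.md5(data, usedforsecurity=False).hexdigest())

def walk_tree(root):
    """Yield (path, contents) for every IOC-named file below root (e.g. node_modules)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in IOC_FILENAMES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, fh.read()

def scan_files(files, known_sha1=KNOWN_SHA1, known_md5=KNOWN_MD5):
    """Classify (path, contents) pairs: MATCH when a digest is known-bad, otherwise
    CANDIDATE, because an IOC-named file with an unknown hash may be a new variant
    and still deserves a manual look."""
    results = []
    for path, data in files:
        if os.path.basename(path) not in IOC_FILENAMES:
            continue
        sha1, md5 = file_digests(data)
        verdict = "MATCH" if sha1 in known_sha1 or md5 in known_md5 else "CANDIDATE"
        results.append({"path": path, "sha1": sha1, "md5": md5, "verdict": verdict})
    return results

def hunt_tree(root):
    """Scan a project checkout or node_modules directory on disk."""
    return scan_files(walk_tree(root))

if __name__ == "__main__":
    import sys
    hits = hunt_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for r in hits:
        print(f'{r["verdict"]:9} {r["path"]}  sha1={r["sha1"]}  md5={r["md5"]}')
    sys.exit(1 if any(r["verdict"] == "MATCH" for r in hits) else 0)   # nonzero fails the CI job
```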

Infrastructure Hardening

  • Block egress to filev2.getsession.org and related Session infrastructure at the perimeter.
  • Restrict OIDC token scopes in GitHub Actions workflows by setting 'permissions: id-token: none' where not explicitly needed.
  • Implement Subresource Integrity or package lock verification with pinned integrity fields.

User Protection

  • Ensure developers are aware of the risks of executing lifecycle hooks during package installation.
  • Monitor developer workstations for unexpected modifications to IDE configuration files.

Security Awareness

  • Educate engineering teams that Sigstore provenance badges alone do not guarantee a package is non-malicious, as compromised CI pipelines can generate valid attestations.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
  • T1552.007 - Unsecured Credentials: Container API
  • T1090.003 - Proxy: Multi-hop Proxy
  • T1546 - Event Triggered Execution
  • T1059.007 - Command and Scripting Interpreter: JavaScript

Additional IOCs

  • Domains:
    • filev2[.]getsession[.]org - Session P2P network domain used for exfiltration
  • Urls:
    • hxxps://npms[.]io/search?q=ponyfill - Network connectivity and dependency check performed by the malware
  • File Hashes:
    • 12ed9a3c1f73617aefdb740480695c04405d7b4b (SHA1) - router_init.js / router_runtime.js
    • 833fd59ebe66a4449982c6d18db656b4 (MD5) - router_init.js / router_runtime.js
    • e7d582b98ca80690883175470e96f703ef6dc497 (SHA1) - tanstack_runner.js
    • b82e54923f7e440664d2d75bd31588ca (MD5) - tanstack_runner.js
  • File Paths:
    • .claude/settings.json - Modified by malware to establish persistence via Claude Code hooks
    • .vscode/tasks.json - Modified by malware to establish persistence via VS Code tasks
    • /tmp/transformers.pyz - Location where the malicious Python artifact is dropped
    • /var/run/secrets/kubernetes.io/serviceaccount/token - Targeted Kubernetes service account token path
  • Command Lines:
    • Purpose: Execute malicious payload via npm lifecycle hook | Tools: bun, npm | Stage: Execution | bun run tanstack_runner.js
    • Purpose: Execute downloaded malicious Python artifact | Tools: python3 | Stage: Execution | python3 /tmp/transformers.pyz