Massive Supply Chain Attack Hits npm and PyPI: Shai-Hulud Campaign Delivers Stealth Credential Stealers to Developers

Introduction

A large-scale software supply chain attack has emerged, targeting developers across the npm and PyPI ecosystems through compromised packages carrying stealth credential-stealing malware. The campaign, known as Shai-Hulud, demonstrates a new level of sophistication by abusing trusted CI/CD pipelines, valid security attestations, and identity tokens to make malicious packages appear fully legitimate. Even experienced developers are unlikely to detect the compromise, as the infected releases are signed, verified, and distributed through official channels.

Summary of the Original Incident

The Shai-Hulud supply chain campaign has compromised hundreds of packages across npm and PyPI, delivering advanced credential-stealing malware aimed at developers and CI/CD environments. The attackers reportedly hijacked valid OpenID Connect (OIDC) tokens to publish malicious package versions with legitimate provenance attestations compliant with SLSA Build Level 3 standards.

The operation is attributed to the threat group TeamPCP and initially began with the compromise of packages within the TanStack and Mistral AI ecosystems. It quickly expanded into other widely used projects including Guardrails AI, UiPath, OpenSearch, Bitwarden CLI, and SAP official packages.

Security researchers from StepSecurity observed that attackers used legitimate CI/CD workflows to publish malicious code, meaning the artifacts carried valid signatures issued by npm’s own infrastructure. This made detection extremely difficult, as the packages appeared fully authentic.

Multiple security firms have measured the scale of the breach differently, with Endor Labs identifying over 160 compromised packages, Aikido reporting 373 malicious versions, and Socket detecting 416 infected artifacts across npm and PyPI.

According to TanStack’s internal investigation, the attackers exploited a chain of weaknesses including unsafe GitHub Actions workflows triggered on pull_request_target, cache poisoning in CI pipelines, and memory-based theft of OIDC tokens from runner environments.

The attackers released 84 malicious package versions across 42 TanStack repositories, all of which carried valid provenance signatures and Sigstore attestations tied to legitimate release pipelines.

Further analysis revealed that attackers used a technique involving orphaned Git commits stored in GitHub’s fork infrastructure. These commits were later referenced through malicious optional dependencies, forcing npm to execute attacker-controlled scripts during installation.

The malware itself is designed for deep credential harvesting. It targets GitHub tokens, npm authentication keys, AWS credentials, Kubernetes service accounts, HashiCorp Vault secrets, SSH keys, and even developer environment configurations such as VS Code tasks, Claude Code settings, and .env files.

StepSecurity reported that the malware scans memory and file paths across more than 100 locations to extract sensitive credentials. Exfiltration is handled through a peer-to-peer Session network, making traffic appear as encrypted messaging and complicating detection efforts.

Once executed, the malware establishes persistence by embedding itself into development tools and automation hooks, meaning removal of the package alone does not fully eliminate the infection.

The propagation mechanism remains consistent with earlier Shai-Hulud waves, leveraging stolen credentials to enumerate maintained packages, modify tarballs, inject payloads, and republish infected versions at scale.

SafeDep researchers confirmed that despite different initial entry points across Mistral AI and TanStack ecosystems, the same credential-stealing payload is reused throughout the campaign.

Security vendors including StepSecurity, Endor Labs, Aikido, Socket, and SafeDep have published lists of affected packages. Developers are strongly urged to audit dependencies, rotate credentials, and assume compromise if affected versions were installed.

Recommended mitigations include checking CI/CD environments, rotating all tokens, auditing IDE persistence mechanisms, and blocking known command-and-control domains such as api.masscan.cloud and .getsession.org.

Snyk researchers further emphasize that even SLSA Build Level 3 attestations can no longer be trusted blindly, as attackers have demonstrated the ability to generate valid provenance for malicious builds.
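As an added example (not code from the article or from any vendor it cites), a small audit of an npm lockfile for two install-time signals raised above: dependencies resolved from a Git commit URL rather than the registry, as in the optional-dependency technique, and packages that declare install lifecycle scripts. The package names, fork and commit hash are constructed placeholders.

```python
"""Audit an npm lockfile (lockfileVersion 2/3 "packages" map) for install-time red flags:
dependencies resolved from a Git/GitHub URL instead of the registry (the orphaned-commit
optional dependency pattern above) and dependencies that run install lifecycle scripts.
Added example; not code from the article or from any vendor it cites."""
import json
from urllib.parse import urlparse

TRUSTED_REGISTRIES = {"registry.npmjs.org"}

# Constructed sample lockfile: one clean package, one optional dependency pinned
# to a commit in a hypothetical GitHub fork, and one package with an install hook.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/helper-lib": {
            "version": "2.1.0",
            "optional": True,
            "resolved": "git+ssh://git@github.com/example-fork/helper-lib.git"
                        "#0123456789abcdef0123456789abcdef01234567"},  # placeholder sha
        "node_modules/native-thing": {
            "version": "0.4.2",
            "hasInstallScript": True,
            "resolved": "https://registry.npmjs.org/native-thing/-/native-thing-0.4.2.tgz"},
    },
})

def audit_lockfile(text: str) -> list:
    """Return one finding dict per suspicious package entry, in lockfile order."""
    findings = []
    for path, entry in json.loads(text).get("packages", {}).items():
        if not path:
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        optional = bool(entry.get("optional"))
        # git+ URLs and non-registry hosts mean the tarball did not come from npm
        if resolved.startswith("git+") or (host and host not in TRUSTED_REGISTRIES):
            findings.append({"package": name, "optional": optional,
                             "reason": "resolved outside the registry: " + resolved})
        if entry.get("hasInstallScript"):
            findings.append({"package": name, "optional": optional,
                             "reason": "runs an install lifecycle script"})
    return findings
```

Run it against a project's package-lock.json before installing; pairing it with npm's ignore-scripts setting stops the lifecycle hooks that the second kind of finding flags from running at all.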

What Undercode Say:

The Shai-Hulud campaign represents a major shift in supply chain exploitation strategy
Instead of breaking infrastructure, attackers now abuse trust systems themselves
CI/CD pipelines are no longer just execution environments but attack vectors
The use of valid OIDC tokens shows deep targeting of developer identity systems
This is not a simple package injection attack; it is an identity compromise operation
The attackers rely on GitHub Actions memory exposure, which is often overlooked
pull_request_target misuse remains one of the most dangerous CI/CD misconfigurations
Cache poisoning in workflows shows how build systems can be silently manipulated
The fact that SLSA Build Level 3 was bypassed is particularly concerning for enterprise security
It demonstrates that cryptographic trust does not guarantee behavioral safety
Sigstore signatures are valid but do not guarantee the intent of the code
This creates a false sense of security in modern supply chain frameworks
The orphaned commit technique is a clever abuse of distributed storage design
GitHub fork infrastructure unintentionally preserves attacker artifacts
Optional dependencies in npm become silent execution triggers
This reflects a broader issue in JavaScript ecosystem trust models
Attackers are shifting from endpoint malware to developer environment malware
Credential harvesting across 100+ paths shows extensive reconnaissance capability
Session P2P exfiltration is designed to blend into normal encrypted traffic
Persistence inside VS Code and Claude Code tools makes cleanup non-trivial
Even removing packages does not guarantee system integrity restoration
This implies incident response must include full developer workstation audits
The reuse of payloads across ecosystems suggests a modular malware architecture
Attackers prioritize scalability over custom targeting per ecosystem
npm and PyPI are effectively converging into a single attack surface
Cloud credentials are primary targets, especially AWS and Kubernetes tokens
This aligns with modern cloud-native infrastructure dependencies
The attack shows high automation maturity in propagation logic
Stolen CI/CD credentials act as self-replicating access keys
This reduces the attackers' need for fresh exploitation at each stage
Security tools relying only on signatures are insufficient
Behavioral detection at install time becomes essential
Lockfile-only installs reduce but do not eliminate exposure risk
Developers are now frontline security nodes in supply chain defense
The ecosystem needs runtime verification, not just build-time validation
Enterprise pipelines must treat package installs as code execution
Zero trust principles must extend into dependency management
This campaign signals a new era of stealthy, identity-driven supply chain warfare
Detection must shift from artifact trust to runtime behavior analysis

Fact Checker Results

✅ Confirmed widespread npm and PyPI compromise across multiple security vendors

❌ No evidence that SLSA Level 3 guarantees safety against malicious builds

⚠️ Attribution to TeamPCP and Shai-Hulud campaign is reported but still under active investigation

Prediction

The next wave of this campaign will likely focus on deeper CI/CD ecosystem takeover, including automated secret harvesting from cloud build environments and wider exploitation of GitHub Actions trust chains. Expect attackers to refine persistence mechanisms further, targeting developer IDE ecosystems and cloud-native credential stores with more automation and less detectable network behavior.

References:

Reported By: www.bleepingcomputer.com