Introduction: A New Era of Supply Chain Exploitation Across Open Source Ecosystems
A highly sophisticated supply chain attack campaign known as Mini Shai-Hulud has emerged, attributed to the threat actor TeamPCP. The operation has infiltrated widely used npm and PyPI packages tied to major ecosystems including AI tooling, cloud services, and developer infrastructure. By embedding obfuscated malware into legitimate packages, the attackers have escalated software supply chain threats to a new level of automation, persistence, and stealth. The campaign demonstrates how deeply integrated CI/CD systems, GitHub workflows, and package registries can be weaponized to distribute credential-stealing malware at scale.
The Attack Campaign and Its Technical Execution
The Mini Shai-Hulud campaign has compromised multiple npm and PyPI packages, including those from TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and other developers. Attackers injected an obfuscated JavaScript file named router_init.js into affected npm packages. This script profiles system environments and launches a credential stealer targeting cloud platforms, cryptocurrency wallets, AI development tools, messaging apps, and CI/CD systems such as GitHub Actions and security scanning tools.

Data exfiltration is routed to a domain using Session Protocol infrastructure (filev2.getsession[.]org) to avoid detection in enterprise environments. As a fallback, stolen data is pushed to attacker-controlled GitHub repositories using compromised tokens under a deceptive author identity. Persistence mechanisms were also deployed inside development environments like Claude Code and Visual Studio Code, ensuring malware execution every time the IDE launches. Additional components include a GitHub token monitoring service and malicious GitHub Actions workflows designed to extract repository secrets and send them to external servers.

TanStack confirmed the breach originated from a chained GitHub Actions exploitation involving pull_request_target misuse, cache poisoning, and OIDC token extraction from runners. The attackers then reused legitimate CI pipelines to publish malicious versions with valid SLSA provenance. The worm-like propagation mechanism allowed attackers to reuse stolen tokens with bypassed 2FA, enumerate maintainer packages, and spread across multiple projects.

The vulnerability has been assigned CVE-2026-45321 with a critical CVSS score of 9.6, affecting dozens of packages and versions across ecosystems. Additional infections were confirmed in PyPI packages such as guardrails-ai, mistralai, and multiple OpenSearch and Squawk modules.
Some payloads included geofencing logic to avoid Russian environments and even destructive code paths under specific regional conditions. The campaign represents one of the most advanced and self-propagating supply chain worms ever observed.
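Two defender-side checks drawn from the campaign described above, as an added example that is not from the article or from any of the affected projects: a scan for the router_init.js loader dropped into npm packages, and an audit of GitHub Actions workflows for the pull_request_target trigger combined with a checkout of the pull request head (the pattern behind the chained Actions abuse TanStack described). The sample project tree, the package name `pkg`, and the workflow file names are constructed for the demonstration.

```python
"""Added defensive triage helper; not the article's or any vendor's code. Two checks from
the campaign above: (1) any router_init.js under the project tree (the injected loader);
(2) GitHub Actions workflows that trigger on pull_request_target and check out the PR
head, which runs untrusted PR code with the repo's write token and secrets."""
import glob
import os
import re
import tempfile

LOADER_NAME = "router_init.js"
PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
# A PR-head checkout is attacker-controlled code when the trigger is pull_request_target.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(ref|sha)")

def find_loader_files(root):
    """Return every router_init.js below root (campaign indicator), sorted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if LOADER_NAME in files:
            hits.append(os.path.join(dirpath, LOADER_NAME))
    return sorted(hits)

def risky_workflows(root):
    """Return workflow files combining pull_request_target with a PR-head checkout."""
    risky = []
    for path in sorted(glob.glob(os.path.join(root, ".github", "workflows", "*.y*ml"))):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if PRT_TRIGGER.search(text) and PR_HEAD_REF.search(text):
            risky.append(path)
    return risky

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def build_sample_tree():
    """Constructed sample project: one planted loader, one risky and one safe workflow."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "node_modules", "pkg", "dist", LOADER_NAME), "// planted\n")
    _write(os.path.join(root, ".github", "workflows", "pr.yml"),
           "on:\n  pull_request_target:\njobs:\n  t:\n    steps:\n      - uses: actions/checkout@v4\n"
           "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n")
    _write(os.path.join(root, ".github", "workflows", "ci.yml"),
           "on: [pull_request]\njobs:\n  t:\n    steps:\n      - uses: actions/checkout@v4\n")
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    print("loaders:", find_loader_files(sample), "risky workflows:", risky_workflows(sample))
```

Point both functions at a real checkout (`find_loader_files(".")`, `risky_workflows(".")`) to triage a project; a hit on the loader name warrants treating the host's credentials and tokens as exposed.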
What Undercode Says:
A New Evolution of Supply Chain Warfare
The attack is not a simple credential theft operation; it represents a structural evolution in software supply chain warfare. By embedding malicious logic into CI/CD pipelines, attackers bypass traditional security boundaries that assume trusted build systems are safe by default.
Exploitation of Trust in GitHub Actions and OIDC
The abuse of GitHub Actions, particularly OIDC token exchanges, highlights a critical blind spot in modern DevSecOps architectures. Attackers are no longer breaking authentication—they are borrowing legitimacy from it.
Persistence Beyond Traditional Malware Models
The injection of persistence hooks into IDEs like VS Code and Claude Code shows a shift toward developer-centric persistence. Instead of targeting servers alone, attackers now embed themselves into developer workflows.
Multi-Layered Exfiltration Strategy
Using Session Protocol infrastructure alongside GitHub GraphQL APIs creates redundant exfiltration channels. This ensures data leakage continues even if one channel is detected or blocked.
Supply Chain Worm Behavior and Self-Replication
The worm’s ability to identify maintainers, extract tokens, and propagate across packages introduces near-autonomous replication. This reduces attacker workload while maximizing spread efficiency.
Bypassing 2FA Through Token Reuse
A critical design flaw exploited here is the reuse of publish tokens with bypass_2fa flags, effectively neutralizing one of the strongest authentication protections in npm ecosystems.
CI/CD as the New Attack Surface
Instead of endpoint exploitation, attackers focus on pipelines themselves. GitHub Actions becomes both the entry point and the distribution channel, collapsing trust boundaries.
Valid SLSA Provenance as a False Shield
One of the most alarming aspects is that malicious packages carried valid SLSA Level 3 attestations. This breaks the assumption that provenance guarantees safety.
Cross-Ecosystem Contamination (npm + PyPI)
The simultaneous compromise of npm and PyPI demonstrates that attackers are no longer platform-specific. Instead, they are targeting developer ecosystems broadly.
Geofencing and Conditional Payload Logic
The inclusion of location-aware destructive logic shows a level of operational sophistication typically seen in state-aligned malware.
AI and Developer Tooling as Primary Targets
AI frameworks and developer tools are heavily targeted, indicating attackers prioritize high-value infrastructure over consumer systems.
Long-Term Ecosystem Impact
This incident will likely force a redesign of trust assumptions in package registries, CI/CD workflows, and identity-based authentication systems.
🔍 Fact Checker Results
✔ Supply Chain Breach Confirmed
The compromise of npm and PyPI packages across multiple ecosystems has been independently verified by multiple security researchers.
✔ CVE-2026-45321 Assigned
The vulnerability has been officially cataloged with a critical severity rating of 9.6 CVSS.
✔ Multi-Platform Infection Verified
Infections affecting both npm and PyPI ecosystems have been confirmed, including AI and enterprise tooling packages.
📊 Prediction
The next phase of this campaign is likely to involve deeper automation of token harvesting and expanded self-replication across additional package ecosystems. Future variants may further weaponize CI/CD trust chains, potentially introducing fully autonomous supply chain worms capable of propagating without direct attacker intervention. Security frameworks will likely shift toward runtime attestation and continuous verification models as static provenance proofs are no longer sufficient to guarantee package integrity.
References:
Reported By: thehackernews.com