A new wave of the Shai-Hulud supply-chain campaign has compromised hundreds of packages across npm and PyPI, distributing credential-stealing malware aimed at developers and CI/CD environments.
Security researchers attribute the campaign to the TeamPCP threat group, which abused stolen OpenID Connect (OIDC) tokens to publish malicious package updates through legitimate release pipelines. The attackers were able to generate valid SLSA Build Level 3 provenance attestations, making the infected packages appear authentic and cryptographically verified.
The latest wave began with the compromise of dozens of TanStack and Mistral AI packages before spreading to projects linked to Guardrails AI, UiPath, OpenSearch, Bitwarden CLI, and official SAP packages.
Researchers say the campaign has evolved since first emerging in September, with earlier versions exposing large volumes of developer secrets through automated GitHub repositories.
According to TanStack’s post-mortem report, the attackers chained together three weaknesses: a dangerous pull_request_target GitHub Actions workflow, cache poisoning in GitHub Actions, and theft of OIDC tokens from runner memory. The attackers published 84 malicious versions across 42 TanStack packages, all carrying valid Sigstore attestations and legitimate GitHub Actions signatures.
Security firm StepSecurity said the infected packages were published through the legitimate TanStack/router release workflow, complete with valid provenance issued by npm’s signing systems.
Attackers also exploited an orphaned commit hidden in a fork of the TanStack/router repository. The commit was referenced through a malicious optional dependency, causing npm to automatically retrieve and execute attacker-controlled code during installation.
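A defensive check for the install-time vector described above, as an added example that is not code from TanStack, StepSecurity or the original article: it flags dependency specs in a package.json that npm fetches from somewhere other than the registry, and marks optional dependencies pinned to a commit hash. The function names, package names, repository and hash are assumptions constructed for illustration.

```javascript
// Added example (not from the article): flag package.json dependency specs
// that npm resolves outside the registry. Sample manifest values are constructed.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Returns a label for non-registry specs, or null for ordinary ranges, tags and npm: aliases.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^npm:/i.test(s)) return null;
  if (/^git(\+(ssh|https?|file))?:\/\//i.test(s)) return "git-url";
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return "hosted-git";
  if (/^https?:\/\//i.test(s)) return "remote-tarball";
  if (/^(file:|\.{0,2}\/|~\/)/.test(s)) return "local-path";
  if (/^[\w-][\w.-]*\/[\w.-]+(#.+)?$/.test(s)) return "github-shorthand"; // user/repo[#commit-ish]
  return null;
}

function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (!kind) continue;
      const fragment = String(spec).split("#")[1] || "";
      findings.push({
        field, name, spec, kind,
        // A hex commit-ish pins the install to one specific commit object.
        pinnedCommit: /^[0-9a-f]{7,40}$/i.test(fragment),
        // Optional dependencies are pulled in automatically at install time.
        optional: field === "optionalDependencies",
      });
    }
  }
  return findings;
}

// Constructed sample manifest: names, repository and hash are placeholders.
const sampleManifest = {
  name: "example-app",
  dependencies: { "example-lib": "^1.3.0", "example-alias": "npm:example-lib@^1.3.0" },
  devDependencies: { "example-tool": "file:../tools/example-tool" },
  optionalDependencies: {
    "example-helper": "github:example-org/example-repo#0123456789abcdef0123456789abcdef01234567",
    "example-native": "^2.3.3",
  },
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.field}: ${f.name} -> ${f.spec} [${f.kind}${f.pinnedCommit ? ", pinned commit" : ""}]`);
}
```

A finding with both optional and pinnedCommit set has the shape the article describes and warrants a manual check of where that commit actually lives.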
Once executed, the malware scanned GitHub Actions runner memory and harvested credentials from more than 100 locations linked to cloud providers, cryptocurrency wallets, developer tools, and messaging applications. Exfiltration occurred over the encrypted Session peer-to-peer messaging network, helping the attackers evade traditional monitoring and takedown efforts.
Researchers warn the malware establishes persistence by embedding itself into Claude Code hooks and VS Code auto-run tasks, allowing it to survive even after malicious packages are removed.
Security firms tracking the campaign reported varying counts of affected packages. Endor Labs identified more than 160 compromised npm packages, Aikido recorded 373 malicious package-version entries, and Socket observed 416 malicious artifacts spanning the npm, PyPI, and Composer ecosystems.
Supply-chain security platform SafeDep noted that although the initial infection vectors differed between the TanStack and Mistral AI compromises, both ultimately delivered the same credential-stealing payload.