Mini Shai Hulud Malware Targets Crypto Wallets via npm Packages

The worm specifically targets cryptocurrency wallet files along with cloud credentials, SSH keys, and npm tokens, exfiltrating stolen data through the victim's own GitHub account.

Written By:
Dhara Chavda

Last updated: 34 minutes ago
Published 34 minutes ago
Blockchain security firm SlowMist has issued a critical threat intelligence alert on “Mini Shai-Hulud,” a self-propagating npm worm that has compromised over 169 JavaScript packages — including foundational developer tools from TanStack, UiPath, Mistral AI, and DraftLab — to steal cryptocurrency wallets, cloud credentials, and CI/CD secrets at scale.

The alert, classified as severity “Critical” under identifier SM-2026-561840, was published on May 12 alongside indicators of compromise including malicious IP addresses, domains (git-tanstack[.]com, seed1[.]getsession[.]org), and a list of compromised package artifacts spanning the @tanstack, @uipath, @mistralai, @squawk, and @draftlab namespaces.

🚨 MistEye TI Alert 🚨

MistEye has detected a highly sophisticated npm worm, "Mini Shai-Hulud," spreading through trusted developer projects like TanStack, UiPath, and DraftLab. The attackers hijacked GitHub credentials to publish malicious, yet seemingly legitimate, package…

— SlowMist (@SlowMist_Team) May 12, 2026

The attack is attributed to the threat group TeamPCP, which has been escalating its supply chain operations since September 2025 — previously compromising Aqua Security’s Trivy vulnerability scanner in March 2026 and the Bitwarden CLI npm package in April 2026.

How the Worm Works

Unlike typosquatting malware, which publishes look-alike package names and waits for a mistyped install, Mini Shai-Hulud hijacks a project's legitimate build pipeline. The attack chain, documented by StepSecurity, Socket, Wiz, and Snyk, links three weaknesses in the project's GitHub Actions setup: an over-privileged pull request trigger, a build cache shared with the base branch, and a release workflow that trusts whatever that cache contains.

First, on May 10 the attacker forked the TanStack/router repository under the GitHub account "voicproducoes" and renamed the fork so it would not show up in fork-list searches. They then opened a pull request that triggered a pull_request_target workflow. That trigger runs in the context of the base repository, with the base repository's secrets and a write-capable GITHUB_TOKEN, even when the pull request comes from a fork, and the cache entries such a run writes are scoped to the base branch rather than to the fork. The attacker used that run to plant a malicious pnpm dependency store in the shared GitHub Actions cache.

When a legitimate maintainer pull request was merged the next day, the release workflow restored the poisoned cache and ran the attacker's code inside the trusted release job. That code read the OIDC tokens out of the GitHub Actions runner's process memory; npm trusted publishing accepts such a token in place of a long-lived npm token, so the attacker could publish malicious versions through the project's own release pipeline.

The result: malicious packages published under the real TanStack namespace, from the real build infrastructure, with real cryptographic attestations.

First Npm Worm With Valid SLSA Provenance

In what security researchers are calling an unprecedented escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations: signed statements, issued through Sigstore, that record which repository, workflow and builder produced a package. Because those statements were produced by the genuine release workflow on GitHub-hosted runners, every field in them is true, and an automated scanner that gates on provenance would have marked the malicious packages as legitimate.

“SLSA provenance only confirms which pipeline built the package — not whether that pipeline was behaving honestly,” Snyk’s analysis noted. The distinction matters: once the build pipeline itself is compromised, a consumer verifying provenance gets a genuine, cryptographically valid answer about a build that was malicious, and nothing in the verification step flags it.

This is the first documented npm supply chain attack to produce validly attested malicious packages. It marks the limit of the provenance model as currently deployed: provenance authenticates the builder; it does not audit what the build consumed.

Crypto Wallets: A Primary Target

The worm’s payload is a heavily obfuscated 2.3 MB JavaScript file named router_init.js. It is executed with the Bun runtime rather than Node.js, which sidesteps monitoring tools that hook the Node.js process, and once running it harvests sensitive data from more than 100 file paths.

Cryptocurrency assets are a primary target. The malware specifically searches for and exfiltrates wallet files and keys for Bitcoin, Ethereum, Monero, Electrum, Exodus, Ledger Live, Atomic Wallet, and others. It also targets browser extension data associated with MetaMask and Phantom. Beyond crypto, the payload harvests AWS, Azure, GCP, and Kubernetes credentials, SSH keys, VPN configurations, npm tokens, GitHub PATs, and even AI tool settings.

The stolen data is encrypted using AES-256-GCM and exfiltrated through three redundant channels: a typosquat domain (git-tanstack[.]com), the decentralized Session messenger network, and GitHub API dead drops — repositories created on the victim’s own account with the description “A Mini Shai-Hulud has Appeared.” The GitHub-native exfiltration is particularly insidious, as it blends with normal developer activity.

The Dead Man’s Switch

The worm includes a destructive failsafe mechanism. On developer machines, the malware installs a persistent daemon (via macOS LaunchAgent or Linux systemd) that polls GitHub every 60 seconds to check if stolen tokens are still valid. If it detects that a token has been revoked — a natural first step in incident response — the daemon triggers a destructive routine that attempts to execute rm -rf ~/, wiping the user’s entire home directory.

Security researchers have warned organizations not to revoke tokens until the infected machine is fully isolated, disconnected from the internet, and its drive has been imaged for forensic analysis — a counterintuitive but critical step.

Scale of the Blast Radius

The attack’s impact is enormous. @tanstack/react-router alone has approximately 12 million weekly downloads. Across all compromised namespaces, more than 25,000 repositories tied to hundreds of developers have been affected. The npm team is actively removing malicious versions, and TanStack maintainer Tanner Linsley has confirmed that the team shut down all publishing pipelines while investigating.

Critically, because many of the compromised packages are transitive dependencies, a project can pull in the malicious code without ever listing a TanStack package in its own package.json; one of its other tools may depend on it. The lockfile and the installed node_modules tree, not the manifest, are the places to look.

Socket detected and flagged the compromised artifacts within six minutes of publication. The attack has been assigned CVE-2026-45321.

Why Crypto Developers Are Especially Vulnerable

SlowMist emphasized that developers working on blockchain, DeFi, or Web3 projects are prime targets because their environments frequently store or interact with private keys, seed phrases, wallet.dat files, and signing credentials. A single compromised CI/CD pipeline can lead to drained wallets, unauthorized transactions, or downstream attacks on smart contracts and deployed infrastructure.

This is not a theoretical risk. In previous Shai-Hulud waves, the Trust Wallet team experienced a compromise linked to credentials stolen by the same worm family. The September 2025 npm supply chain attack, which compromised chalk, debug and sixteen other packages with roughly 2 billion combined weekly downloads, injected code that swapped cryptocurrency wallet addresses at execution time; financial losses were limited to approximately $500 because the injected code crashed in many environments, which also exposed it quickly.

The Mini Shai-Hulud campaign is significantly more sophisticated: self-propagation, validly attested packages, multi-channel exfiltration and a destructive failsafe together put it well beyond earlier waves in capability.

Recommendations

SlowMist and multiple security firms urge immediate action for anyone whose npm, pnpm or yarn install resolved any @tanstack/*, @uipath/*, @mistralai/*, @squawk/* or @draftlab/* package on or after May 11: treat the install environment as fully compromised. Isolate and image the machine first; do not revoke tokens before that is done. Then rotate every credential that was reachable from it, including GitHub tokens, npm accounts, cloud keys, SSH keys, and any cryptocurrency wallet seeds or private keys. Audit CI/CD pipelines for the presence of router_init.js or suspicious preinstall hooks, and review any workflow that runs pull_request_target on untrusted pull requests. Monitor for unauthorized repositories appearing on your GitHub account.

For crypto holders, the guidance is blunt: avoid storing wallet files, seed phrases, or private keys on development machines. Use air-gapped or hardware wallets for significant holdings.
