
[CIAD-2026-0026] “Mini Shai-Hulud” Supply Chain Attack Campaign Targeting Open-Source
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: Critical
Overview
It has been observed that an active software supply chain attack campaign, publicly referred to as ‘Mini Shai-Hulud’, is targeting npm and PyPI package registries, with broader impact across enterprise CI/CD environments and open-source software ecosystems. This campaign, observed across multiple discrete waves, is compromising software packages, build and release pipelines, automated publishing workflows, and cloud-native development infrastructures leveraged in modern application delivery.
Threat actors have reportedly compromised several hundred packages across npm and PyPI, resulting in the publication of a significantly larger number of malicious versions. The compromises have been carried out through a combination of compromised maintainer accounts, hijacked CI/CD pipeline tokens, and abuse of trusted publishing workflows.
Notable Affected Ecosystems / Packages
The affected packages, with specific malicious versions reported within each, include:
TanStack packages (@tanstack namespace)
SAP CAP / MTA npm packages
AntV ecosystem packages (@antv namespace)
UiPath packages (@uipath namespace)
Mistral AI packages (@mistralai namespace)
OpenSearch packages (@opensearch-project namespace)
Guardrails AI packages
Squawk packages
Other widely-used packages including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, jest-canvas-mock
Note: The set of affected packages and versions is expanding. Organizations are advised to refer to advisories published by the relevant registry operators, the GitHub Advisory Database and other official channels for the most current information.
Description
Analysis from multiple security researchers indicates that the attackers are leveraging compromised npm maintainer accounts, GitHub Actions workflow abuse, and CI/CD pipeline compromise to distribute malicious packages. The campaign uses malicious preinstall hooks, obfuscated Bun/JavaScript payloads, credential harvesting mechanisms, and worm-like propagation capabilities to spread across development and enterprise environments.
Initial access has been observed through:
hijacking of GitHub Actions OIDC tokens via the ‘pull_request_target’ trigger in combination with Actions cache poisoning, followed by exchange with npm trusted publishing workflows for valid publish credentials;
compromise of npm maintainer accounts; and
targeting of long-dormant packages with weaker security controls but continued transitive usage.
The malware is designed to harvest sensitive credentials, including GitHub Personal Access Tokens (PATs), npm authentication tokens, cloud credentials (AWS/Azure/GCP), SSH keys, Kubernetes service account tokens, Vault secrets, database credentials, and CI/CD environment variables. It may also attempt to access cloud metadata services, extract secrets from CI/CD runner environments, and exfiltrate collected data to attacker-controlled infrastructure, while enabling further propagation by validating stolen npm tokens, enumerating accessible packages, injecting malicious payloads, and republishing under compromised maintainer identities.
Persistence mechanisms have been observed on development environments through modification of local tooling configurations (e.g., editor task hooks), potentially allowing execution across sessions.
Malicious packages have also been observed abusing trusted build and provenance mechanisms to appear legitimate, complicating detection and trust validation efforts.
Indicators of Compromise
The following Indicators of Compromise (IoCs) are associated with this campaign:
Malicious files and artefacts:
router_init.js
router_runtime.js
tanstack_runner.js
index.js (root-level, ~498 KB obfuscated Bun bundle)
setup.mjs
transformers.pyz (also observed at /tmp/transformers.pyz)
pgmonitor.py
pgsql-monitor.service
gh-token-monitor.sh
kitty-monitor (Installed as a systemd user service on Linux or LaunchAgent on macOS)
cat.py (Often located in ~/.local/share/kitty/)
Injections into .claude/settings.json (SessionStart hook executing node .claude/setup.mjs) and .vscode/tasks.json (task with ‘runOn’: ‘folderOpen’).
Suspicious preinstall / postinstall / prepare script execution during npm install
Network indicators:
filev2.getsession[.]org
git-tanstack[.]com
t.m-kosche[.]com
api.masscan[.]cloud
83[.]142[.]209[.]194
Suspicious access attempts to cloud metadata endpoints: 169[.]254[.]169[.]254 (AWS/Azure/GCP IMDS) and 169[.]254[.]170[.]2 (ECS task metadata)
File hashes (SHA-256):
ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c (router_init.js, @tanstack)
2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 (tanstack_runner.js)
GitHub repository markers:
Repositories suddenly created under organisation identities with the description ‘A Mini Shai-Hulud has Appeared’ or the reversed marker ‘niagA oG eW ereH :duluH-iahS’
Unauthorized dead-drop commits authored by the alias: claude@users.noreply.github.com
Anomalous branch creation or pushes mimicking dependabot (e.g., dependabout/github_actions/format/setup-formatter)
package.json modifications containing the malicious optional dependency pointer:
‘@tanstack/setup’: ‘github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c’
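The file-based indicators above (install-time lifecycle scripts, a git-hosted optional dependency, and the editor and agent start-up hooks) can be swept for across a checkout or a developer home directory. The following Python is an added example, not part of the CERT-In advisory; the function names are illustrative, the .claude/settings.json layout is an assumption, and hits are leads for review rather than verdicts.

```python
import json
import sys
from pathlib import Path

LIFECYCLE = ("preinstall", "postinstall", "prepare")
GIT_SPEC = ("github:", "git+", "git://")  # specs that fetch code from outside the registry

def load(path):
    """Return (parsed dict or {}, raw text); tasks.json is often JSONC and may not parse."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return {}, ""
    try:
        doc = json.loads(text)
    except ValueError:
        doc = {}
    return (doc if isinstance(doc, dict) else {}), text

def obj(value):
    return value if isinstance(value, dict) else {}

def scan_workspace(root):
    """Return sorted (relative path, finding) leads for the file IoCs listed above."""
    root, hits = Path(root), []
    for p in root.rglob("*.json"):
        rel, tail = p.relative_to(root).as_posix(), p.parts[-2:]
        doc, text = load(p)
        if p.name == "package.json":
            hits += [(rel, f"lifecycle script: {h}") for h in LIFECYCLE if h in obj(doc.get("scripts"))]
            hits += [(rel, f"git optional dependency: {n}")
                     for n, spec in obj(doc.get("optionalDependencies")).items()
                     if str(spec).startswith(GIT_SPEC)]
        elif tail == (".vscode", "tasks.json"):
            tasks = [t for t in doc.get("tasks") or [] if isinstance(t, dict)]
            parsed = any(obj(t.get("runOptions")).get("runOn") == "folderOpen" for t in tasks)
            if parsed or (not doc and "folderOpen" in text):  # text fallback for JSONC
                hits.append((rel, "task runs on folderOpen"))
        elif tail == (".claude", "settings.json"):
            # Assumed layout: {"hooks": {"SessionStart": [...]}}
            if obj(doc.get("hooks")).get("SessionStart"):
                hits.append((rel, "SessionStart hook present"))
    return sorted(hits)

if __name__ == "__main__":
    for rel, finding in scan_workspace(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {finding}")
```

Lifecycle scripts are common in legitimate packages, so compare each hit against the last known-good version of the same file before treating it as malicious.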
Successful exploitation may allow attackers to steal developer and cloud credentials, compromise CI/CD pipelines, publish additional malicious packages, gain unauthorized access to enterprise repositories, establish persistence in developer environments, compromise downstream software supply chains, and exfiltrate sensitive organizational data. Organizations using automated dependency updates or unrestricted package version ranges may face increased exposure to such attacks.
Recommendations
Review all npm, PyPI, Composer/Packagist, and related dependencies for suspicious or unauthorized package versions.
If an affected package version is identified, promptly isolate the host from the network and ensure relevant system artifacts are preserved to support incident investigation, prior to proceeding with further remediation.
Identify and disable local persistence mechanisms (e.g., systemd services or LaunchAgents) PRIOR to revoking any tokens. Revoking tokens while the malware’s monitoring daemon is active may trigger retaliatory destructive actions on the compromised host.
Rotate all developer credentials and tokens, including npm/PyPI publish tokens, GitHub PATs and Actions secrets, AWS/Azure/GCP credentials, HashiCorp Vault and Kubernetes service-account tokens, SSH keys, and other CI/CD secrets.
Enforce Multi-Factor Authentication (MFA) across GitHub, npm, PyPI, cloud, and CI/CD environments.
Audit GitHub Actions workflows for insecure configurations, excessive permissions, and untrusted third-party actions.
Restrict unnecessary preinstall, postinstall, and prepare lifecycle scripts in development and CI/CD environments.
Monitor systems and network traffic for known indicators of compromise associated with the campaign.
Inspect repositories for unauthorized workflow changes, suspicious commits, malicious releases, or unexpected package publishing activity.
Validate package provenance, maintainers, and software attestations before approving dependency updates.
Implement least-privilege access controls and dependency pinning to reduce supply chain risk.
Continuously monitor software supply chain activity using SBOM and dependency monitoring solutions.
Conduct threat hunting for credential theft, malicious workflows, and unauthorized publishing activity.
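For the GitHub Actions workflow audit recommended above, and the ‘pull_request_target’ entry vector described under Description, a heuristic pass over .github/workflows can surface the risky combinations of trigger, checkout, cache and OIDC permission. This Python is an added example, not part of the CERT-In advisory; the sample workflow is constructed, the function names are illustrative, and the text matching is a heuristic rather than a YAML parse.

```python
import re
from pathlib import Path

CHECKS = {
    "pull_request_target": re.compile(r"\bpull_request_target\b"),
    "pr_head_checkout": re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"),
    "cache": re.compile(r"uses:[ \t]*actions/cache\b|^[ \t]*cache:[ \t]*\S", re.M),
    "oidc_write": re.compile(r"id-token:[ \t]*write"),
}

# Constructed workflow for illustration; not taken from any affected project.
SAMPLE = """\
on: pull_request_target   # runs with the base repository's privileges
permissions:
  id-token: write
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: {ref: "${{ github.event.pull_request.head.sha }}"}
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
"""

def audit_workflow(text):
    """Return findings for one workflow file; an empty list means no flagged combination."""
    body = re.sub(r"(?m)(^|[ \t])#.*$", "", text)  # drop YAML comments (heuristic)
    traits = {name for name, rx in CHECKS.items() if rx.search(body)}
    findings = []
    if {"pull_request_target", "pr_head_checkout"} <= traits:
        findings.append("pull_request_target workflow checks out PR-controlled code")
        if "cache" in traits:
            findings.append("job running PR-controlled code also uses the Actions cache")
        if "oidc_write" in traits:
            findings.append("job running PR-controlled code can request an OIDC token")
    elif {"oidc_write", "cache"} <= traits:
        findings.append("OIDC-enabled workflow restores a cache; confirm untrusted jobs cannot write it")
    return findings

def audit_repo(root):
    """Map workflow file name to findings for every file under .github/workflows."""
    files = sorted(Path(root, ".github", "workflows").glob("*.y*ml"))
    found = {p.name: audit_workflow(p.read_text(encoding="utf-8", errors="replace")) for p in files}
    return {name: f for name, f in found.items() if f}

if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```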
Note: ‘Mini Shai-Hulud’ is considered an evolved variant of the earlier ‘Shai-Hulud’ campaign, expanding beyond the npm ecosystem to target multiple package ecosystems and enterprise CI/CD environments. For the CERT-In advisory related to the ‘Shai-Hulud’ campaign, refer to CIAD-2025-0034.
References
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
https://www.sophos.com/en-us/blog/-mini-shai-hulud-supply-chain-attack-targets-sap-npm-packages
https://www.endorlabs.com/learn/shai-hulud-compromises-the-tanstack-ecosystem-80-packages-compromised
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
https://snyk.io/blog/tanstack-npm-packages-compromised
https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/
https://socket.dev/blog/antv-packages-compromised
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


