The Short Version
In May 2026, a self-replicating worm called Shai-Hulud compromised TanStack — one of the most widely used React utility libraries — along with Mistral AI, Guardrails AI, OpenSearch, and dozens of other packages. The attack was sophisticated enough to generate valid supply chain attestations (SLSA Level 3) using stolen tokens, making the infected packages appear legitimately signed. OpenAI was forced to revoke all developer macOS certificates after two employee devices were compromised.
This is not a one-off incident. It is the beginning of a new category of threat: worm-class supply chain attacks that compound on themselves, using each victim's credentials to compromise the next target automatically.
Background: What Is Shai-Hulud?
Shai-Hulud is named after the giant sandworms from Dune — fitting for a worm that burrows through the npm ecosystem. It was built and operated by TeamPCP, a financially motivated threat actor active since at least September 2025.
The core innovation is self-propagation. Most supply chain attacks are one-shot: compromise a maintainer account, publish a malicious version, wait for installs. Shai-Hulud is different. It:
- Compromises a maintainer's machine or CI/CD pipeline
- Steals their npm publish token
- Automatically enumerates every package that token has access to
- Injects a payload into each package, bumps the version, republishes
- When those infected packages install on a developer's machine, the process starts again
Each victim becomes an attack vector against their entire package graph. The worm compounds.
The TanStack Incident: Timeline
September 2025 — TeamPCP begins initial Shai-Hulud campaigns targeting npm, PyPI, and Composer ecosystems. Early targets are smaller libraries with limited security monitoring.
May 12, 2026 — TeamPCP publicly releases the full Shai-Hulud source code on GitHub and announces a supply chain attack contest on BreachForums with a $1,000 Monero bounty. Within hours, copycat variants begin appearing. This date marks the transition from a targeted campaign to an open-source attack framework.
May 12, 2026 — The Mini Shai-Hulud wave hits. Using the original codebase, attackers compromise:
- TanStack (42 packages, 84 versions) — CVE-2026-45321 (CVSS 9.6)
- Mistral AI — mistralai@2.4.6 on both npm and PyPI
- Guardrails AI — guardrails-ai@0.10.1 on PyPI
- OpenSearch — @opensearch-project/opensearch v3.5.3 through v3.8.0
- UiPath, DraftLab, SAP packages
May 15, 2026 — OpenAI discloses that two employee devices were compromised via the TanStack package. They revoke all macOS developer certificates. New certificates required by June 12, 2026.
May 18, 2026 — Four copycat packages appear using the leaked source code with modified C2 infrastructure: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils. These variants carry a DDoS botnet payload (Phantom Bot) in addition to credential theft. Combined downloads: ~2,678.
May 19, 2026 — The AntV mega-wave. In a 22-minute burst between 01:56 and 02:58 UTC, attackers publish 639 malicious versions across 323 packages via a compromised atool maintainer account. Affected packages include echarts-for-react (1.1M weekly downloads), the entire @antv/* suite, timeago.js, size-sensor, and jest-canvas-mock — collectively touching over 10 million monthly downloads.
How the Attack Works: Technical Breakdown
Initial Compromise
Attackers gain initial access through three primary vectors:
Stolen npm tokens — Particularly tokens scoped with bypass_2fa=true, which circumvent two-factor authentication on publish operations. These tokens are harvested from developer machines, .npmrc files, CI/CD environment variables, and GitHub Actions secrets.
OIDC token hijacking — Modern CI/CD pipelines use OpenID Connect tokens for keyless authentication. Shai-Hulud abuses these short-lived tokens by extracting them from the CI runner environment during a build, then using them to publish packages before the token expires.
Compromised maintainer accounts — The AntV wave used credentials for the atool account, which had publishing rights across the entire @antv ecosystem. One compromised account gave the attacker access to 323 packages simultaneously.
The Self-Replication Loop
Once installed on a developer machine, the malware executes via a preinstall hook or root-level index.js. The execution flow:
1. Harvest npm token from ~/.npmrc, env vars, or keychain
2. Validate token via npm registry API (GET /whoami)
3. List all packages the token can publish (GET /packages?maintainer=X)
4. For each package:
   a. Download latest tarball
   b. Inject payload into preinstall or index.js
   c. Bump patch version (1.2.3 → 1.2.4)
   d. Publish via npm CLI using stolen token
5. Exfiltrate all harvested credentials
6. Move to next victim
The AntV wave executed this loop across 323 packages in 22 minutes — roughly 4 seconds per package.
Trust Abuse: Bypassing Supply Chain Verification
This is the most technically sophisticated element. Shai-Hulud abuses the Sigstore/SLSA provenance system that was introduced to protect against exactly this kind of attack.
The attack works because OIDC tokens from compromised CI/CD environments are still valid from Sigstore's perspective. The worm:
- Captures the OIDC token from the CI runner mid-build
- Uses it to request a Sigstore Fulcio certificate
- Generates a valid SLSA Build Level 3 attestation for the malicious package
- The infected package now carries legitimate-looking provenance that passes npm audit signatures
The provenance is technically valid. The source repository and workflow are correct. Only the package contents have been tampered with — and the attestation doesn't verify contents, only that they came from a specific workflow run.
Payload: What It Steals
The credential harvesting covers 20+ secret types:
- Source control: GitHub tokens (including fine-grained PATs), GitLab tokens, Bitbucket credentials
- Cloud providers: AWS access keys across all 19 availability zones including GovCloud, GCP service account keys, Azure credentials
- Infrastructure: SSH private keys, Kubernetes service account tokens, HashiCorp Vault tokens, Docker registry credentials
- Development: npm tokens, PyPI tokens, Stripe API keys, database connection strings
- Environment: All .env files, shell history, dotfiles
- Crypto: Cryptocurrency wallet files and keys
Exfiltration is 3-tier redundant:
- Primary: Session P2P network (filev2.getsession.org) — end-to-end encrypted, indistinguishable from legitimate Session messenger traffic on TCP/443
- Fallback: GitHub API dead drops — public repositories created under the victim's account containing encrypted credential dumps. Marker string: "ShaI-HuluD HeRe We Go AgiaN" (a reversal of "niagA oG eW ereH :duluH-iahS" visible in repository names)
- Tertiary: Direct C2 servers: t.m-kosche.com:443, 83.142.209.194
All data is serialized, gzip-compressed, AES-256-GCM encrypted, and RSA-OAEP wrapped before exfiltration.
Persistence and Destructive Payloads
Beyond credential theft, several variants include:
IDE backdoors — Modifications to VS Code settings and Claude Code configuration files that persist across package removal.
Dead-man's switch — If the npm publish token is revoked (a common incident response step), the malware triggers rm -rf ~/ before terminating.
Geofenced wiper — Some variants include a destructive payload with a 1-in-6 probability trigger on systems with Israeli or Iranian locale settings.
DDoS botnet (Phantom Bot) — The copycat variants include a Golang-based HTTP/TCP/UDP flood botnet that persists via Windows Startup folder and scheduled tasks.
Why TanStack? Why Now?
TanStack is the canonical example of a high-value, low-surveillance target. The libraries (TanStack Query, TanStack Router, TanStack Table) are used by millions of developers but maintained by a small core team. Large enterprises depend on them; the maintainers don't have dedicated security staff monitoring for unusual publish activity.
The timing — immediately after the source code leak — is significant. TeamPCP releasing the source wasn't an accident or a mistake. It was a deliberate move to:
- Maximize impact via copycat campaigns before defenders had time to respond
- Complicate attribution — with dozens of actors using the same codebase, it becomes harder to track TeamPCP specifically
- Recruit affiliates via the BreachForums contest, creating a de facto attack-as-a-service offering
What This Means for npm Security
SLSA and Sigstore are not sufficient
The most important lesson is that the supply chain security infrastructure built over the last three years — Sigstore, SLSA provenance, npm audit signatures — does not protect against this attack class. Provenance attestations verify process, not content. If the CI/CD token is compromised, the attacker can generate valid attestations for malicious packages.
This is not a flaw in Sigstore's design. It is a fundamental limitation of any provenance system: provenance proves that something came from a particular build process, not that the build process itself was clean.
Long-lived tokens are the root cause
The majority of successful compromises relied on long-lived npm tokens — some months or years old — stored in developer environments. The npm registry's support for bypass_2fa=true scoped tokens creates a parallel authentication path that bypasses the security controls maintainers think are protecting them.
The attack surface is the developer machine, not the registry
The npm registry's own security controls (2FA, provenance verification, malware scanning) are largely irrelevant once a legitimate token is stolen. The attack surface is wherever developers store and use their tokens: .npmrc files, shell history, CI/CD environment variables, password managers, and IDE configurations.
Remediation: What to Do
Immediate (if you used any affected packages)
1. Identify exposure. Check your package-lock.json or yarn.lock for affected package versions published between September 2025 and May 19, 2026. The AntV and TanStack package lists are available from Socket's security advisory.
2. Assume compromise. Any machine that installed an affected version should be treated as compromised. Do not just remove the package — the credentials were already exfiltrated at install time.
3. Rotate all credentials. In priority order:
- GitHub tokens and OAuth apps
- npm publish tokens
- AWS access keys (all regions)
- SSH keys registered with any service
- Database passwords
- Any secret in a .env file on the affected machine
4. Hunt for GitHub dead drops. Search your GitHub account's repository list for anything created after May 12, 2026 that you didn't create. Delete and revoke access.
5. Clean IDE configurations. Audit VS Code's settings.json and extension list. If you use Claude Code, check ~/.config/claude/ for unexpected additions.
Structural (to reduce future exposure)
Rotate to short-lived tokens. Use OIDC-based publish tokens tied to specific CI/CD pipelines and branches. Never store long-lived npm tokens on developer machines.
Scope tokens tightly. Per-package publish tokens (npm token create --cidr-whitelist=...) limit the blast radius if one token is compromised.
Disable lifecycle scripts in CI. Add ignore-scripts=true to your .npmrc for CI environments. Most packages don't need preinstall scripts to function.
Monitor for anomalous publishes. Subscribe to npm package changelog notifications for your critical dependencies. An unexpected version bump is a signal.
Restrict OIDC token scope. Lock trusted publisher configurations to specific protected branches and specific workflow file paths. workflow_dispatch triggers and pull_request triggers should never have publish access.
The Bigger Picture
Shai-Hulud is not an anomaly. It is a proof of concept that will be replicated. The combination of:
- Massive developer tooling dependency graphs
- Long-lived credentials stored insecurely
- CI/CD pipelines with broad publishing access
- Supply chain verification that authenticates process but not content
...creates a structural vulnerability that individual packages cannot protect against. The attack surface is the ecosystem itself.
The Axios incident (covered separately) — where a North Korean actor attributed to UNC1069 backdoored axios v1.14.1, a package with 100M+ weekly downloads — confirms this is an active threat class with nation-state participation, not just financially motivated actors.
For security practitioners: the question is no longer whether your dependencies are compromised. It is whether you would know if they were, and how quickly you could respond.
Sources
- BleepingComputer: New Shai-Hulud malware wave compromises 600 npm packages, https://www.bleepingcomputer.com/news/security/new-shai-hulud-malware-wave-compromises-600-npm-packages/
- The Hacker News: Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI, https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html
- The Hacker News: TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html
- Dark Reading: Shai-Hulud Worm Clones Spread After Code Release, https://www.darkreading.com/application-security/shai-hulud-worm-clones-spread-code-release
- Palo Alto Unit 42: The npm Threat Landscape: Attack Surface and Mitigations, https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/