According to monitoring by Beating, a窃密蠕虫 named "Mini Shai-Hulud" (after the sandworm from Dune) is sweeping through frontend and AI backend ecosystems. On May 12 at 3:20–3:26 AM (UTC+8), the attacker group TeamPCP compromised TanStack’s official release pipeline and pushed 84 malicious versions of 42 official packages to npm, including `@tanstack/react-router`, which receives millions of weekly downloads. The worm then spread cross-platform to PyPI, with the latest victims including Amazon’s `@opensearch-project/opensearch` (npm, 1.3 million weekly downloads), Mistral’s official client `mistralai`, and the AI guardrail tool `guardrails-ai` (both on PyPI). The malicious packages appear identical to legitimate releases. The attackers did not steal any long-term credentials; instead, they exploited a vulnerability in GitHub Actions configuration to hijack the official pipeline and obtain legitimate temporary publishing permissions. As a result, the malicious packages received genuine SLSA build provenance signatures—a cryptographic attestation proving “the package was truly built by the official pipeline”—completely bypassing the long-standing developer trust model that “signed = safe.” Worse still, simply uninstalling the malicious packages is insufficient. Reverse analysis by Socket.dev shows that after installation, the worm silently writes itself into execution hooks for Claude Code (`.claude/settings.json`) and VS Code task configurations (`.vscode/tasks.json`). Even if the malicious package is removed, the malware automatically reactivates whenever the developer opens the project directory or invokes the AI assistant. The trigger threshold on Python is even lower: simply importing the compromised package—without calling any functions—silently activates credential theft. TeamPCP left a mocking message on the spoofed distribution domain `git-tanstack[.]com`: “We’ve been stealing credentials online for over two hours now, but I just came by to say hi :^).” The worm continues to self-propagate. Any machine that installed the affected packages during this window should be treated as compromised: immediately rotate all credentials (AWS, GitHub, npm, SSH), thoroughly inspect `.claude/` and `.vscode/` directories, and reinstall from a clean lockfile.
MiniShai-Hulud worm infects TanStack, OpenSearch, and Mistral clients
MarsBitShare
Summary
A security breach involving the MiniShai-Hulud worm has affected TanStack, OpenSearch, and Mistral clients. Attackers exploited GitHub Actions vulnerabilities to deploy 84 malicious package versions between May 12, 3:20 AM and 3:26 AM UTC+8. The worm employs valid SLSA signatures and persists in tools such as VS Code and Claude Code. Developers are urged to rotate credentials and scan project directories. This crypto news underscores ongoing threats within the open-source ecosystem.
Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.