170 Packages. 518 Million Downloads. One Worm.

What Happened

On May 11, 2026, a self-propagating worm called Mini Shai-Hulud ripped through the npm and PyPI ecosystems in under six minutes. 404 malicious package versions published across 170+ packages. 518 million cumulative downloads affected. TanStack, Mistral AI, UiPath, Guardrails AI, and OpenSearch all compromised in a single coordinated attack.

One week later, on May 18, the Nx Console VS Code extension (2.2 million installs) was hijacked and published to the VS Code Marketplace with a credential-stealing payload that targeted GitHub, npm, AWS, Kubernetes, and even Claude Code configuration files.

This is the full teardown of both incidents, followed by a step-by-step guide to check if you are affected and what to do about it.

The Worm: Mini Shai-Hulud

Mini Shai-Hulud is not a typical supply chain attack. It is a worm. It propagates itself.

The attack was carried out by a threat actor group called TeamPCP. Their method: hijack GitHub Actions OIDC tokens, use them to forge valid npm publish tokens, then publish poisoned versions of every package the compromised account has write access to. Each poisoned package repeats the cycle, stealing tokens from the next victim's CI/CD pipeline and spreading further.

The name comes from the Dune universe. A sandworm that consumes everything in its path. The metaphor is unfortunately accurate.

The TanStack Compromise

Between 19:20 and 19:26 UTC on May 11, the attacker published 84 malicious versions across 42 @tanstack/* packages. Six minutes. That includes @tanstack/react-router, one of the most widely used routing libraries in the React ecosystem with approximately 12 million weekly downloads.

The malicious versions contained an obfuscated payload that executed during installation. No user interaction required. Run npm install and the payload fires.

What the Payload Stole

The credential stealer targeted everything a developer or CI/CD pipeline would have access to:

  • GitHub Personal Access Tokens
  • npm authentication tokens
  • AWS IAM keys and session tokens
  • Azure and Google Cloud credentials
  • HashiCorp Vault tokens
  • Kubernetes service account tokens and secrets
  • SSH keys
  • Environment variables containing secrets

The payload compressed and encrypted everything before exfiltrating it to attacker-controlled infrastructure. It also injected persistence hooks into Claude Code and VS Code configuration directories so it would survive package uninstallation and system reboots.

The Full Blast Radius

The affected packages span both ecosystems:

npm: @tanstack/* (83 entries across router, start, devtools, and adapter packages), @uipath/* (66 entries), @squawk/* (87 entries), @mistralai/*, @tallyui/*, @beproduct/*, intercom-client, opensearch-project/opensearch, and dozens more.

PyPI: guardrails-ai 0.10.1, mistralai 2.4.6.

In total, 404 malicious versions across 170+ packages. The NHS England Digital Cyber Alert team issued advisory CC-4781 for the incident. Snyk, Socket, Wiz, Orca Security, and StepSecurity all published independent analyses confirming the scope.

The Nx Console Hijack

One week after Mini Shai-Hulud, a different but related attack hit the VS Code Marketplace directly.

On May 18, a compromised version of Nx Console (nrwl.angular-console v18.95.0) was published. The extension has over 2.2 million installations. The malicious version was live for approximately 11 minutes before the Nx team pulled it.

Eleven minutes. That is all it took.

How It Worked

The attacker gained access through a contributor's GitHub personal access token that was scraped during a separate, earlier supply chain incident. That token had push access to the nrwl/nx repository and, through it, access to the VS Code Marketplace publishing credentials.

The compromised extension fetched and executed a 498 KB obfuscated payload hidden inside an orphan commit in the official nrwl/nx GitHub repository. Within seconds of a developer opening any workspace, the payload activated.

What It Stole

The Nx Console payload was a multi-stage credential stealer and supply chain poisoning tool:

  • Harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password
  • Exfiltrated data over three independent channels: HTTPS, the GitHub API, and DNS tunneling
  • Installed a persistent Python backdoor on macOS using the GitHub Search API as a dead-drop for receiving commands signed with a 4096-bit RSA key
  • Specifically targeted Claude Code configuration files (~/.claude/settings.json)

That last point is significant. This may be one of the first supply chain payloads specifically designed to harvest AI coding assistant credentials and configurations. Your AI tools are now part of the attack surface.

The Docker Hub Campaign

Between April 21 and 23, a third campaign hit Docker Hub. Researchers from GitGuardian documented how malicious Docker images were published containing scripts that harvested cloud credentials and CI/CD secrets during container build and runtime.

Three registries. Three campaigns. All targeting the same thing: developer secrets.

How to Check If You Are Affected

Here is the step-by-step guide. Run through every item even if you think you are clean.

Step 1: Check Your Lockfiles

Search your package-lock.json, yarn.lock, or pnpm-lock.yaml for any of the affected package versions.

For npm:

npm ls @tanstack/react-router @tanstack/react-query @mistralai/mistralai intercom-client

For yarn:

yarn why @tanstack/react-router

Compare installed versions against the known malicious version ranges published between May 11-12, 2026. If any match, assume compromise.

For PyPI:

pip show guardrails-ai mistralai

Check for guardrails-ai 0.10.1 and mistralai 2.4.6 specifically.

Step 2: Check for Persistence

The worm installs persistence mechanisms that survive uninstallation.

macOS:

ls -la ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

Linux:

ls -la ~/.config/systemd/user/gh-token-monitor.service

If either file exists, you are compromised. Remove it immediately.

Step 3: Check VS Code and Claude Code Directories

The payload drops files that persist in your editor configuration:

# Check for malicious files in VS Code
find ~/.vscode/extensions -name 'router_runtime.js' -o -name 'setup.mjs' 2>/dev/null

# Check Claude Code config
ls -la ~/.claude/settings.json
cat ~/.claude/settings.json | grep -i 'proxy\|endpoint\|url'

Look for any unexpected proxy settings, custom endpoints, or injected scripts. If your Claude Code settings contain entries you did not add, assume compromise.

Step 4: Check for the Nx Console Backdoor

If you had Nx Console installed and it auto-updated on May 18:

# macOS: check for the persistent backdoor
launchctl list | grep -i nx
find ~/Library/LaunchAgents -name '*nx*' -o -name '*nrwl*' 2>/dev/null

# Check for the orphan commit payload
find ~/.vscode/extensions/nrwl.angular-console-* -name '*.js' -newer ~/.vscode/extensions/nrwl.angular-console-*/package.json 2>/dev/null
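
The host checks in Steps 2 through 4 can be combined into one read-only sweep. This is an added example, not code from the original article or from any affected project; the function names, the KIND labels and the demo directory are assumptions, while the file names and paths are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the original article): read-only sweep for the host
# indicators named in Steps 2-4. Prints one "KIND path" line per finding.
scan_home() {
    home=${1:-$HOME}   # pass another root to scan a mounted image or backup
    # Step 2: persistence units at the exact paths given above.
    for f in \
        "$home/Library/LaunchAgents/com.user.gh-token-monitor.plist" \
        "$home/.config/systemd/user/gh-token-monitor.service"
    do
        if [ -e "$f" ]; then echo "PERSISTENCE $f"; fi
    done
    # Step 3: dropped files. The escaped parentheses group both names, so
    # -type f applies to either match instead of only the first one.
    for d in "$home/.vscode" "$home/.claude"; do
        if [ -d "$d" ]; then
            find "$d" -type f \( -name 'router_runtime.js' -o -name 'setup.mjs' \) \
                2>/dev/null | sed 's/^/DROPPED /'
        fi
    done
    # Step 4: launch agents with nx/nrwl in the name (review, not proof).
    if [ -d "$home/Library/LaunchAgents" ]; then
        find "$home/Library/LaunchAgents" \( -name '*nx*' -o -name '*nrwl*' \) \
            2>/dev/null | sed 's/^/REVIEW /'
    fi
    # Step 3: settings keys that deserve a manual look.
    s="$home/.claude/settings.json"
    if [ -f "$s" ] && grep -Eiq 'proxy|endpoint|url' "$s"; then
        echo "REVIEW $s"
    fi
}

# Number of findings of one kind: count_findings KIND [root]
count_findings() {
    scan_home "$2" | grep -c "^$1 " || true
}

# Constructed demo tree (not real data): one launch agent, one dropped file.
demo=$(mktemp -d)
mkdir -p "$demo/Library/LaunchAgents" "$demo/.vscode/extensions/x" "$demo/.claude"
: > "$demo/Library/LaunchAgents/com.user.gh-token-monitor.plist"
: > "$demo/.vscode/extensions/x/router_runtime.js"
echo '{"model": "default"}' > "$demo/.claude/settings.json"
scan_home "$demo"
```

A REVIEW line is a prompt to inspect the file by hand; PERSISTENCE and DROPPED lines match the names this article treats as indicators of compromise.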

Step 5: Check CI/CD Logs

Review your GitHub Actions, GitLab CI, or Jenkins logs for:

  • Unexpected npm publish events between May 11-12
  • OIDC token requests you did not initiate
  • Network connections to git-tanstack[.]com, *.getsession.org, or 83.142.209.194

# List recent GitHub Actions runs created after May 10 to review for suspicious activity
gh run list --limit 50 --json conclusion,createdAt,name | jq '.[] | select(.createdAt > "2026-05-10")'

Step 6: Audit Docker Images

If you pulled Docker images between April 21-23:

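# List images whose creation timestamp falls in the window
# (CreatedAt is when the image was built, not when you pulled it)
docker images --format '{{.Repository}}:{{.Tag}} {{.CreatedAt}}' | grep '2026-04-2'

# Heuristic scan of layer commands for downloads or staging in /tmp
# (expect false positives: 'nc' also matches inside other words)
docker history <image_name> --no-trunc | grep -i 'curl\|wget\|nc\|/tmp/'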

How to Remediate

If any of the checks above returned positive results, do all of the following. Not some. All.

Rotate Everything

# Revoke and regenerate npm tokens
npm token revoke <token_id>
npm token create

# Rotate GitHub PATs
# Go to GitHub > Settings > Developer settings > Personal access tokens
# Revoke all tokens created before May 12 and generate new ones

# AWS credentials
aws iam create-access-key --user-name <your-user>
aws iam delete-access-key --access-key-id <old-key-id> --user-name <your-user>

# Rotate SSH keys
ssh-keygen -t ed25519 -C "<your-email>"
# Update the public key in GitHub, GitLab, and any servers

Also rotate: GCP service account keys, Azure service principals, HashiCorp Vault tokens, Kubernetes service account tokens, 1Password service account tokens, and any CI/CD secrets stored in environment variables.

Block Attacker Infrastructure

Add these to your DNS blocklist, firewall, or proxy:

git-tanstack[.]com
*.getsession.org
83.142.209[.]194

Clean Your Environment

# Remove persistence mechanisms
rm -f ~/Library/LaunchAgents/com.user.gh-token-monitor.plist
rm -f ~/.config/systemd/user/gh-token-monitor.service

# Remove malicious files from editor configs
# (the parentheses make -delete apply to both file names, not only the last)
find ~/.vscode \( -name 'router_runtime.js' -o -name 'setup.mjs' \) -delete
find ~/.claude \( -name 'router_runtime.js' -o -name 'setup.mjs' \) -delete

# Reinstall clean package versions
rm -rf node_modules package-lock.json
npm install

Update to Clean Versions

Maintainers published clean versions after May 12 for all affected packages. Update your lockfiles:

npm update @tanstack/react-router @tanstack/react-query
pip install --upgrade guardrails-ai mistralai

Enable Package Provenance

If you publish packages, enable npm provenance to cryptographically link packages to their source repository and build:

npm publish --provenance

This makes it significantly harder for attackers to publish malicious versions even with stolen tokens.

Pin GitHub Actions

Stop referencing actions by tag. Pin them by commit SHA:

# Bad: uses: actions/checkout@v4
# Good: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

Tags can be moved. Commit SHAs cannot.
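
To find what still needs pinning, the check below lists every `uses:` reference in a workflow directory that is not a full 40-character commit SHA. It is an added example, not code from the original article; the function names and the sample workflow are assumptions, and the only SHA used is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the original article): report workflow steps whose
# `uses:` reference is not pinned to a full 40-character commit SHA.
unpinned_actions() {
    q="[\"']?"   # optional quote around the reference
    # 1) every `uses:` key, 2) minus local (./) and docker:// references,
    # 3) minus references ending in @<40 hex>, with an optional "# vX" comment.
    grep -HnE '^[[:space:]]*(-[[:space:]]*)?uses:' \
            "$1"/*.yml "$1"/*.yaml 2>/dev/null |
        grep -vE "uses:[[:space:]]*${q}(\./|docker://)" |
        grep -vE "@[0-9a-f]{40}${q}[[:space:]]*(#.*)?\$" || true
}

# CI gate: succeeds only when nothing is reported for the directory.
all_pinned() {
    [ -z "$(unpinned_actions "$1")" ]
}

# Constructed sample workflow (hypothetical job; the SHA is the one quoted above).
demo_wf=$(mktemp -d)
cat > "$demo_wf/ci.yml" <<'EOF'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pinned
      - uses: ./.github/actions/local-step
      - name: setup
        uses: "actions/setup-node@main"
EOF
unpinned_actions "$demo_wf"
```

Point it at `.github/workflows` and call `all_pinned` from a required CI job so that a tag or branch reference fails the build.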

The Pattern

Three registries hit in 48 hours (April 21-23). A self-propagating worm that compromised 170+ packages in six minutes (May 11). A VS Code extension hijacked and published to the Marketplace (May 18). All of them targeting the same thing: developer credentials.

The attack surface is no longer your production servers. It is your development environment. Your npm tokens. Your CI/CD pipelines. Your VS Code extensions. Your AI coding assistants.

The supply chain is not a metaphor anymore. It is the primary attack vector.

518 million downloads affected. Credentials from GitHub, AWS, GCP, Azure, Kubernetes, Vault, and now Claude Code. Persistence mechanisms that survive uninstallation. A worm that spreads itself through the ecosystem faster than any human can respond.

Check your lockfiles. Check your launch agents. Rotate your tokens. Do it today.