TeamPCP’s Mini Shai-Hulud Campaign Breaches TanStack npm

TanStack, a widely used open-source library, was compromised as part of a broader software supply chain attack known as Mini Shai-Hulud.
Threat actors exploited GitHub Actions security flaws to compromise TanStack and other npm packages, unleashing credential-stealing malware that spreads as a self-propagating worm.

The new wave of the Mini Shai-Hulud campaign, unearthed in the wild, is proof that software supply chain poisoning is quickly becoming the repeat hit of 2026.

On May 11, 2026, there were rumblings of a coordinated supply chain attack targeting the npm (Node Package Manager) and PyPI (Python Package Index) ecosystems.

The threat actor behind it was found to be TeamPCP – a financially motivated threat cluster responsible for the recent Trivy supply chain attack and Checkmarx KICS incident. 

The group published malicious packages to the repositories that would trigger a credential-stealer payload when developers downloaded legitimate software packages, thereby casting a wider net across the internet.

The TanStack attack chain

“The Wiz research team has been responding overnight to the latest in the many waves of TeamPCP activity: ‘Mini Shai-Hulud - TanStack’,” Rami McCarthy, Principal Security Researcher at Wiz, writes on LinkedIn. 

“Attackers were able to exploit a GitHub actions vulnerability to publish malicious versions of popular TanStack npm packages. From there, we've seen additional attacks and community spread across @opensearch-project/opensearch, @uipath/, @mistralai/, guardrails-ai and other packages across both npm and PyPI.”

Rami McCarthy, Principal Security Researcher at Wiz

Rami along with Amitai Cohen, Attack Vector Intel Lead at Wiz, and Benjamin Read, Director of Strategic Threat Intelligence at Wiz, broke down the incident in a company blog. 

According to Wiz, the breach was the result of three vulnerabilities in GitHub Actions. It started with the attacker creating a fork of the TanStack repository, which was later renamed to evade fork-list searches.

A pull request was then triggered, which executed the attacker’s fork code. This “poisoned the GitHub Actions cache with a malicious pnpm store”.

Later, when legitimate pull requests were merged into main, the release process unintentionally restored the poisoned cache.

From there, attacker-controlled code was able to pull OpenID Connect tokens straight from the GitHub Actions runner’s memory. Those tokens were then used to publish malicious package versions, without the attacker ever needing to steal npm login credentials.

Credential stealer and self-propagating worm

The malicious packages carried two potential infection vectors – an entry pointing to a malicious commit, which executes a payload, and a hidden 2.3MB file, router_init.js.


The payload is a potent credential stealer and self-propagating worm that targets a vast range of tokens – CI/CD tokens, cloud credentials, Kubernetes service accounts, HashiCorp Vault and package registry tokens.

The stolen npm tokens are then used to publish additional malicious packages to which the victim has write access. This enables the malware to spread through the npm ecosystem as a worm.

“As with previous Mini Shai-Hulud variants, the malware checks if the system is configured for the Russian language and terminates without exfiltrating data if so,” Wiz notes. 

Downstream impact on OpenAI

OpenAI was one of many firms affected by this breach.

The AI giant confirmed that two employees in its corporate environment were impacted by this attack. 

“Upon identification of the malicious activity, we worked quickly to investigate, contain and take steps to protect our systems,” OpenAI said. 


The company says that it observed activity that is consistent with the malware’s behaviour in a limited subset of internal code repos. 

OpenAI says: “We acted immediately to contain the activity. We isolated impacted systems and identities, revoked user sessions, rotated all credentials across impacted repositories, temporarily restricted code-deployment workflows and thoroughly scrutinised user and credential behaviour.

“As part of our investigation, we have not observed evidence of impact to customer data, or our intellectual property and our analysis has not identified misuse of impacted credentials or follow-on access by the threat actor.”

The company also warned all Mac users to update all OpenAI apps to the latest versions, including ChatGPT Desktop, Codex App, Codex CLI and Atlas.

TanStack has now confirmed that: “After a three-day full security sweep and hardening pass, we're issuing an official all-clear on TanStack repo and package security.”
