5 Sources
[1]
Compromised Mistral AI and TanStack packages may have exposed GitHub, cloud and CI/CD credentials in 'mini Shai Hulud' malware infection -- supply-chain campaign spreads across npm and AI developer ecosystems like wildfire
The malware reportedly refused to run on Russian-language systems but could execute a destructive payload under certain geographic conditions.

Microsoft Threat Intelligence said in an X post on Monday that it is investigating a compromise of the mistralai PyPI package after attackers reportedly injected malicious code that automatically executed on import, downloaded a secondary payload disguised as transformers.pyz, and launched malware on Linux systems. It is the latest incident researchers believe may be linked to the broader "Mini Shai-Hulud" software supply-chain campaign targeting developer ecosystems.

According to Microsoft, the compromised mistralai package version 2.4.6 contained malicious code inserted into mistralai/client/__init__.py that silently downloaded a file from a remote IP address to /tmp/transformers.pyz and executed it in the background whenever the package was imported on Linux machines. The filename appears deliberately chosen to resemble Hugging Face's widely used Transformers AI framework, potentially allowing the malware to blend into machine learning environments and evade suspicion.

Microsoft said the second-stage payload functioned primarily as a credential stealer, but also contained country-aware logic and a destructive branch capable of executing rm -rf / under certain geographic conditions. The payload contained logic designed to avoid Russian-language environments, a behavior commonly observed in some cybercriminal malware campaigns, though such checks are not definitive indicators of attribution.

The disclosure comes amid a growing wave of software supply-chain compromises affecting both npm and PyPI ecosystems. Earlier Monday, security firm Aikido warned that malicious package versions tied to the popular TanStack JavaScript ecosystem had been compromised in two separate attack waves beginning around 19:20 UTC. Affected packages reportedly included @tanstack/react-router, @tanstack/history, and @tanstack/router-core, components collectively downloaded tens of millions of times per week. Hours later, Aikido said several Mistral npm SDK packages had also been compromised as part of the same ongoing "Mini Shai-Hulud" campaign, including @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. The firm warned developers to immediately rotate GitHub tokens, npm credentials, cloud API keys, and CI/CD secrets if affected packages had been installed.

Microsoft has not publicly attributed the PyPI compromise to Mini Shai-Hulud. Still, the incidents share several characteristics, including malicious code inserted into trusted packages, staged payload downloads, credential theft, and automatic execution during installation or import. That overlap has raised concerns that attackers are increasingly targeting developer infrastructure itself rather than end users directly.

Modern development environments often contain high-value credentials, including GitHub personal access tokens, cloud deployment keys, SSH credentials, npm publishing tokens, and CI/CD system access. A compromised developer workstation or CI runner can therefore provide attackers with a path into much larger software ecosystems, allowing malicious updates to spread through legitimate package distribution channels.

The behavior observed in the compromised mistralai package reflects that escalation risk. According to Microsoft's analysis, the injected code silently used curl to retrieve the secondary payload before launching it as a detached background process designed to continue operating independently of the original Python session. The malware also reportedly suppressed execution errors and limited activity to Linux systems, the dominant operating system across servers, cloud environments, and many AI workloads.
Supply-chain attacks have become an increasingly serious concern across the software industry because of the sheer scale at which trusted dependencies are reused. A single compromised package can rapidly propagate into thousands of downstream applications, enterprise environments, and production systems. Major incidents in recent years have included the SolarWinds breach, the event-stream npm compromise, the 3CX supply-chain attack, and the XZ Utils backdoor attempt.

The latest wave appears particularly notable for simultaneously targeting AI tooling, cloud SDKs, and widely used frontend development frameworks. Researchers believe the campaign's primary objective is credential theft, potentially allowing attackers to compromise additional packages, maintainer accounts, and publishing infrastructure in a cascading chain of ecosystem infections.

Microsoft advised organizations to isolate affected Linux hosts, block outbound connections to the malicious IP address, hunt for indicators including /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service, and rotate any potentially exposed credentials immediately. The compromises are still under investigation, and additional affected packages may emerge as maintainers and security firms continue auditing publishing infrastructure and compromised credentials.
[2]
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.

The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution environment and launch a comprehensive credential stealer capable of targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems including GitHub Actions, according to Aikido Security, Endor Labs, SafeDep, Socket, and StepSecurity. The data is exfiltrated to the "filev2.getsession[.]org" domain. Using Session Protocol infrastructure is a deliberate attempt on the part of the attackers to evade detection, as the domain is unlikely to be blocked within enterprise environments, given that it belongs to a decentralized, privacy-focused messaging service. As a fallback option, the encrypted data is committed to attacker-controlled repositories under the author name "[email protected]" via the GitHub GraphQL API using the stolen GitHub tokens.

The malware is also capable of establishing persistence hooks in Claude Code and Microsoft Visual Studio Code (VS Code) to survive reboots and re-execute the stealer on every launch of the IDEs. Furthermore, it installs a gh-token-monitor service to monitor and re-exfiltrate GitHub tokens, and injects two malicious GitHub Actions workflows to serialize repository secrets into a JSON object and upload the data to an external server ("api.masscan[.]cloud").

TanStack has since traced the compromise to a chained GitHub Actions attack involving the "pull_request_target" trigger, GitHub Actions cache poisoning, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. "No npm tokens were stolen, and the npm publish workflow itself was not compromised," TanStack said. Specifically, the attackers are assessed to have staged the malicious payload in a GitHub fork, injected it into published npm tarballs, then hijacked the project's legitimate "TanStack/router" workflow to publish the compromised versions with valid SLSA provenance.

What makes the worm stand out is its ability to spread itself to other packages by locating a publishable npm token with bypass_2fa set to true, enumerating every package published by the same maintainer, and exchanging a GitHub OIDC token for a per-package publish token to sidestep traditional authentication entirely.

The TanStack supply chain compromise has been assigned the CVE identifier CVE-2026-45321. It carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. The incident has impacted 42 packages and 84 versions across the TanStack ecosystem.

"The attack published malicious versions through the project's own GitHub Actions release pipeline using hijacked OIDC tokens," StepSecurity researcher Ashish Kurmi said. "In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages. The worm has since spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers."

Besides TanStack, the Mini Shai-Hulud campaign has also spread to several other packages, including some on PyPI:
* [email protected] (PyPI)
* [email protected] (PyPI)
* @opensearch-project/[email protected], 3.6.2, 3.7.0, and 3.8.0
* @squawk/[email protected]
* @squawk/[email protected]
* @squawk/[email protected]
* @tallyui/[email protected], 1.0.2, and 1.0.3
* @tallyui/[email protected], 1.0.2, and 1.0.3

Microsoft, in its analysis of the malicious mistralai PyPI package, said it's designed to download a credential stealer from a remote server ("83.142.209[.]194") that includes country-aware logic to avoid Russian-language environments and a "geofenced destructive branch that has a 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran."

"The [email protected] compromise is especially notable because the malicious code executes on import," Socket said. "The package checks for Linux systems, downloads a remote Python artifact from https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz, and executes it with python3 without integrity verification."

"This latest activity shows the campaign continuing to propagate across both npm and PyPI, with affected packages spanning search infrastructure, AI tooling, aviation-related developer packages, enterprise automation, frontend tooling, and CI/CD-adjacent ecosystems."
[3]
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
Hundreds of packages across npm, PyPI, and Composer have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers. The attacker hijacked valid OpenID Connect (OIDC) tokens to publish malicious package versions with verifiable provenance attestation (SLSA Build Level 3).

Attributed to the TeamPCP threat group, the attack started with compromising dozens of TanStack and Mistral AI packages but quickly extended to other popular projects, like Guardrails AI, UiPath, and OpenSearch. The Shai-Hulud campaign emerged last September and had multiple iterations [1, 2, 3], some of them exposing hundreds of thousands of developer secrets in automatically generated Git repositories. Among more recently compromised projects are the Bitwarden CLI package and the official SAP packages.

The latest attack wave occurred yesterday with the threat actor publishing multiple malicious packages in the TanStack namespaces on the Node Package Manager (npm), and then spreading to other projects using stolen CI/CD credentials. Application security company StepSecurity notes that the threat actor published the infected packages via the legitimate CI/CD pipeline, carrying valid SLSA provenance attestations issued by npm's signing infrastructure and "tied to the legitimate Release workflow." Endor Labs reports over 160 compromised packages on npm, Aikido recorded 373 malicious package-version entries, and Socket tracked 416 compromised package artifacts across npm, the Python Package Index (PyPI), and Composer.

According to TanStack's post-mortem report, the attackers chained three vulnerabilities: a risky 'pull_request_target' workflow, GitHub Actions cache poisoning, and OIDC token theft from runner memory. The attackers published 84 malicious versions across 42 TanStack packages that had valid provenance, valid Sigstore attestations, and legitimate GitHub Actions signatures. From a developer's perspective, the packages appeared to be cryptographically authentic, and there was no indication of a compromise.

Endor Labs highlights a clever Git commit trick in which attackers abused an orphaned commit pushed to a fork of the TanStack/router repository, making it accessible through GitHub's shared fork object storage even though it didn't belong to any branch. The commit was referenced via a malicious optional dependency, causing npm to automatically fetch and execute attacker-controlled code during package installation.

The malware targets developer secrets, including:

StepSecurity says that the payload reads the GitHub Actions process memory to collect credentials from more than 100 file paths associated with cloud providers, cryptocurrency tokens, and messaging apps. To exfiltrate the sensitive information, the malware used the Session P2P network, making it appear as encrypted messenger traffic and complicating detection, blocking, and takedown efforts. Once an infection occurs, the malware writes itself into Claude Code hooks and VS Code auto-run tasks, so uninstalling the malicious packages does not remove it.

The self-propagation mechanism remains largely unchanged from past waves: it uses stolen GitHub/npm credentials, enumerates the packages linked to the compromised maintainer, modifies tarballs to inject the payload, and then republishes malicious versions. According to supply-chain security platform SafeDep, although the trigger mechanism is different in compromised Mistral AI and TanStack packages, they drop the same credential-stealing payload.

Lists of compromised packages are available in the reports from various security vendors [1, 2, 3, 4, 5], and it is recommended to check all the resources for a complete view of the impact. Developers who downloaded an affected package version should assume that credentials were exposed.

Researchers recommend that security teams take the following action:

Snyk researchers say that since the "attack produces valid SLSA Build Level 3 attestations for malicious packages," it is necessary to verify provenance and add a behavioral analysis layer at install time, along with a signature-based check for malicious packages. In the long term, to mitigate the risk from similar attacks, consider enforcing lockfile-only installs, which should prevent auto/silent package updates.
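The three chained weaknesses TanStack's post-mortem describes (a risky pull_request_target workflow, cache poisoning, and OIDC token theft from the runner) each leave a footprint in workflow YAML that can be audited before a release pipeline is abused, which is the CI-side complement to the install-time checks Snyk recommends. The script below is an added example for this page, not TanStack's tooling or any vendor's scanner. It is deliberately line-oriented so it needs no YAML library, and it audits four constructed workflows embedded in it: a weak and a hardened pull-request build, and a weak and a hardened release job.

```python
"""Heuristic audit of GitHub Actions workflows for the gaps chained above.

Added example, not TanStack's tooling or a vendor scanner. Line-oriented (no
YAML parser); it flags a workflow file when:
  PRT_CHECKOUT  pull_request_target trigger plus checkout of the PR head:
                fork-controlled code runs with the base repository's secrets.
  PRT_CACHE     pull_request_target trigger plus a cache step: that run executes
                in the base branch's context, so caches it saves are restorable
                by the release workflow (the poisoning step).
  OIDC_CACHE    id-token: write plus a cache step: the job that mints the
                publish token trusts whatever the cache holds.
The four sample workflows are constructed for this example.
"""
import os
import re
import sys

PRT_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
CACHE_RE = re.compile(r"uses:\s*actions/cache(?:/restore|/save)?@|^\s*cache:\s*\S", re.M)
OIDC_WRITE_RE = re.compile(r"^\s*id-token:\s*write\b", re.M)

WEAK_PR = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - uses: actions/setup-node@v4
        with:
          cache: pnpm                                       # saved under base-branch scope
      - run: pnpm install && pnpm build
"""

SAFE_PR = """\
on:
  pull_request:                   # read-only token for forks; its cache is PR-scoped
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install --frozen-lockfile && pnpm build
"""

WEAK_RELEASE = """\
on:
  push:
jobs:
  publish:
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: pnpm               # restored into the job that holds the OIDC token
      - run: pnpm install && pnpm build && npm publish --provenance
"""

SAFE_RELEASE = """\
on:
  push:
jobs:
  publish:
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4   # no cache step in the publishing job
      - run: pnpm install --frozen-lockfile --ignore-scripts && pnpm build
      - run: npm publish --provenance
"""


def audit_workflow(text):
    """Return the gap codes present in one workflow file's text."""
    has_prt, has_cache = bool(PRT_RE.search(text)), bool(CACHE_RE.search(text))
    findings = []
    if has_prt and PR_HEAD_RE.search(text):
        findings.append("PRT_CHECKOUT")
    if has_prt and has_cache:
        findings.append("PRT_CACHE")
    if has_cache and OIDC_WRITE_RE.search(text):
        findings.append("OIDC_CACHE")
    return findings


def audit_repo(repo_root):
    """Audit every workflow under .github/workflows; return {file name: gap codes}."""
    wf_dir = os.path.join(repo_root, ".github", "workflows")
    results = {}
    for name in sorted(os.listdir(wf_dir)) if os.path.isdir(wf_dir) else []:
        if name.endswith((".yml", ".yaml")):
            with open(os.path.join(wf_dir, name), encoding="utf-8") as fh:
                results[name] = audit_workflow(fh.read())
    return results


if __name__ == "__main__":
    for name, gaps in audit_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, ", ".join(gaps) or "ok")
```

PRT_CHECKOUT is the decisive signal: pull_request_target is only safe while the workflow never checks out or executes PR-controlled code. PRT_CACHE captures the poisoning step, because a pull_request_target run executes in the base branch's context and the cache entries it saves are restorable by the release workflow on main. OIDC_CACHE is the blast radius: whatever the publish job restores runs with the token that mints provenance. Because the check is per file rather than per job, treat hits as a triage list and follow up with a parser-based audit of the flagged workflows.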
[4]
Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps
Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised.

On affected developer workstations, the worm harvests credentials from over 100 file paths: AWS keys, SSH private keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, according to SecurityWeek. It steals Claude and Kiro AI agent configurations, including MCP server auth tokens for every external service an agent connects to.

And it does not leave when the package is removed. The worm installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-executes every time a project is opened, plus a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These live in the project tree, not in node_modules. Uninstalling the package does not remove them.

On CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones, on Linux-based runners. Wiz's analysis found that if you revoke tokens before isolating the machine, a destructive daemon wipes your home directory.

Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend's tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. The TanStack compromise is tracked as CVE-2026-45321 (CVSS 9.6), and OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned.

"TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway," Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat in an exclusive interview. "What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch association is enough to get a valid publish token. That's a one-line configuration fix."

Three vulnerabilities chained into one provenance-attested worm

TanStack's postmortem lays out the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration, chosen to avoid fork-list searches per Snyk's analysis. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack's runner. The attacker poisoned the GitHub Actions cache. When a legitimate maintainer merged to main, the release workflow restored the poisoned cache. Attacker binaries read /proc/pid/mem, extracted the OIDC token, and POSTed directly to registry.npmjs.org. Tests failed. Publish was skipped. 84 signed packages still reached the registry. "Each vulnerability bridges the trust boundary the others assumed," the postmortem states. This is published tradecraft from the March 2025 tj-actions/changed-files compromise, recombined in a new context.

The worm crossed from npm into PyPI within hours

Microsoft Threat Intelligence confirmed the mistralai PyPI package v2.4.6 executes on import (not on install), downloading a payload disguised as Hugging Face Transformers. npm mitigations (lockfile enforcement, --ignore-scripts) do not cover Python import-time execution. Mistral AI published a security advisory confirming the impact.
Compromised npm packages were available between May 11 at 22:45 UTC and May 12 at 01:53 UTC (roughly three hours). The PyPI release mistralai==2.4.6 is quarantined. Mistral stated an affected developer device was involved but no Mistral infrastructure was compromised. SafeDep confirmed Mistral never released v2.4.6; no commits landed May 11 and no tag exists. Wiz documented the full blast radius: 65 UiPath packages, Mistral AI SDKs, OpenSearch, Guardrails AI, 20 Squawk packages. StepSecurity attributes the campaign to TeamPCP, based on toolchain overlap with prior Shai-Hulud waves and the Bitwarden CLI/Trivy compromises. The worm runs under Bun rather than Node.js to evade Node.js security monitoring.

The attacker treated AI coding agents as part of the trusted execution environment

Socket's technical analysis of the 2.3 MB router_init.js payload identifies ten credential-collection classes running in parallel. The worm writes persistence into .claude/ and .vscode/ directories, hooking Claude Code's SessionStart config and VS Code's folder-open task runner. StepSecurity's deobfuscation confirmed the worm also harvests Claude and Kiro MCP server configurations (~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json), which store API keys and auth tokens for external services. This is an early but confirmed instance of supply-chain malware treating AI agent configurations as high-value credential targets. The npm token description the worm sets reads: "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner." It is not a bluff.

"What stood out to me about this payload is where it planted itself after running," Kennedy told VentureBeat. "It wrote persistence hooks into Claude Code's SessionStart config and VS Code's folder-open task runner so it would re-execute every time a developer opened a project, even after the npm package was removed. The attacker treated the AI coding agent as part of the trusted execution environment, which it is. These tools read your repo, run shell commands, and have access to the same secrets a developer does. Securing a development environment now means thinking about the agents, not just the packages."

CI/CD Trust-Chain Audit Grid (table): six gaps Mini Shai-Hulud exploited, what your CI/CD does today, and the control that closes each one. Sources: TanStack postmortem, StepSecurity, Socket, Snyk, Wiz, Microsoft Threat Intelligence, Mend, Endor Labs. May 12, 2026.

Security director action plan

* Today: "The fastest check is find . -name 'router_init.js' -size +1M and grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json," Kennedy said. If either returns a hit, isolate and image the machine immediately. Do not revoke tokens until the host is forensically preserved. The worm's destructive daemon triggers on revocation. Once the machine is isolated, rotate credentials in this order: npm tokens first, then GitHub PATs, then cloud keys. Hunt for .claude/settings.json and .vscode/tasks.json persistence artifacts across every project that was open on the affected machine.
* This week: Rotate every credential accessible from affected hosts: npm tokens, GitHub PATs, AWS keys, Vault tokens, K8s service accounts, SSH keys. Check your packages for unexpected versions after May 11 with commits by [email protected]. Block filev2.getsession[.]org and git-tanstack[.]com.
* This month: Audit every GitHub Actions workflow against the six gaps above. Pin OIDC publishing to specific workflows on protected branches. Isolate cache keys per trust boundary. Set npm config set min-release-age=7d. For AI/ML teams: check guardrails-ai and mistralai against compromised versions, audit CI pipelines for id-token: write exposure, and rotate every LLM API key and vector DB credential accessible from CI.
* This quarter (board-level): Fund behavioral analysis at the package registry layer. Provenance verification alone is no longer a sufficient procurement criterion for supply-chain security tooling. Require CI/CD security audits as part of vendor risk assessments for any tool with publish access to your registries. Establish a policy that no workflow with id-token: write runs from a shared cache. Treat AI coding agent configurations (.claude/, .kiro/, .vscode/) as credential stores subject to the same access controls as cloud key vaults.

The worm is iterating. Defenders must, as well

This is the fifth Shai-Hulud wave in eight months. Four SAP packages became 84 TanStack packages in two weeks. [email protected] fell 29 hours later, confirming active propagation through stolen CI/CD infrastructure. Late on May 12, malware research collective vx-underground reported that the fully weaponized Shai-Hulud worm code has been open-sourced. If confirmed, this means the attack is no longer limited to TeamPCP. Any threat actor can now deploy the same cache-poisoning, OIDC-extraction, and provenance-attested publishing chain against any npm or PyPI package with a misconfigured CI/CD pipeline.

"We've been tracking this campaign family since September 2025," Kennedy said. "Each wave has picked a higher-download target and introduced a more technically interesting access vector. The orphaned commit technique here is genuinely novel. Branch protection rules don't apply to commits that aren't on any branch. The supply chain security space has spent a lot of energy on provenance and trusted publishing over the last two years. This attack walked straight through both of those controls because the gap wasn't in the signing. It was in the scope."

Provenance tells you where a package was built. It does not tell you whether the build was authorized. That is the gap this audit is designed to close.
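The checks Kennedy quotes in the action plan, Microsoft's file indicators from the first report, and the persistence locations named throughout can be collapsed into one hunt. The script below is an added example for this page, not vendor tooling and not the worm's own code. It walks a directory tree (a developer's home directory, a CI workspace or a mounted image of a host) and reports the indicator file names, any package-lock.json that references the orphan commit hash quoted above, every Claude Code command hook in .claude/settings.json, and every VS Code task configured to run on folder open. The demo tree it builds is constructed, with filler bytes standing in for the payload and example.invalid standing in for the fork URL.

```python
"""Post-compromise hunt for the Mini Shai-Hulud artifacts named on this page.

Added example, not vendor tooling. Walks a tree and reports: the file-name
IoCs from Microsoft and the action plan (transformers.pyz, pgmonitor.py,
pgsql-monitor.service, gh-token-monitor, router_init.js over 1 MiB);
package-lock.json files referencing the orphan commit hash quoted above; and
the Claude Code hooks (.claude/settings.json) and VS Code folderOpen tasks
(.vscode/tasks.json) through which the worm re-arms after the package is
removed. The demo tree is constructed for this example.
"""
import json
import os
import sys
import tempfile

ORPHAN_COMMIT = "79ac49eedf774dd4b0cfa308722bc463cfe5885c"  # quoted on the page
IOC_NAMES = {"transformers.pyz", "pgmonitor.py", "pgsql-monitor.service"}
MIB = 1 << 20


def _load_json(path):
    """(data, None) for a JSON object, else (None, reason); JSONC comments fail here."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return None, f"unparseable ({type(exc).__name__}); review by hand"
    return (data, None) if isinstance(data, dict) else (None, "not a JSON object")


def _claude_hooks(path):
    """Yield (event, command) for every command hook in a Claude Code settings file."""
    data, err = _load_json(path)
    if data is None:
        yield ("error", err)
        return
    for event, groups in (data.get("hooks") or {}).items():
        for group in groups if isinstance(groups, list) else []:
            for hook in (group.get("hooks") or []) if isinstance(group, dict) else []:
                if isinstance(hook, dict) and hook.get("type") == "command":
                    yield (event, hook.get("command", ""))


def _vscode_autorun_tasks(path):
    """Yield (label, command) for tasks VS Code runs automatically on folder open."""
    data, err = _load_json(path)
    if data is None:
        yield ("error", err)
        return
    for task in data.get("tasks") or []:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            yield (task.get("label", "?"), task.get("command", ""))


def hunt(root):
    """Return sorted (kind, path relative to root, detail) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        base = os.path.basename(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in IOC_NAMES or "gh-token-monitor" in name:
                findings.append(("ioc-file", rel, ""))
            elif name == "router_init.js" and os.path.getsize(path) > MIB:
                findings.append(("ioc-file", rel, f"{os.path.getsize(path)} bytes"))
            elif name == "package-lock.json":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if ORPHAN_COMMIT in fh.read():
                        findings.append(("lockfile-orphan-commit", rel, ORPHAN_COMMIT))
            elif base == ".claude" and name in ("settings.json", "settings.local.json"):
                for event, cmd in _claude_hooks(path):
                    findings.append(("claude-hook", rel, f"{event}: {cmd}"))
            elif base == ".vscode" and name == "tasks.json":
                for label, cmd in _vscode_autorun_tasks(path):
                    findings.append(("vscode-folderopen-task", rel, f"{label}: {cmd}"))
    return sorted(findings)


def demo():
    """Build a constructed tree with one of each artifact plus a clean project."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(rel, content):
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
                fh.write(content)
        write("tmp/transformers.pyz", b"")                              # name only
        write("app/node_modules/x/router_init.js", b"\n" * (MIB + 1))   # filler bytes
        write("app/package-lock.json", json.dumps({"packages": {"node_modules/x": {
            "resolved": "git+https://example.invalid/r.git#" + ORPHAN_COMMIT}}}))
        write("app/.claude/settings.json", json.dumps({"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "node .claude/hook.js"}]}]}}))
        write("app/.vscode/tasks.json", json.dumps({"version": "2.0.0", "tasks": [
            {"label": "setup", "type": "shell", "command": "node .vscode/init.js",
             "runOptions": {"runOn": "folderOpen"}}]}))
        write("clean/.vscode/tasks.json", json.dumps({"version": "2.0.0", "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"}]}))
        return [(kind, rel) for kind, rel, _ in hunt(tmp)]


if __name__ == "__main__":
    for kind, rel, detail in hunt(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")):
        print(kind, rel, detail)
```

Run it against a forensic copy rather than the live host, and before revoking anything, since the page notes the destructive daemon is triggered by token revocation. A tasks.json written with JSONC comments will not parse and is reported as an error rather than silently skipped; open it by hand. The systemd unit and the gh-token-monitor service are matched by file name only, so also list recently modified units under /etc/systemd/system and the user's LaunchAgents directory on macOS.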
[5]
OpenAI Confirms Security Breach Linked to AI Malware Campaign - Decrypt
The disclosure follows earlier reports involving Microsoft and Mistral AI tied to the same broader malware campaign.

OpenAI confirmed this week that hackers tied to the Shai-Hulud malware campaign breached parts of its internal development environment through a compromised open-source software package. The incident follows similar disclosures from Mistral AI as hackers increasingly target software tools used to build AI models and applications.

In a blog post on Wednesday, OpenAI said hackers compromised TanStack packages on npm, the registry developers use to download and manage JavaScript packages. The company said malware infected two employee devices, and gave attackers access to a small number of internal code storage systems before OpenAI stopped the activity.

"We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access," OpenAI wrote. The company said it found no evidence that customer data, production systems, or intellectual property were compromised.

OpenAI said the impacted repositories included code-signing certificates used for products on macOS, Windows, and iOS. Those certificates help operating systems verify that software actually comes from a trusted company and has not been altered. "As a result, we are rotating code-signing certificates as a precaution, which will require macOS users to update their applications," the company said. "Users do not need to take any action for Windows and iOS apps. Additional guidance will be provided to macOS users regarding these required updates." OpenAI said macOS users must update OpenAI apps before June 12. Older versions signed with the previous certificates may stop functioning after that date. OpenAI did not immediately respond to a request for comment by Decrypt.

The disclosure follows reports earlier this week involving Microsoft and French AI startup Mistral AI tied to the same broader malware campaign. On Monday, Microsoft Threat Intelligence said attackers inserted malicious code into a Mistral AI software package distributed through PyPI, a platform developers use to download Python software tools. According to Microsoft, the malware downloaded another malicious file designed to resemble Hugging Face's popular Transformers library, so it would blend into AI development environments.

OpenAI said the attacks highlight growing risks across the tech industry. "This incident reflects a broader shift in the threat landscape: Attackers are increasingly targeting shared software dependencies and development tooling rather than any single company," the company wrote.
A sophisticated supply-chain attack called Mini Shai-Hulud has compromised over 172 npm and PyPI packages, including packages from TanStack, Mistral AI, UiPath, OpenSearch and Guardrails AI, and has reached into OpenAI's internal development environment. The credential-stealing malware, attributed to the TeamPCP threat group, hijacked a legitimate publishing pipeline to deliver validly signed malicious packages that stole GitHub tokens, cloud credentials, and CI/CD secrets from developer environments.

A massive supply-chain attack has struck the heart of AI development infrastructure, compromising over 172 packages across the npm and PyPI ecosystems, hijacking TanStack's release pipeline, and reaching developer devices at Mistral AI and OpenAI. The Mini Shai-Hulud worm, attributed to the TeamPCP threat group, marks an escalation in software supply-chain threats as the first documented npm worm to produce malicious packages carrying valid SLSA Build Level 3 provenance attestations [2]. Between 19:20 and 19:26 UTC on May 11, attackers published 84 malicious versions across 42 TanStack packages, and within 48 hours the campaign had expanded to 403 malicious versions across 172 packages spanning npm and PyPI [4]. The compromised npm packages appeared cryptographically authentic to developers: their provenance and signatures were genuine, so conventional verification could not distinguish them from legitimate releases.

Source: VentureBeat

The TanStack compromise began when attackers chained three weaknesses to hijack the project's legitimate release pipeline. According to TanStack's post-mortem, the attack started with a malicious fork whose pull request triggered a pull_request_target workflow, poisoned the GitHub Actions cache, and extracted the OIDC token directly from runner process memory [3]. This let the attackers publish packages through the project's own GitHub Actions release pipeline using the hijacked OIDC token, with each malicious package carrying valid provenance attestations tied to the legitimate Release workflow [2]. The @tanstack/react-router package alone receives 12.7 million weekly downloads, and the affected packages total 518 million cumulative downloads [4]. Researchers at Endor Labs highlighted an orphaned-commit trick: the attackers pushed a commit to a fork of TanStack/router that belonged to no branch yet remained accessible through GitHub's shared fork object storage, so branch protection rules never applied to it [3][4].

The credential stealer dropped by the compromised packages is comprehensive. It harvests credentials from over 100 file paths, including AWS keys, SSH private keys, npm tokens, GitHub personal access tokens, HashiCorp Vault tokens, Kubernetes service accounts, Docker configurations, and cryptocurrency wallets [4]. For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, and it steals Claude and Kiro AI agent configurations, including MCP server authentication tokens [4]. The npm payload is an obfuscated JavaScript file (router_init.js) that profiles the execution environment before launching the credential theft routines [2]. Stolen data is exfiltrated to the filev2.getsession[.]org domain over Session Protocol infrastructure, a deliberate choice that helps evade detection because the domain belongs to a decentralized, privacy-focused messaging service unlikely to be blocked in enterprise environments; as a fallback, encrypted data is committed to attacker-controlled GitHub repositories using stolen GitHub tokens [2].

The campaign extended beyond npm to PyPI. Mistral AI confirmed the impact of a malicious version 2.4.6 of the mistralai package, a version Mistral says it never released [4]. Microsoft Threat Intelligence reported that the package contained malicious code inserted into mistralai/client/__init__.py that silently downloaded a file from a remote IP address to /tmp/transformers.pyz and executed it whenever the package was imported on Linux [1]. The filename was chosen to resemble Hugging Face's widely used Transformers framework, letting the malware blend into machine-learning environments [1]. The payload contained country-aware logic designed to avoid Russian-language environments and a geofenced destructive branch with a 1-in-6 chance of executing rm -rf / when the system appeared to be in Israel or Iran [2]. Socket noted that the malicious code runs on import rather than at install time: it checks for Linux, downloads the remote Python artifact, writes it to /tmp/transformers.pyz and executes it with python3 without any integrity verification [2]; npm-side controls such as lockfile enforcement and --ignore-scripts offer no protection against this path [4].

Source: Hacker News

OpenAI confirmed that hackers tied to the Shai-Hulud campaign breached parts of its internal development environment through compromised TanStack npm packages. In a blog post, OpenAI stated that malware infected two employee devices and gave attackers access to a small number of internal code storage systems before the company stopped the activity [5]. The company observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration in a limited subset of internal source code repositories [5]. The impacted repositories included code-signing certificates used for products on macOS, Windows, and iOS, prompting OpenAI to rotate the certificates as a precaution [5]. macOS users must update their applications before June 12, as older versions signed with the previous certificates may stop functioning after that date [5].

What makes the Mini Shai-Hulud worm particularly dangerous is its ability to self-propagate and to establish persistence that survives package removal. The malware installs hooks in Claude Code and VS Code, writing itself into .claude/settings.json and .vscode/tasks.json (with runOn: folderOpen) so that it re-executes every time a project is opened [4]. These persistence files live in the project tree rather than in node_modules, so uninstalling the malicious package does not remove the threat [4]. The worm also installs a gh-token-monitor service to re-exfiltrate GitHub tokens and injects two malicious GitHub Actions workflows that serialize repository secrets into JSON and upload them to an external server [2]. Its self-propagation routine locates a publishable npm token with bypass_2fa set to true, enumerates every package published by the same maintainer, and exchanges a GitHub OIDC token for a per-package publish token to sidestep conventional authentication entirely [2].

Source: BleepingComputer

This attack exposes critical weaknesses in how developer infrastructure handles provenance verification and trust boundaries. Microsoft advised organizations to isolate affected Linux hosts, block outbound connections to the malicious IP address, hunt for indicators including /tmp/transformers.pyz, pgmonitor.py and pgsql-monitor.service, and rotate any potentially exposed credentials immediately [1]. Because the attack produces valid SLSA Build Level 3 attestations for malicious packages, researchers say organizations must go beyond provenance verification and add a behavioral analysis layer at install time alongside signature-based checks for known-malicious packages [3]. The TanStack incident has been assigned CVE-2026-45321 with a CVSS score of 9.6 out of 10.0, indicating critical severity [2]. OpenAI noted that the attacks reflect a broader shift in the threat landscape, with attackers increasingly targeting shared software dependencies and development tooling rather than any single company [5]. Organizations that installed affected packages should assume their credentials were exposed, rotate them, and enforce lockfile-only installs to prevent silent package updates from introducing compromised versions [3]; provenance tells you where a package was built, not whether the build was authorized [4].

Summarized by Navi