TeamPCP — the threat actor behind a recent string of high-profile supply chain attacks — has launched a fresh wave of package compromises under a campaign dubbed Mini Shai-Hulud, targeting npm and PyPI packages from some of the most widely used open-source and AI tooling ecosystems.
The campaign has been linked to the compromise of packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI, with the modified packages delivering credential-stealing payloads designed to exfiltrate secrets from developer environments and CI/CD pipelines.
What Is Mini Shai-Hulud?
The Mini Shai-Hulud campaign name — a reference to the massive sandworms from Frank Herbert's Dune — follows TeamPCP's earlier Shai-Hulud and Mini Shai-Hulud attacks against SAP packages, PyTorch Lightning, and Intercom clients. The campaign is characterized by:
- Package tampering — Legitimate npm and PyPI packages are modified to include malicious credential-harvesting code before republication
- Self-spreading worm behavior — Compromised packages are designed to propagate infections to related packages and toolchains
- CI/CD targeting — Payloads specifically target build environments to exfiltrate secrets, tokens, and API keys stored in pipeline configuration
- Multi-registry attack surface — Simultaneous targeting of both npm (JavaScript) and PyPI (Python) registries maximizes reach
Affected Packages
| Package | Registry | Organization |
|---|---|---|
| TanStack packages | npm | TanStack |
| UiPath automation libraries | PyPI/npm | UiPath |
| Mistral AI SDK packages | PyPI/npm | Mistral AI |
| OpenSearch client libraries | PyPI/npm | OpenSearch Project |
| Guardrails AI packages | PyPI | Guardrails AI |
The affected npm packages have been modified to include malicious payloads that execute during installation or build processes.
Credential Theft Mechanism
The Mini Shai-Hulud payloads are engineered to:
1. Execute silently during npm install / pip install
2. Enumerate environment variables for secrets and tokens
3. Target CI/CD-specific variables (GitHub Actions, GitLab CI, Jenkins)
4. Exfiltrate credentials to TeamPCP-controlled infrastructure
5. Attempt to spread to other packages in the project dependency tree
The worm component attempts to compromise additional packages by abusing stolen maintainer tokens — a technique that can amplify the blast radius well beyond the initially compromised packages.
TeamPCP: Prolific Supply Chain Attacker
TeamPCP has emerged as one of the most active supply chain threat actors in 2026, responsible for a string of high-profile incidents:
- Trivy GitHub Actions breach — Hijacked 75+ container image tags to steal CI/CD secrets
- Bitwarden CLI compromise — Part of a broader Checkmarx supply chain campaign
- SAP npm package attack — The original Mini Shai-Hulud wave targeting SAP-adjacent packages
- PyTorch Lightning and Intercom client — Credential theft via tampered packages
- Checkmarx Jenkins AST Plugin — Compromise of a widely used security scanning tool
Impact Assessment
The reach of this campaign is significant. TanStack packages (including TanStack Query, TanStack Table, and TanStack Router) are used by hundreds of thousands of JavaScript projects. Mistral AI's Python SDK is widely used in AI application development. Guardrails AI is embedded in LLM safety and validation pipelines across enterprise deployments.
Any organization that installed or updated these packages during the compromise window should:
- Audit CI/CD secrets — Rotate all tokens, API keys, and credentials that may have been exposed in build environments
- Check package hashes — Verify installed versions against known-good checksums from before the compromise
- Review pipeline logs — Look for unexpected network connections during build processes
- Enable dependency pinning — Lock package versions and use checksums to prevent silent updates
- Monitor for lateral movement — Check for unauthorized access attempts using any exposed credentials
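An added example (not from the original article or any affected project) of the hash-check and pinning steps above, for npm: it compares a current package-lock.json against a known-good copy from before the compromise window and flags changed integrity hashes, version changes, and install scripts that were not there before. The package names and integrity strings are constructed placeholders, and `audit_lockfile` is a hypothetical helper name.

```python
import json
import sys

def audit_lockfile(baseline: dict, current: dict) -> list:
    """Return (package path, reason) findings for `current` versus a known-good `baseline`."""
    known = baseline.get("packages", {})
    findings = []
    for path, entry in current.get("packages", {}).items():
        # Skip the root project, workspace links and bundled deps (no registry tarball).
        if path == "" or entry.get("link") or entry.get("inBundle"):
            continue
        old = known.get(path)
        if "integrity" not in entry:
            findings.append((path, "missing-integrity"))
        if old is None:
            findings.append((path, "new-package"))
        elif old.get("version") != entry.get("version"):
            findings.append((path, "version-changed"))
        elif old.get("integrity") != entry.get("integrity"):
            # Same version but a different tarball hash than the baseline recorded.
            findings.append((path, "integrity-changed"))
        # Lifecycle scripts are what run code during `npm install`.
        if entry.get("hasInstallScript") and not (old or {}).get("hasInstallScript"):
            findings.append((path, "new-install-script"))
    return findings

# Constructed sample data: hypothetical package names and placeholder integrity strings.
SAMPLE_BASELINE = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-query": {"version": "5.0.0", "integrity": "sha512-CONSTRUCTED-A"},
    "node_modules/example-table": {"version": "8.1.0", "integrity": "sha512-CONSTRUCTED-B"},
    "node_modules/example-util": {"version": "1.2.3", "integrity": "sha512-CONSTRUCTED-C"},
}}
SAMPLE_CURRENT = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-query": {"version": "5.0.0", "integrity": "sha512-CONSTRUCTED-X"},
    "node_modules/example-table": {"version": "8.1.1", "integrity": "sha512-CONSTRUCTED-D",
                                   "hasInstallScript": True},
    "node_modules/example-util": {"version": "1.2.3", "integrity": "sha512-CONSTRUCTED-C"},
    "node_modules/example-sdk": {"version": "0.4.0"},
}}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py known-good-lock.json current-lock.json
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            base, cur = json.load(a), json.load(b)
    else:
        base, cur = SAMPLE_BASELINE, SAMPLE_CURRENT
    for path, reason in audit_lockfile(base, cur):
        print(f"{reason:20} {path}")
```

In CI, `npm ci` installs exactly what the lockfile records, and adding `--ignore-scripts` keeps lifecycle scripts from running during the install.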
Defensive Measures
The Mini Shai-Hulud campaign underscores the growing threat to open-source supply chains. Security teams should implement:
- Software Composition Analysis (SCA) with real-time malicious package detection
- Network egress filtering in CI/CD environments to detect data exfiltration attempts
- Secrets scanning in pipelines and repositories
- Package manager security policies (npm audit, pip-audit, verified publishers)
- Build isolation — Run builds in ephemeral, network-restricted environments where possible
Key Takeaway: TeamPCP's Mini Shai-Hulud campaign demonstrates that supply chain attackers are now systematically targeting AI tooling and developer infrastructure ecosystems — not just individual packages. Any organization using npm or PyPI packages from the affected projects should treat this as an active incident until credentials have been rotated.