The Mini Shai-Hulud worm is back. Researchers have identified a fresh wave of infections across the TanStack open source ecosystem — hundreds of npm packages compromised by the self-propagating, credential-stealing malware linked to the TeamPCP threat group. The latest campaign extends a pattern of increasingly aggressive npm supply chain attacks that have targeted developer tooling, AI frameworks, and enterprise software packages throughout 2026.
What Is Mini Shai-Hulud?
Mini Shai-Hulud is a self-spreading npm worm that propagates through the npm package registry by:
- Infecting legitimate packages — modifying package source code to include credential-stealing payloads
- Hijacking maintainer tokens — stealing npm authentication tokens from developer environments to push malicious versions
- Self-propagation — using stolen tokens to infect other packages in the same maintainer's account or organization
- Credential exfiltration — stealing CI/CD secrets, environment variables, and authentication tokens from build environments
The worm was first observed targeting Mistral AI, Guardrails AI, and a cluster of SAP-related packages in campaigns earlier in 2026 attributed to TeamPCP.
The TanStack Ecosystem
The latest infections target packages in the TanStack ecosystem — a widely used collection of open source JavaScript/TypeScript libraries including:
- TanStack Query (formerly React Query) — data fetching and state management
- TanStack Table — headless table components
- TanStack Router — type-safe routing
- TanStack Form — form management
- TanStack Virtual — virtual rendering
TanStack libraries are installed millions of times per week and are embedded in production applications across the JavaScript ecosystem. Infections here have the potential to reach a very large number of developer environments and CI/CD pipelines.
How the Infection Spreads
The worm needs no flaw in the registry itself: it rides the normal npm publish workflow on stolen maintainer credentials, which is what lets it propagate at scale:
Step 1: Initial Access
└── TeamPCP gains access to a maintainer's npm token
(via phishing, malware, or leaked CI/CD secret)
Step 2: Malicious Publish
└── Worm publishes a new, slightly higher version of a legitimate package
containing the credential-stealing payload
Step 3: Payload Execution
└── Developers who run "npm install" or upgrade pull the infected version
Payload executes in the developer's environment or CI pipeline
Step 4: Token Harvesting
└── Payload exfiltrates npm tokens, AWS credentials, GitHub tokens,
and other secrets found in environment variables
Step 5: Self-Propagation
└── Using stolen tokens, worm publishes infected versions to
additional packages in victim maintainer's account
Step 6: Expand
└── Process repeats across the ecosystem
Scope of the Current Campaign
Dark Reading reports hundreds of packages in the TanStack ecosystem have been affected by the latest wave. The scale suggests:
- Multiple maintainer accounts compromised — token theft from several developers, not a single account
- Automated propagation — the worm's self-spreading mechanism operating at machine speed
- Short detection window — infected package versions may be pulled quickly but not before download counts accumulate
npm's security team and the open source community have been notified. TeamPCP's earlier campaigns against the Checkmarx Jenkins AST plugin and SAP packages demonstrated the group's capability and willingness to escalate across ecosystem boundaries.
TeamPCP: Escalating Supply Chain Threat
TeamPCP has become one of the most active supply chain threat actors in 2026. Their campaign history this year includes:
| Campaign | Target | Method | Impact |
|---|---|---|---|
| Mini Shai-Hulud v1 | Mistral AI, Guardrails AI npm packages | Self-propagating worm | Credential theft from AI developer environments |
| Shai-Hulud (SAP) | SAP-related npm packages | Worm + PyPI cross-infection | 1,800+ packages, enterprise CI/CD exposure |
| Checkmarx Jenkins AST | Checkmarx Jenkins plugin | Repository compromise | Injected malicious CI pipeline step |
| KICS Docker Images | Checkmarx KICS | Container image tampering | Malicious images pulled in build pipelines |
| Mini Shai-Hulud v2 | TanStack ecosystem | Worm redeployment | Hundreds of packages, broad developer exposure |
Immediate Actions for Developers
If your projects depend on TanStack packages or any npm package from an affected maintainer:
1. Audit Your npm Lock Files
# npm audit only reports versions the registry has already flagged; a freshly
# published malicious version will not appear until it has been reported and pulled
npm audit
# Review the lock file for version bumps you did not make
git diff package-lock.json
# List every installed TanStack package, transitive ones included, with its version
npm ls --all 2>/dev/null | grep @tanstack
2. Rotate Any Exposed Secrets
If your CI/CD pipeline or workstation installed a potentially infected version, treat every secret that was present in the environment at install time as stolen and rotate it:
# - npm tokens: create a replacement, then revoke the old one
#   npm token create
#   npm token revoke <token-id>
# - AWS access keys / IAM credentials
# - GitHub personal access tokens and Actions secrets
# - Any other secret exposed as an environment variable in the build
Rotate first and investigate second: the payload runs at install time, so by the time an infected version is noticed the secrets have usually already left the environment.
3. Pin Dependencies to Known-Good Versions
Pin to an exact version, not a range. "5.x.x" is an x-range that still resolves to the newest matching release, including a freshly published malicious one. Use the exact version you have verified as clean (5.0.0 below is a placeholder, not a statement about any real release), and repeat it under overrides so that transitive dependencies cannot pull in a different version. package.json does not allow comments, so the block is plain JSON:
{
  "dependencies": {
    "@tanstack/react-query": "5.0.0"
  },
  "overrides": {
    "@tanstack/react-query": "5.0.0"
  }
}
Commit the lock file and install with npm ci in CI so that resolved versions cannot drift between builds.
4. Review npm Token Scope and Expiry
# List your npm tokens
npm token list
# Revoke any token that is overly permissive, unused, or of unknown origin
npm token revoke <token-id>
# Create read-only tokens for CI jobs that only need to install packages
npm token create --read-only
A token that can only read cannot be used by the worm to publish, and publishing is the step that turns one compromised developer into an ecosystem-wide infection.
5. Enable and Verify npm Provenance
npm package provenance attaches a signed attestation linking a published version to the source repository and CI workflow that built it. A version pushed from a developer machine or from an unrelated job with a stolen token carries no such attestation, so consumers who verify provenance can tell it apart from a genuine release. Provenance only helps for packages whose maintainers publish with it, and a stolen CI credential could still produce an attested build, so treat it as one signal rather than a guarantee.
# Maintainers: publish with provenance from a supporting CI system (for example GitHub Actions with OIDC)
npm publish --provenance
# Consumers: verify registry signatures and provenance attestations for every installed package
npm audit signatures
# Inspect the attestation metadata, if any, for a specific published version
npm view <package-name>@<version> dist.attestations
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected npm token usage | New publish events from your token you did not initiate |
| Package version bumps not in your changelog | Minor version increments you did not release |
| Outbound connections from CI to unknown IPs | Exfiltration during build |
| New environment variable reads at install time | Payload harvesting secrets |
| npm audit warnings on TanStack packages | Registry-flagged infected versions |
Ecosystem Response
The npm security team and GitHub (which owns npm) have processes for removing malicious package versions and revoking compromised tokens. However, the time between malicious publication and removal creates a window during which developers who run npm install may pull infected code.
The TanStack maintainers are expected to respond with clean re-releases once the compromised tokens are revoked and the worm's modifications removed from the package source.