HackRead

TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages


A hacking group known as TeamPCP launched a massive coordinated supply chain attack using a self-propagating worm. On 11 May 2026, the group poisoned hundreds of packages across npm and PyPI. This specific wave, dubbed Mini Shai-Hulud, was identified and reported by multiple security firms, including Endor Labs, Wiz, SafeDep, Socket, and StepSecurity.

The attack was extremely fast: within five hours, TeamPCP published over 400 malicious versions across 172 distinct packages, including high-profile targets such as TanStack, Mistral AI, OpenSearch, Guardrails AI and UiPath.

Initial Access and Infiltration

According to SafeDep, one of the first firms to detect the burst of malicious publications on the night of 11 May, TeamPCP gained unauthorised access to legitimate CI/CD pipelines by hijacking OpenID Connect (OIDC) tokens.

This hijacking allowed them to publish malicious updates that appeared official, complete with valid SLSA provenance attestations that fooled standard security filters.

Reportedly, the group used different deployment methods for the Mini Shai-Hulud worm depending on the target. For Mistral AI, it used a preinstall hook to run setup.mjs, a file that downloaded a Bun runtime in order to execute a 2.2 MB obfuscated credential stealer named router_init.js.

For TanStack, by contrast, the group used an optionalDependency pointing to a malicious GitHub commit. Because the packages' own scripts remained untouched, the infection was difficult to spot during manual code review.
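Both delivery mechanisms leave traces in a package's own manifest that a dependency reviewer can look for. The script below is an added example written for this article, not code from any of the projects or research firms named; it inspects package.json documents for install-time lifecycle scripts and for dependency specifiers that resolve to a git repository or GitHub commit instead of a registry release. The sample manifests, package names and the commit hash in it are constructed.

```python
"""Flag npm manifests that run code at install time or pull a dependency from git.

Added example for this article; it is not code from any of the projects or
research firms named above. It checks a package.json for the two delivery
mechanisms described: lifecycle scripts that npm executes during install, and
dependency specifiers that resolve to a git repository or GitHub commit rather
than a registry release. All manifests below are constructed samples.
"""
import json
import re

# npm runs these three scripts automatically as part of `npm install`.
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")

GIT_PREFIXES = ("git+", "git://", "github:", "gitlab:", "bitbucket:", "gist:")
GITHUB_URL = re.compile(r"^https?://(www\.)?github\.com/")
# npm's bare shorthand for a GitHub repo: owner/repo or owner/repo#commit-ish.
GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#\S*)?$")


def is_git_specifier(spec: str) -> bool:
    """True when a dependency specifier resolves to git rather than to the registry."""
    s = spec.strip()
    if s.startswith(GIT_PREFIXES) or GITHUB_URL.match(s):
        return True
    # Scoped names (@scope/pkg) and aliases (npm:@scope/pkg@1) contain characters
    # outside \w before the slash, so they do not match the shorthand pattern.
    return GITHUB_SHORTHAND.match(s) is not None


def audit_manifest(manifest: dict) -> list[str]:
    """Return one finding per install-time script or git-sourced dependency."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    for hook in INSTALL_SCRIPTS:
        if hook in manifest.get("scripts", {}):
            findings.append(f"{name}: '{hook}' script runs during install: "
                            f"{manifest['scripts'][hook]!r}")
    for section in ("dependencies", "optionalDependencies", "devDependencies"):
        for dep, spec in manifest.get(section, {}).items():
            if is_git_specifier(spec):
                findings.append(f"{name}: {section}[{dep!r}] is fetched from git: {spec!r}")
    return findings


def audit_manifest_text(text: str) -> list[str]:
    """Convenience wrapper for a package.json read from disk."""
    return audit_manifest(json.loads(text))


# Constructed samples: the first two imitate the delivery patterns described in
# the article (install hook; git-pinned optional dependency); the third is clean.
SAMPLES = [
    {"name": "example-sdk", "version": "9.9.9",
     "scripts": {"preinstall": "node setup.mjs", "test": "vitest"},
     "dependencies": {"zod": "^3.23.0"}},
    {"name": "example-router", "version": "9.9.9",
     "scripts": {"build": "tsc"},
     "optionalDependencies": {
         "example-helper": "github:example-org/example-helper#0123456789abcdef"}},
    {"name": "example-clean", "version": "1.0.0",
     "scripts": {"build": "tsc"}, "dependencies": {"zod": "^3.23.0"}},
]


def audit_all(manifests=SAMPLES) -> dict[str, list[str]]:
    """Audit every manifest and key the findings by package name."""
    return {m["name"]: audit_manifest(m) for m in manifests}


if __name__ == "__main__":
    for pkg, findings in audit_all().items():
        print(("FLAGGED " if findings else "ok      ") + pkg)
        for line in findings:
            print("    " + line)
```

Run it over the package.json files under node_modules after an install. A hit is a reason to read the referenced script or commit, not proof of compromise: legitimate packages also use install hooks and git pins. Tarball URLs (https://…/x.tgz) are not covered by this check.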

“The TanStack ecosystem took the largest hit by package count among well-known projects. The attacker published malicious versions of every router-related package: @tanstack/react-router, @tanstack/vue-router, @tanstack/solid-router, along with their devtools, SSR query plugins, start frameworks, and build tooling. Two versions per package,” SafeDep’s blog post revealed.

The campaign expanded to PyPI on 12 May 2026. The group targeted mistralai (2.4.6) and guardrails-ai (0.10.1) by injecting code into __init__.py: a dropper that downloaded a malicious file called transformers.pyz from the domain git-tanstack.com.

TeamPCP targeted the entire @uipath scope and all three Mistral AI SDKs on npm and PyPI, compromising dozens of automation and AI tools, including the OpenSearch client and the Guardrails AI framework.

“The attacker published malicious versions across 170 distinct packages in a single coordinated campaign… compromising every package under @tanstack, @uipath, @tallyui, and several others in bulk… This included OpenSearch (1.3M weekly npm downloads) and Guardrails AI on PyPI,” SafeDep noted.

Credential Theft and Self-Propagation

Mini Shai-Hulud targets a wide range of sensitive data, specifically AWS IAM credentials, HashiCorp Vault secrets, and GitHub tokens, and after stealing these, it moves laterally through the victim’s infrastructure to find more targets.

TeamPCP also designed the malware to self-propagate. It uses stolen tokens to write new, malicious files such as .claude/settings.json and .vscode/tasks.json into the victim's own projects, so that any other developer working on those projects may be infected as well.
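One defensive response is to look for those files in a checkout. The script below is an added example for this article, not code from any of the firms cited. The article does not describe what the planted files contain, so the check only reports that the two paths exist and, for .vscode/tasks.json, lists tasks whose runOptions.runOn is set to folderOpen, the VS Code setting that starts a task automatically when the folder is opened. The repository it builds in a temporary directory is constructed.

```python
"""Report editor and agent config files that a compromised dependency may have written.

Added example for this article; not code from any of the research firms cited.
The article names .claude/settings.json and .vscode/tasks.json as files the
worm writes into victims' projects but does not describe their contents, so
this check reports their presence and, for tasks.json, any task VS Code would
start automatically when the folder is opened. The repository scanned by
demo() is constructed in a temporary directory.
"""
import json
import tempfile
from pathlib import Path

# Paths the article reports the worm writing into victim projects.
WATCHED = (".claude/settings.json", ".vscode/tasks.json")


def auto_run_tasks(tasks_json: dict) -> list[str]:
    """Labels of tasks configured with runOptions.runOn == "folderOpen".

    That setting makes VS Code run the task when the folder is opened, i.e.
    without any developer action beyond opening the project.
    """
    labels = []
    for task in tasks_json.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            labels.append(task.get("label") or str(task.get("command")))
    return labels


def scan_repo(root: Path) -> dict:
    """Map each watched path that exists under root to what was found in it."""
    report = {}
    for rel in WATCHED:
        path = root / rel
        if not path.is_file():
            continue
        entry = {"present": True, "auto_run_tasks": [], "parse_error": False}
        if rel.endswith("tasks.json"):
            try:
                entry["auto_run_tasks"] = auto_run_tasks(json.loads(path.read_text()))
            except json.JSONDecodeError:
                # VS Code accepts comments in tasks.json, which a strict JSON
                # parser rejects. The file is still reported for manual review.
                entry["parse_error"] = True
        report[rel] = entry
    return report


def demo() -> dict:
    """Build a constructed checkout containing both files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(json.dumps({
            "version": "2.0.0",
            "tasks": [
                {"label": "build", "type": "shell", "command": "npm run build"},
                # Constructed: a task that fires as soon as the folder is opened.
                {"label": "bootstrap", "type": "shell",
                 "command": "node ./scripts/bootstrap.js",
                 "runOptions": {"runOn": "folderOpen"}},
            ],
        }))
        (root / ".claude").mkdir()
        # Constructed placeholder; the article does not give the real contents.
        (root / ".claude" / "settings.json").write_text("{}")
        return scan_repo(root)


if __name__ == "__main__":
    for rel, entry in demo().items():
        print(rel, entry)
```

Pair the output with `git log -- .vscode/tasks.json .claude/settings.json` to see when and by whom the files were introduced; a file that appeared in a commit made with a CI token rather than by a developer deserves a close look.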

Exfiltration Methods

The malware evaded standard network monitoring by using the Session protocol, an onion-routed messenger network. Rather than sending stolen data to a conventional command-and-control (C2) server, it routed encrypted messages through the decentralised Oxen network.

Mistral AI has published two security advisories confirming the compromise of its packages.

“The compromised npm packages were removed by the registry. They were available only between May 11 at 22:45 UTC and May 12 at 01:53 UTC. The compromised PyPI release mistralai==2.4.6 was uploaded around May 12 at 00:05 UTC, and the project is currently quarantined on PyPI. Previous versions are not affected,” the advisory read.

Researchers recommend that developers immediately audit their lockfiles, and that any environment containing mistralai 2.4.6 or guardrails-ai 0.10.1 be treated as fully compromised, requiring a complete rotation of all credentials.
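A lockfile audit of this kind can be scripted. The example below was written for this article and is not code from the researchers or vendors quoted; it walks a package-lock.json (lockfile v1, v2 or v3) and a pip freeze-style requirements file and reports any entry that matches a table of affected versions. The two PyPI rows in that table are the releases named above; the npm row, the package names and the lockfile contents are constructed placeholders.

```python
"""Audit npm and pip lockfiles against a table of affected package versions.

Added example for this article; not code from the researchers or vendors
quoted. The PyPI rows of KNOWN_BAD are the two releases the article names.
The npm row and every name, version and lockfile excerpt below are
constructed placeholders showing where real advisory data would go.
"""
import json
import re
from typing import Optional

# (ecosystem, normalised name) -> affected versions
KNOWN_BAD = {
    ("pypi", "mistralai"): {"2.4.6"},
    ("pypi", "guardrails-ai"): {"0.10.1"},
    # PLACEHOLDER row (constructed): copy affected npm versions from the advisories.
    ("npm", "@example-scope/example-router"): {"0.0.0-placeholder"},
}


def normalise_pypi(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def npm_lock_versions(lock: dict) -> set[tuple[str, str]]:
    """(name, version) pairs for every installed package in package-lock.json.

    Lockfile v2/v3 list packages by install path under "packages"; v1 (and the
    v2 compatibility tree) nest them under "dependencies". Both are read.
    """
    found = set()
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project itself
            # "node_modules/a/node_modules/@s/b" -> "@s/b"
            found.add((path.split("node_modules/")[-1], meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if "version" in meta:
                found.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


# name, optional extras, '==', version; stops before markers (';') and comments.
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def pip_pins(requirements: str) -> set[tuple[str, str]]:
    """(normalised name, version) pairs from pinned requirements / pip freeze output."""
    found = set()
    for line in requirements.splitlines():
        m = PIN.match(line)
        if m:
            found.add((normalise_pypi(m.group(1)), m.group(3)))
    return found


def audit(npm_lock: Optional[dict], requirements: Optional[str]) -> list[str]:
    """Return a sorted list of installed versions that appear in KNOWN_BAD."""
    hits = []
    if npm_lock:
        for name, ver in sorted(npm_lock_versions(npm_lock)):
            if ver in KNOWN_BAD.get(("npm", name), ()):
                hits.append(f"npm {name}@{ver}")
    if requirements:
        for name, ver in sorted(pip_pins(requirements)):
            if ver in KNOWN_BAD.get(("pypi", name), ()):
                hits.append(f"pypi {name}=={ver}")
    return hits


# Constructed lockfile v3 excerpt.
SAMPLE_PACKAGE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@example-scope/example-router": {"version": "0.0.0-placeholder"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/zod": {"version": "3.22.0"},
    },
}

# Constructed `pip freeze` output; casing, extras and markers exercise the parser.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
MistralAI==2.4.6
guardrails_ai[all]==0.10.1 ; python_version >= "3.9"
numpy==1.26.4
"""

if __name__ == "__main__":
    hits = audit(SAMPLE_PACKAGE_LOCK, SAMPLE_REQUIREMENTS)
    for h in hits:
        print("AFFECTED:", h)
    if hits:
        print("Treat this environment as compromised and rotate every credential it held.")
```

Feed it `json.load(open("package-lock.json"))` and the text of a requirements file or `pip freeze` output. A match on a host or CI runner means the install scripts described above have already run there, which is why the recommendation is credential rotation rather than just removing the package.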

These recent attacks reveal an escalating pattern: TeamPCP has been notoriously active this year, using similar tactics to compromise the Bitwarden CLI password manager on npm.

Just last month, it targeted Aqua Security’s Trivy scanner. That incident was particularly severe, as it led to a massive data breach at the European Commission’s Europa.eu web hub, where over 90GB of sensitive data was exfiltrated.

Experts’ Perspectives

Security professionals warn that this attack represents a critical change in how hackers target the software supply chain. Boris Cipot, Principal Security Engineer at Black Duck, told Hackread.com that the incident is a “clear escalation” because the attacker “hijacked the CI/CD pipeline itself.” Cipot noted, “The industry moved to ‘trust the pipeline,’ and attackers have now targeted exactly that trust anchor.”

Jonathan Stross, SAP Security Analyst at Pathlock, agreed, stating that Mini Shai-Hulud should be seen as an “evolving supply-chain playbook.” Stross highlighted that “the attacker appears to have abused trusted CI/CD publishing paths and short-lived OIDC tokens, resulting in malicious package versions that still carried valid provenance attestations.”

The stealthy nature of the campaign was also noted by Jason Soroko, Senior Fellow at Sectigo. He explained that the attack “represents a severe escalation… because it successfully weaponises trust.” Soroko added that by using the Bun runtime and GitHub dependencies, the hackers “bypass traditional static scanning,” while “publishing these payloads through legitimate continuous integration pipelines” to subvert the mechanisms used to verify software integrity.