A widespread supply-chain campaign—nicknamed Mini Shai-Hulud—has poisoned hundreds of npm and some PyPI packages, notably across TanStack, Mistral AI and UiPath, by exploiting GitHub Actions weaknesses like pull_request_target, cache poisoning, and OIDC token exposure. Malicious releases ran code at install time to harvest cloud and developer secrets, persist on hosts, and self-propagate. The incident exposes gaps in CI trust models, package vetting, and registry response, prompting calls to pin actions to SHAs, tighten workflow permissions, avoid executing untrusted PR code, rotate secrets, and use artifact digests. Developers and organizations are reassessing their reliance on hosted tooling and adopting stricter supply-chain hygiene and self-hosting options.
This incident shows how CI workflows, package registries, and developer machines form a single attack surface for supply-chain worms. Tech teams must reassess trust boundaries, secrets handling, and dependency hygiene to prevent large-scale credential and infrastructure compromise.
Dossier last updated: 2026-05-15 09:24:26
GitHub Actions security guidance emphasizes that Actions are now a critical part of the software supply chain and a frequent attack vector. The article provides a practical checklist for engineering and AppSec teams, leading with five priority controls: set GITHUB_TOKEN to read-only by default, pin third-party actions to commit SHAs, avoid pull_request_target for public repos, treat PR titles, branch names and similar fields as untrusted input, and use OIDC instead of long-lived secrets. It then details controls to lock down org and repo defaults, make workflow permissions explicit, and avoid dangerous triggers and untrusted execution paths. The guidance matters because misconfigured workflows, mutable dependencies, and over-permissioned tokens enable secret theft and pipeline compromise.
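As an added illustration of that checklist (example code written for this dossier, not from the guidance article or any of the projects named above), the following audits a workflow file for the weak patterns it lists: a missing top-level permissions block, a pull_request_target trigger, actions pinned to tags instead of commit SHAs, checkout of the PR head under pull_request_target, and untrusted PR fields interpolated into run steps. Both workflow texts are constructed samples, and the 40-hex SHA in the hardened one is a placeholder, not a real commit.

```python
import re

# Constructed sample workflows (not from the original page): the weak patterns, then the same job hardened.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
"""
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: echo "PR title: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # full commit SHA pin
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@(\S+)")   # action@ref
PR_REF_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request")
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.(event\.(pull_request\.(title|body|head\.ref)|comment\.body|issue\.(title|body))|head_ref)")

def audit_workflow(text: str) -> list:
    # Returns one finding per weak pattern; an empty list means no check fired.
    findings = []
    lines = text.splitlines()
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps the repo default")
    risky_trigger = re.search(r"\bpull_request_target\b", text.split("\njobs:", 1)[0]) is not None
    if risky_trigger:
        findings.append("pull_request_target trigger: fork PRs run with a write token and secrets")
    for ln in lines:
        m = USES_RE.match(ln)
        if m and not m.group(1).startswith("./") and not SHA_RE.match(m.group(2)):
            findings.append(f"unpinned action {m.group(1)}@{m.group(2)}: pin to a full commit SHA")
        if risky_trigger and PR_REF_RE.search(ln):
            findings.append("checkout of the PR head under pull_request_target: untrusted code runs privileged")
        if "run:" in ln and UNTRUSTED_RE.search(ln):
            findings.append("untrusted PR field interpolated into a run step: pass it through env instead")
    return findings
```

The line-based matching only sees single-line run steps; a multi-line `run: |` block needs the same check applied to each of its lines.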
Lorenzo Franceschi-Bicchierai / TechCrunch : OpenAI says two employee devices were impacted via a supply chain attack on TanStack but no user data or production systems were compromised — Earlier this week, hackers hijacked several open source projects used by dozens of companies and pushed updates designed to spread malware.
Show HN: FixMyNPM, CLI to fix your insecure npm config
A senior developer recounts two fake LinkedIn interview attempts that were actually malware traps. In the first case, a supposed web3 startup contact pushed the author to clone a GitHub repo and open it in VS Code, where embedded tasks.json, package.json, and server code implemented four attack vectors: VS Code folder-open tasks that curl platform-specific scripts, an npm prepare hook that runs server code during npm install, server-side code that exfiltrates process.env to a remote Vercel-hosted API and evaluates returned code for RCE, and a hardwired auth bypass. The author warns readers to never run untrusted repos, rotate secrets if exposed, check persistence, and treat the repo as compromised.
Security researchers linked the May 2026 TanStack npm compromise to a wider self-propagating campaign dubbed Mini Shai-Hulud that targeted npm, PyPI, GitHub Actions, IDE hooks and CI/CD secrets. TanStack published 84 malicious npm versions across 42 @tanstack/* packages (CVE-2026-45321, CVSS 9.6) after attackers exploited a pull_request_target workflow that checked out and executed untrusted fork code, enabling cache poisoning and OIDC token extraction from the Actions runner to perform authenticated publishes. Analysts warn this was not an isolated package compromise but a worm-like supply-chain attack that moves laterally via developer machines, CI caches, and secrets, underscoring the need to avoid executing untrusted PR code in privileged workflows, segregate caches, and tighten OIDC/Actions bindings. The campaign is active and IOCs continue to evolve.
The author migrated personal repositories from GitHub to a self-hosted Forgejo instance, citing ownership, data jurisdiction, and AI-driven product shifts rather than outages alone. The Dutch Ministry of the Interior launched code.overheid.nl on Forgejo v15 LTS for legal ownership and digital autonomy, mirroring the author’s reasoning. GitHub logged 257 incidents from May 2025–April 2026 (48 major), and its CTO said capacity must scale 30x due to agentic AI workload growth. GitHub’s integration into Microsoft’s CoreAI, default opt-in for Copilot data collection without repo-level opt-out, and unresolved US jurisdictional risks under FISA Section 702/CLOUD Act motivated the move. The author now runs Forgejo on a hardened NUC with isolated runners and plans to archive public GitHub repos.
The author migrated personal repositories from GitHub to a self-hosted Forgejo instance, mirroring the Dutch government's April 2026 move to run code.overheid.nl on Forgejo v15 LTS to retain legal ownership and digital autonomy. The decision stems not primarily from GitHub outages but concerns about control: GitHub is now integrated into Microsoft’s CoreAI, lacks separate leadership, and flipped Copilot data collection to opt-in-by-default without repository-level opt-outs. The article recounts frequent high-impact incidents (257 incidents, 48 major in May 2025–Apr 2026) and links reliability problems to rapid AI-driven growth that GitHub says requires 30x capacity expansion. The author details their hardened single-NUC Forgejo setup and plans to archive public GitHub repos to the new host.
Cybercrime group TeamPCP has publicly released the source code for its Windows worm 'Shai-Hulud' on GitHub, researchers report. The leak exposes the malware's propagation, persistence and payload mechanisms, enabling defenders to analyze signatures but also lowering the barrier for copycats to adapt and deploy variants. Security vendors and incident responders now face increased risk of rapid malware proliferation and faster weaponization by other threat actors, while open-source distribution complicates takedown efforts and legal responses. The publication underscores tensions between transparency for defensive research and the operational danger of malicious code becoming widely accessible.
A coordinated supply-chain attack on May 11–12, 2026 injected malicious code into more than 170 npm packages and two PyPI packages, producing 404 poisoned releases and targeting entire org scopes including TanStack, Mistral AI, UiPath, TallyUI and OpenSearch. The campaign compromised all packages under @tanstack (42 packages), @uipath (65), Mistral’s JS/TS SDK and its Python client, plus Guardrails AI on PyPI; PyPI projects were quarantined. Payloads exfiltrate data, probe cloud metadata and Vault endpoints, and fetch additional code from attacker-controlled domains (notably git-tanstack[.]com). The attack is notable for scale and for spanning npm and PyPI in one campaign, highlighting registry security gaps and the need for install-time protections, stronger repo token hygiene, and faster registry quarantines.
Security teams are responding to a fast-moving supply-chain worm that poisoned 172 npm and PyPI packages starting May 11, delivering a persistence-capable loader that harvests extensive secrets (AWS keys, SSH keys, npm tokens, GitHub PATs, Vault tokens, Kubernetes service accounts, Docker creds, password managers including 1Password/Bitwarden, AI agent configs) and survives package removal via project-file and system daemon persistence. The Mini Shai-Hulud campaign produced 403 malicious versions; high-profile packages like @tanstack/react-router (12.7M weekly downloads) were affected. Attackers abused GitHub Actions/OIDC provenance, cache poisoning, and fork-based commits to obtain valid SLSA Level 3-signed artifacts (CVE-2026-45321, CVSS 9.6). The worm also spread into PyPI (mistralai package) and reads CI memory (/proc/pid/mem). This demonstrates gaps in CI trust scopes, provenance assumptions, and cross-ecosystem mitigations.
RubyGems Under Attack
Malicious versions of multiple TanStack npm packages were published in a supply-chain attack that executed payloads during installation, potentially exfiltrating developer and CI secrets. The incident affected the @tanstack/* package namespace on npm; attackers reportedly pushed compromised releases that run code at install time, putting at risk any credentials and environment variables exposed on local developer machines and continuous-integration runners. This matters because package installs are a common vector for supply-chain compromise, and leaked secrets can enable wider account and infrastructure takeover. Maintainers and dependent projects should audit install scripts, rotate any exposed secrets, and update or revert to verified clean package versions.
Etiido Uko / Tom's Hardware : Microsoft says it is investigating a Mistral AI PyPI package v2.4.6 compromise; the attack is likely part of the Mini Shai-Hulud supply chain attack — The malware reportedly refused to run on Russian-language systems but could execute a destructive payload under certain geographic conditions.
On May 11, 2026, an attacker published 84 malicious npm versions across 42 @tanstack/* packages by exploiting a pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning across fork↔base trust boundaries, and extracting an OIDC token from the Actions runner. The malicious packages ran an obfuscated router_init.js during npm/yarn/pnpm install that harvested cloud, GitHub, npm, Vault, SSH and other credentials, exfiltrated via the Session/Oxen file-upload network, and self-propagated by republishing other maintainer packages. No npm publish credentials were found stolen and the npm publish workflow itself appears uncompromised. External researcher ashishkurmi/stepsecurity detected the packages within 20 minutes; all affected versions are deprecated and npm security is removing tarballs. Users who installed on May 11 should assume host compromise and rotate reachable secrets.
TanStack disclosed a May 11, 2026 supply-chain attack that published 84 malicious versions across 42 @tanstack/* npm packages in a ~6-minute window. The attacker combined a pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning across fork↔base trust boundaries, and runtime memory extraction of an OIDC token from the Actions runner to get code into published packages; npm publish itself and npm tokens appear uncompromised. An external researcher flagged the packages within 20 minutes; all malicious releases have been deprecated and npm is removing tarballs. The payload ran during npm install, harvesting AWS/GCP/Kubernetes/Vault/npm/GitHub/SSH credentials, exfiltrating via the Session/Oxen file network, and self-propagating by republishing packages. Users who installed packages on 2026-05-11 should treat hosts as compromised and rotate secrets.
A coordinated supply-chain attack on May 11, 2026 injected malicious versions into more than 170 npm packages and two PyPI packages, producing 404 hostile releases that hit major ecosystems including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. The attacker compromised entire package scopes (@tanstack, @uipath, @squawk, @tallyui, etc.), used GitHub API abuse to push poisoned commits, and embedded C2/exfiltration hooks and runtime downloaders. PyPI malware used a Python dropper that fetched transformers.pyz from an attacker-controlled domain (git-tanstack[.]com); PyPI quarantined the affected projects. This is notable for its scale, cross-registry reach, and focus on organization-wide scope compromise, raising urgent supply-chain and dev-tooling security concerns for developers, CI/CD pipelines, and downstream consumers.
The article explains the shift from DevOps to DevSecOps, arguing modern software delivery must balance speed with integrated security. It outlines DevOps principles—CI, CD, IaC, and monitoring—and lists common tools like GitHub Actions, Jenkins, Terraform, Datadog, and Grafana. DevSecOps is defined as embedding security throughout the pipeline (scan → test → secure → deploy → monitor) so vulnerabilities are caught early. The piece highlights contemporary threats — supply-chain attacks, secret leaks, vulnerable containers, dependency poisoning, and CI/CD compromises — and emphasizes automated security scanning (secret scanning, dependency and container scanning, static analysis, IaC checks) with tools such as Snyk and SonarSource. A GitHub repo for a 30-day DevSecOps journey is provided.
npm poisoned again: TanStack, Mistral AI, UiPath and others affected; malware can steal cloud keys, SSH keys and GitHub tokens
Security researchers disclosed a large npm supply-chain campaign that pushed over 400 malicious versions across more than 170 packages without compromising maintainer accounts. Notable brands targeted include TanStack and Mistral AI, among many smaller libraries; the attack relied on publishing new malicious package versions rather than hijacking existing maintainer credentials. The incident matters because widespread npm dependencies can cause rapid downstream compromise for applications and CI pipelines, highlighting gaps in package vetting and the need for stronger registry protections, dependency auditing, and supply-chain defenses. Developers and organizations should audit dependencies, pin versions, and use tools like safedep and automated scanning to detect and remediate tainted packages.