How Mini Shai-Hulud worm moved through supply chain, impacting GitHub, Nx Console, & TanStack
ID: e3c1ceec-939c-5700-9ec4-b3383e691cde
STIX ID: report--e3c1ceec-939c-5700-9ec4-b3383e691cde
Feed Name: ThreatLocker Blog
The report details a sophisticated supply-chain campaign (Mini Shai-Hulud) attributed to TeamPCP. The campaign poisoned GitHub Actions caches and abused trusted CI/CD and publishing workflows to steal OIDC tokens and credentials, publish malicious npm/VS Code artifacts, and deploy an infostealing Python backdoor. The compromise led to widespread downstream impact (including ~3,800 GitHub repositories and multiple vendor breaches) and highlighted that inherited trust in CI, provenance, and signing can be weaponized.
