TeamPCP Hits TanStack, OpenSearch, and Mistral with Mini Shai-Hulud
ID: ead6b3bf-4934-5176-84c9-74f90fcfaffb
STIX ID: report--ead6b3bf-4934-5176-84c9-74f90fcfaffb
Feed Name: OpenSourceMalware Blog
Date Published: 2026-05-13
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
TeamPCP's "Mini Shai‑Hulud" is a self‑propagating npm supply‑chain worm that compromised 170 npm packages (19 namespaces) — including high‑impact packages like @opensearch-project/opensearch and Mistral clients — and crossed into PyPI; the worm steals CI credentials via an orphaned TanStack CI run (OIDC token theft), mints publish tokens, republishes packages with valid Sigstore provenance, exfiltrates harvested secrets over the Session P2P network, and persists by injecting files and GitHub workflow commits into downstream repositories, with full IOCs and remediation steps provided.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
