On 11 May 2026, a threat actor known as TeamPCP quietly published malicious versions of 169 npm packages and 2 PyPI packages, smuggling a credential-stealing worm into the build pipelines of developers worldwide. The attack, now named Mini Shai-Hulud by researchers at Wiz, targeted some of the most downloaded packages in the JavaScript ecosystem: TanStack's react-query alone sees over 212 million monthly downloads. When the malware arrived, it did not announce itself. It pretended to be Claude.
The technical mechanism was elegant and disturbing in equal measure. TeamPCP did not steal maintainer passwords. Instead, they chained three vulnerabilities in GitHub Actions. First, they forked the TanStack/router repository and opened a pull request designed to trigger a pull_request_target workflow, a GitHub Actions configuration that runs with elevated permissions even on code from untrusted forks. That gave them write access to the Actions cache. They poisoned it with a malicious pnpm store. When TanStack's legitimate maintainers later merged their own code and triggered the release pipeline, the poisoned cache was restored, and attacker-controlled binaries extracted OIDC tokens directly from the GitHub Actions runner's process memory. No credentials were stolen from developers. The credentials came from GitHub's own infrastructure, turned against itself.
The malware that arrived in the compromised packages did several things. It stole CI/CD tokens, cloud credentials for AWS, Google Cloud, and Azure, Kubernetes service account tokens, and package registry keys. It published copies of itself to any npm projects it found on the infected machine, turning developers into unwitting distributors. And it installed a persistent daemon called gh-token-monitor that polled GitHub every 60 seconds. If the stolen token was revoked, the daemon ran rm -rf ~/, wiping the developer's home directory in retaliation.
To avoid detection, the worm embedded itself into the configuration files of Visual Studio Code and Anthropic's Claude Code, so it would execute silently whenever a developer opened a project. Its activity in the repository was spoofed to appear as automated commits from the Anthropic Claude bot, a choice that tells you something about how trusted AI tooling has become in developer workflows: the safest camouflage available was impersonating an AI assistant.
The packages compromised extend well into the AI ecosystem itself. The official Mistral AI TypeScript client was affected. So was guardrails-ai, a Python library used for validating AI model outputs. OpenAI has confirmed a security breach via the TanStack dependency. The attack hit the tooling that developers use to build with AI, not just ordinary developer infrastructure.
Wiz attributes the campaign with high confidence to TeamPCP, a group previously linked to supply chain compromises at SAP, Checkmarx, Bitwarden, and Trivy. The name Mini Shai-Hulud is a Dune reference: a small sand worm, patient and subterranean, waiting in the medium everyone has to cross. The three-vulnerability GitHub Actions chain the group used is the kind of interconnected, subtle exploit that takes time and precision to assemble. Whether AI-assisted research played a role in discovering the vulnerability chain is not confirmed, but the sophistication of the approach is consistent with what AI-augmented offensive research has made increasingly accessible.
The practical advice is familiar: audit your dependency trees, pin your package versions, and review your GitHub Actions configurations for pull_request_target workflows that run with write permissions on forked code. Security researcher Ashish Kurmi at StepSecurity detected the malware in TanStack packages within twenty minutes of its appearance. Not everyone has that kind of monitoring in place. The compromised versions have been pulled from the registries, but the underlying GitHub Actions vulnerability class that made this possible remains worth understanding, because TeamPCP is not the only group that knows it exists.
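One way to start the workflow review described above, as an added example that is not from Wiz, StepSecurity or TanStack: a line-based heuristic that flags workflow files combining a pull_request_target trigger with a checkout of the pull request's head, cache use, or a write-capable token. The function name, regexes and sample workflow are hypothetical and constructed for illustration; it is not a YAML parser, and findings are prompts for manual review.

```python
import re

# Constructed sample workflow (not taken from any real repository).
SAMPLE_RISKY = """\
name: benchmark
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm bench
"""
SAMPLE_SAFE = SAMPLE_RISKY.replace("pull_request_target", "pull_request")

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")
CACHE_USE = re.compile(r"uses:\s*actions/cache\b|^\s*cache:\s*\S", re.M)
WRITE_PERM = re.compile(r"^\s*[\w-]+:\s*write\s*$|permissions:\s*write-all", re.M)


def audit_workflow(text):
    """Return a list of finding strings for one workflow file's text."""
    # Drop YAML comments so a commented-out trigger does not count.
    body = "\n".join(line.split(" #")[0] for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = ["runs on pull_request_target (base-repo privileges)"]
    if HEAD_REF.search(body):
        findings.append("checks out fork-controlled PR head code")
    if CACHE_USE.search(body):
        findings.append("uses the Actions cache in a fork-triggered job")
    if WRITE_PERM.search(body):
        findings.append("grants a write permission explicitly")
    elif "permissions:" not in body:
        findings.append("no permissions block; token scope is the repo default")
    return findings
```

Run it over every file under .github/workflows/ and treat any file with more than the first finding as a priority for review.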