What happened
On May 11–12, 2026 a self-propagating worm dubbed Mini Shai-Hulud (attributed to TeamPCP) compromised 160+ npm and PyPI packages, including @tanstack/react-router (~12M weekly downloads), mistralai, UiPath SDKs, and Guardrails AI. This is the first documented npm worm to produce validly attested malicious packages, defeating attestation-based trust signals.
How it works
Malicious versions install a preinstall hook that runs on npm install. The payload:
- Steals GitHub tokens, npm tokens, AWS/GCP/Azure credentials, Kubernetes SA tokens, HashiCorp Vault tokens, and arbitrary env vars.
- Enumerates packages the victim has publish access to, injects the same payload into them, bumps their versions, and publishes them; this is how the worm self-propagates.
- Installs persistence in Claude Code and VS Code so it survives reboots and re-runs on every IDE launch.
Affected
- @tanstack/react-router, @tanstack/react-query: malicious releases between May 11 09:55 UTC and May 12 12:14 UTC.
- Mistral AI npm SDKs.
- UiPath SDKs.
- Guardrails AI.
- Full list maintained by Wiz / StepSecurity (see references).
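The following triage helper is an added example, not code from the advisory or from any of the projects named above. It ties together the two facts the advisory gives a defender to work with: the payload runs from an install-time lifecycle hook (the "How it works" section), and the @tanstack packages were poisoned inside a known publish window (the "Affected" list). It reads an npm lockfile (v2/v3 format, whose entries carry a `hasInstallScript` flag) together with per-package publish times in the shape returned by `npm view <pkg> time --json`, and reports dependencies that are on the advisory's watchlist, that were published inside the malicious window, or that declare an install-time script. The lockfile, version numbers and timestamps embedded below are constructed for the demo and are not real releases; the watchlist holds only the package names the advisory spells out, not the full Wiz / StepSecurity list.

```python
"""Offline lockfile triage for the Mini Shai-Hulud npm incident (added example).

Inputs:
  lock           - parsed package-lock.json (lockfileVersion 2 or 3)
  registry_times - {package_name: {version: iso_timestamp}}, i.e. the
                   "time" object from `npm view <pkg> time --json`
"""
from datetime import datetime, timezone

# Package names named in the advisory. Not the complete affected list;
# the full list is maintained by Wiz / StepSecurity.
WATCHLIST = {"@tanstack/react-router", "@tanstack/react-query", "mistralai"}

# Malicious publish window the advisory gives for the @tanstack packages.
WINDOW_START = datetime(2026, 5, 11, 9, 55, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 12, 12, 14, tzinfo=timezone.utc)


def parse_ts(ts):
    """Parse an npm registry timestamp such as '2026-05-11T22:30:00.000Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_window(published):
    """True if the publish time falls inside the malicious window (inclusive)."""
    return WINDOW_START <= parse_ts(published) <= WINDOW_END


def lockfile_packages(lock):
    """Yield (name, version, has_install_script) for every installed package."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        # nested paths look like node_modules/a/node_modules/@scope/b
        name = meta.get("name") or path.split("node_modules/")[-1]
        yield name, meta.get("version"), bool(meta.get("hasInstallScript"))


def triage(lock, registry_times):
    """Return a list of findings: {"name", "version", "reasons": [...]}."""
    findings = []
    for name, version, has_script in lockfile_packages(lock):
        reasons = []
        if name in WATCHLIST:
            published = registry_times.get(name, {}).get(version)
            if published is None:
                reasons.append("on advisory watchlist, publish time unknown")
            elif in_window(published):
                reasons.append("published inside malicious window")
            else:
                reasons.append("on advisory watchlist, outside window")
        if has_script:
            # The worm's payload is delivered from a preinstall hook, so any
            # dependency with an install-time script deserves a look.
            reasons.append("declares install-time script")
        if reasons:
            findings.append({"name": name, "version": version, "reasons": reasons})
    return sorted(findings, key=lambda f: f["name"])


# Constructed sample data (placeholder versions and timestamps, not real releases).
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/react-router": {"version": "0.0.0-demo", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-native-lib": {"version": "2.0.1", "hasInstallScript": True},
    },
}
SAMPLE_TIMES = {
    "@tanstack/react-router": {
        "0.0.0-demo": "2026-05-11T22:30:00.000Z",  # inside the window
    },
}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOCK, SAMPLE_TIMES):
        print(f"{f['name']}@{f['version']}: {'; '.join(f['reasons'])}")
```

In practice you would load `package-lock.json` with `json.load` and build `registry_times` from `npm view <pkg> time --json` for each watchlisted package before running `triage`. The install-script check is deliberately broad: native add-ons legitimately use `install` hooks, so treat that finding as a prompt to inspect the package's `scripts` block rather than as a verdict.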