On May 11, 2026, a coordinated supply-chain attack published malicious versions of at least 235 packages across npm and PyPI. The attack was first reported by external security researchers including StepSecurity, Socket, safedep.io, and Wiz.
This version of Mini-Shai-Hulud first compromised 42 @tanstack/* npm packages before quickly spreading to Mistral AI, UiPath, OpenSearch, Guardrails AI, and dozens of other packages on both npm and PyPI.
In this blog, we’ll provide guidance to help FOSSA customers detect and remediate packages impacted by Mini-Shai-Hulud; we’ll also cover impacted packages and the attack mechanism.
How the Mini-Shai-Hulud Attack Works
The attack ships an install-time payload through two delivery paths, one per ecosystem. Details are as follows.
npm path
The campaign ships two npm delivery mechanisms.
The @tanstack/* packages add an optionalDependencies entry pointing at a Git-hosted package (for example, "@tanstack/setup": "github:tanstack/router#<orphan-commit>"). When npm install resolves the Git dependency, it runs the dependency's prepare lifecycle hook, which executes the payload and then exits non-zero so the install logs look like an inert optional-dependency failure even though the malicious code has already run. Several of the same tarballs also include a ~2.3MB obfuscated file (router_init.js) staged inside the package itself.
The @uipath/* and Mistral AI npm packages use a more direct preinstall script (typically node setup.mjs) that downloads the Bun runtime and executes the payload before any application code runs. This is the same lifecycle-hook pattern seen in the SAP CAP compromise in late April 2026, which was an earlier version of the Shai-Hulud campaign.
Note: Wiz reported on May 13 that a bug in the payload renders the malware non-functional for the @uipath/* and @mistralai/* npm packages specifically; the PyPI mistralai package is not affected by this bug and should still be treated as fully compromised.
In both variants, the install-time execution fires before code review, before sandboxing, and before any application logic. A developer who pins a single version and runs npm install still gets the payload.
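A defender-side audit for the two npm delivery mechanisms described above, as an added example that is not FOSSA's code or code from any affected project. It flags Git-hosted dependency specs and install-time lifecycle hooks in package.json files; the function names and the sample manifests are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Hooks npm runs at install time. "prepare" also runs when a dependency is
# resolved from Git, which is the @tanstack/* delivery path described above.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "optionalDependencies", "devDependencies")
# Git-hosted specs: explicit schemes plus npm's bare "owner/repo" shorthand.
GIT_SPEC = re.compile(
    r"^(github:|gitlab:|bitbucket:|git\+|git://|[A-Za-z0-9][\w.-]*/[\w.-]+(#|$))")


def audit_manifest(manifest: dict) -> list:
    """Return findings for one parsed package.json (names are illustrative)."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            if isinstance(spec, str) and GIT_SPEC.match(spec):
                findings.append(f"git-dep:{field}:{name}={spec}")
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if scripts.get(hook):
            findings.append(f"hook:{hook}={scripts[hook]}")
    return findings


def audit_tree(root) -> dict:
    """Audit every package.json under root, for example a node_modules dir."""
    report = {}
    for path in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict):
            hits = audit_manifest(manifest)
            if hits:
                report[str(path)] = hits
    return report


# Constructed manifests mirroring the two npm variants; not real package data.
GIT_VARIANT = {"name": "example-a", "optionalDependencies": {
    "@tanstack/setup": "github:tanstack/router#<orphan-commit>"}}
PREINSTALL_VARIANT = {"name": "example-b",
                      "scripts": {"preinstall": "node setup.mjs"}}
CLEAN = {"name": "example-c", "dependencies": {"left-pad": "^1.3.0"},
         "scripts": {"test": "node test.js"}}
```

Legitimate packages also declare install hooks, so each finding is a lead to review against the affected-package list rather than a verdict.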
PyPI path
The malicious PyPI distributions inject a dropper into the package's __init__.py (confirmed in mistralai version 2.4.6). The dropper fires on import mistralai or import guardrails, including transitive imports from downstream code. It silently issues a curl request to 83.142.209.194, saves the secondary payload to /tmp/transformers.pyz, and launches it as a detached background process that outlives the importing Python session.
This staged design defeats automated sandbox scanning that installs the package but never exercises its API: the sdist and wheel contain only the dropper, and the real credential-stealing logic lands on disk only after a real import call. Static analysis of the package contents will surface the dropper code, but not the secondary payload's behavior.
Once the payload runs, it walks the local filesystem and process environment for sensitive material:
- AWS IAM credentials from ~/.aws/credentials and EC2 instance metadata
- GCP and Azure cloud credentials from the standard SDK config paths
- Kubernetes service-account tokens from in-cluster mount paths
- HashiCorp Vault tokens from ~/.vault-token
- GitHub personal access tokens, OAuth tokens, and short-lived tokens matching ghp_*, gho_*, and ghs_*
- GitHub Actions OIDC tokens from the CI environment
- GitLab and CircleCI CI/CD tokens from the runner environment
- npm publish tokens from ~/.npmrc
Exfiltration goes over the Session messaging protocol to filev2.getsession[.]org. A secondary command-and-control channel is hosted at git-tanstack[.]com. There is also evidence of IDE poisoning: committed modifications to ~/.claude/setup.mjs, ~/.claude/router_runtime.js, ~/.vscode/tasks.json, and ~/.vscode/setup.mjs designed to persist execution into developer tooling so that a wipe-and-reinstall of the affected dependency does not necessarily evict the implant.
Packages Impacted by Mini-Shai-Hulud
The 235 affected packages can be roughly grouped into three distinct buckets.
Brand Takeover of Legitimate Scopes
The attackers published malicious versions under official scopes for projects with significant install counts:
- @uipath/*: 65 packages including @uipath/cli, @uipath/agent-sdk, @uipath/orchestrator-tool, and the bulk of the official RPA tooling
- @tanstack/*: 42 packages including @tanstack/react-router (12M+ weekly downloads), @tanstack/vue-router, the eslint plugins, query, history, and store
- @squawk/*: 22 packages across the aviation data toolkit (airport-data, airspace, flightplan, navaids, weather)
- @tallyui/*: 10 packages across the e-commerce UI suite
- @mistralai/*: 3 packages, the official mistralai, mistralai-azure, and mistralai-gcp SDKs
- @opensearch-project/opensearch: the official OpenSearch JavaScript client (1M+ weekly downloads)
Smaller-Scope Takeovers and Pivots
Each of @aoflcorp, @apps-legacy-reports, @beproduct, @catladder, @dirigible-ai, @draftauth, @draftlab, @epambot, @housecallpro, @lir-portal, @mesadev, @mimecast-ui, @ml-toolkit-ts, @supersurkhet, @taskflow-corp, and @tolka had between one and three packages compromised.
Unscoped Typosquats and Pivots
Roughly 62 unscoped npm packages target plausible-looking names. The clusters include developer tooling (agentwork-cli, cmux-agent-mcp, cross-stitch, git-branch-selector, git-git-git, nextmove-mcp, safe-action, ssh2-mcp-tools, ts-dna, wot-api), crypto and DeFi names (marginfi-client-v2, mrgn-common, mrgn-ui, mrgn-utils, orbiter-finance-bridge, orbiter-finance-bridge-sdk, multiple zircuit-* packages), and a handful of obviously low-effort decoys (hello-world-pkg-value-value-v, totally-legit-web-pack, super-useful-omega-package-123).
On PyPI, the four affected packages are mistralai (the same SDK family that appears on the npm side), guardrails-ai, numpy-fast (two malicious versions), and test4iqserv.
Using FOSSA to Manage Mini-Shai-Hulud
Customers can use the FOSSA platform to detect versions of packages impacted by Mini-Shai-Hulud. Below is a step-by-step guide to doing so.
- Scan the latest revision of your FOSSA-tracked repositories.
- Search Quality: Issues, filtered by issue type Malware, for any of the affected scopes or packages above.
- If a match is found, remove the dependency, pin to the legitimate upstream package, and rotate any credentials that may have been exposed on the affected hosts. The credential classes to rotate are AWS IAM, GitHub PATs and OIDC tokens, npm publish tokens, and Vault tokens.
- Audit CI build logs from May 11 forward for unexpected network egress to filev2.getsession[.]org or git-tanstack[.]com.
- Inspect your developer environment for unauthorized modifications to ~/.claude/setup.mjs, ~/.claude/router_runtime.js, ~/.vscode/tasks.json, and ~/.vscode/setup.mjs.
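One way to script the last two steps (the CI log audit and the developer-environment inspection), as an added example that is not part of the FOSSA platform. The indicators and file paths come from this post; the function names and the CI log format are assumptions, and the sample log is constructed.

```python
import re
from pathlib import Path

# Indicators exactly as printed on this page; "[.]" is restored for matching.
DEFANGED = ("filev2.getsession[.]org", "git-tanstack[.]com", "83.142.209.194")
IOCS = tuple(i.replace("[.]", ".") for i in DEFANGED)
# Whole-host match: subdomains of an indicator hit, look-alike names that
# merely contain it (prefix- or .suffix) do not.
IOC_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, IOCS)) + r")(?!\.?[\w-])",
    re.IGNORECASE)
IDE_FILES = (".claude/setup.mjs", ".claude/router_runtime.js",
             ".vscode/tasks.json", ".vscode/setup.mjs")


def scan_log(lines):
    """Return (line_number, indicator) for each IoC hit in CI log lines."""
    return [(n, m.group(1).lower())
            for n, line in enumerate(lines, 1)
            for m in IOC_RE.finditer(line)]


def ide_files_present(home):
    """Return the persistence paths named above that exist under home."""
    return [rel for rel in IDE_FILES if (Path(home) / rel).is_file()]


# Constructed CI log excerpt (not from a real build); the log format is assumed.
SAMPLE_LOG = [
    "2026-05-11T09:14:02Z step=install cmd='npm install'",
    f"2026-05-11T09:14:09Z egress CONNECT {IOCS[0]}:443",
    "2026-05-11T09:14:10Z egress GET https://registry.npmjs.org/left-pad",
    f"2026-05-11T09:14:11Z egress CONNECT {IOCS[1]}.example.net:443",
    f"2026-05-11T09:14:12Z egress GET http://{IOCS[2]}/",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("IoC in CI log:", hit)
    for rel in ide_files_present(Path.home()):
        print("review for unauthorized changes:", Path.home() / rel)
```

A listed file that exists still has to be reviewed for unauthorized changes; its presence alone does not confirm the implant.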
We also encourage FOSSA customers to get in touch with their customer success contact if they need help scoping the blast radius. If you aren’t currently a FOSSA customer, you can reach out to our experts by requesting a demo on our website.
