According to ThreatNix monitoring, a data-stealing worm named "Mini Shai-Hulud" (after the sandworm from "Dune") is sweeping through the frontend and AI backend ecosystems. Between 3:20 and 3:26 (UTC+8) on May 12, the attacker, TeamPCP, hijacked TanStack's official release pipeline and pushed 84 malicious versions of 42 official packages to npm, including `@tanstack/react-router`, which has tens of millions of weekly downloads. The worm then spread to PyPI. The latest victims include Amazon's `@opensearch-project/opensearch` (npm, 1.3 million weekly downloads), Mistral's official client `mistralai`, and the AI guardrail tool `guardrails-ai` (both on PyPI).
The malicious packages look identical to legitimate releases. The attackers did not steal any long-lived credentials; instead, they exploited a GitHub Actions configuration vulnerability to hijack the official pipeline and obtain legitimate, temporary release permissions. As a result, the malicious packages carry a genuine SLSA build provenance signature (an attestation that the package was built by the official pipeline), which defeats the "signed = safe" assumption that developers rely on.
More alarming still, uninstalling the malicious packages is not sufficient. Socket.dev's reverse engineering found that, once installed, the worm silently injects itself into the Claude Code execution hook (`.claude/settings.json`) and the VS Code task configuration (`.vscode/tasks.json`) in the background. Even after the malicious packages are removed, the malicious code runs again whenever a developer reopens the project directory or triggers an AI assistant. On the Python side the activation threshold is even lower: developers do not need to call any function, because merely importing the infected package quietly triggers the data theft.
TeamPCP posted a taunting message directly on `git-tanstack[.]com`, the fake domain they used to distribute the payload: "We have been online stealing creds for over two hours, but I just came to say hi :^)." The worm is still spreading autonomously. Machines that installed the affected packages during that window should be treated as compromised: immediately rotate all credentials (AWS, GitHub, npm, SSH, etc.), thoroughly inspect the `.claude/` and `.vscode/` directories, and reinstall from a clean lockfile.
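One way to carry out the `.claude/` and `.vscode/` inspection across a whole checkout tree, as an added example that is not from ThreatNix, Socket.dev or any affected project. It lists every Claude Code command hook and every VS Code task for manual review, and marks tasks set to run on folder open. The report does not name any worm-specific signature, so the script matches none. It assumes the usual `hooks` layout (event → groups → `hooks[].command`) and VS Code's `runOptions.runOn` field.

```python
import json, re, sys
from pathlib import Path

# String-aware patterns: quoted strings are matched first so "//" in a URL survives.
_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')

def load_jsonc(text):
    """Parse JSON that may carry comments and trailing commas (tasks.json allows both)."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def claude_hooks(cfg):
    """Yield (event, command) for each command hook in a Claude Code settings file."""
    for event, groups in (cfg.get("hooks") or {}).items():
        for group in groups or []:
            for hook in group.get("hooks", []):
                if "command" in hook:
                    yield event, hook["command"]

def vscode_tasks(cfg):
    """Yield (trigger, command) per task; trigger is 'folderOpen' when it auto-runs."""
    for task in cfg.get("tasks", []):
        trigger = (task.get("runOptions") or {}).get("runOn", "manual")
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        yield trigger, " ".join(parts).strip()

def audit(root):
    """Return (path, kind, trigger, command) rows for every persistence point found."""
    rows = []
    # settings*.json also covers the per-user settings.local.json variant.
    targets = [(".claude/settings*.json", "claude-hook", claude_hooks),
               (".vscode/tasks.json", "vscode-task", vscode_tasks)]
    for pattern, kind, extract in targets:
        for path in sorted(Path(root).rglob(pattern)):
            try:
                cfg = load_jsonc(path.read_text(encoding="utf-8"))
                rows += [(str(path), kind, trig, cmd) for trig, cmd in extract(cfg)]
            except (ValueError, AttributeError, TypeError, OSError) as exc:
                # A file that cannot be parsed still has to be read by hand.
                rows.append((str(path), kind, "UNPARSED", repr(exc)))
    return rows

if __name__ == "__main__":
    for path, kind, trigger, cmd in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:12} {trigger:12} {path}\n    {cmd}")
```

Run it against the parent directory of all local checkouts; any hook or `folderOpen` task the team did not add deliberately should be removed before the project is reopened in an editor or AI assistant.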
