
A coordinated “Mini Shai-Hulud” campaign compromised over 170 open-source NPM and PyPI packages by abusing GitHub Actions, OIDC trust, and SLSA provenance signing to distribute malware disguised as legitimate software updates.
A massive open-source software supply-chain attack has compromised more than 170 NPM and PyPI packages linked to major projects including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI.
The “Mini Shai-Hulud” campaign, linked to hacking group TeamPCP, published more than 401 malicious package artefacts within five hours by exploiting trusted open-source CI/CD pipelines and GitHub Actions workflows.
The attackers abused GitHub OIDC federation, cache poisoning, and pull_request_target workflow misconfigurations to bypass normal publishing controls and distribute malicious packages carrying valid SLSA provenance signatures, making them appear cryptographically authentic.
“The attacker chained three known vulnerability classes — a pull_request_target ‘Pwn Request’ misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process,” TanStack said.
According to Snyk, “SLSA provenance is a cryptographic certificate, generated by Sigstore, that is meant to verify a package was built from a trusted source. The worm was able to produce these certificates because it hijacked the legitimate build pipeline itself.”
The malware harvested developer credentials, API keys, cloud secrets, cryptocurrency wallets, and AI-tool credentials, while also propagating itself using stolen GitHub and NPM tokens. Researchers said the malware additionally used decentralised Session network infrastructure for takedown-resistant data exfiltration.
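A defender-side audit for the workflow conditions named above (a pull_request_target trigger, a checkout of the pull request's head, an Actions cache, and OIDC token permission), written as an added example and not code from TanStack, Snyk or any affected project. The function name, severity labels and sample workflow are assumptions made for illustration, and the checks are line-based heuristics rather than a full YAML parse.

```python
import re

# Line-based heuristics (not a YAML parser) for the risky ingredients.
CHECKS = {
    "pull_request_target": re.compile(r"\bpull_request_target\b"),
    "checks_out_pr_head": re.compile(
        r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/"),
    "uses_cache": re.compile(r"uses:\s*actions/cache\b|^\s*cache:\s*\S"),
    "oidc_token": re.compile(r"id-token:\s*write"),
}

def audit_workflow(text):
    """Return ({check: [line numbers]}, severity) for one workflow file."""
    hits = {name: [] for name in CHECKS}
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]          # drop YAML comments
        for name, rx in CHECKS.items():
            if rx.search(code):
                hits[name].append(no)
    found = {name for name, lines in hits.items() if lines}
    if {"pull_request_target", "checks_out_pr_head"} <= found:
        # Fork-controlled code runs in the base repository's context.
        severe = found & {"uses_cache", "oidc_token"}
        return hits, "critical" if severe else "high"
    if "pull_request_target" in found:
        return hits, "review"                 # privileged trigger, no head checkout seen
    return hits, "ok"

# Constructed sample workflow, not taken from any affected project.
RISKY = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    hits, severity = audit_workflow(RISKY)
    print(severity, {k: v for k, v in hits.items() if v})
```

Run it over each file under .github/workflows and treat "high" or "critical" as a prompt to move untrusted builds to the pull_request trigger, or to split them from any job that holds publishing permissions.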