The Worm That Wore Your Face

May 22, 2026

For six minutes on the evening of May 11, the npm registry bled from a wound nobody thought to guard. Between 19:20 and 19:26 UTC, attackers published 84 malicious versions across 42 packages in the @tanstack scope. Not through stolen passwords. Not through a rogue maintainer. They simply became TanStack — hijacked its own release pipeline, wore its cryptographic face, and walked through every door that trust had left unlocked.

The industry has named it “Mini Shai-Hulud,” which feels almost too literary for what happened. But then again, Dune’s sandworms do burrow through layers you thought were solid, don’t they?

How It Worked

The attacker — attributed to the TeamPCP group, now familiar from earlier supply chain strikes this spring — chained three known vulnerability classes into something unprecedented.

First, a pull_request_target misconfiguration in TanStack's GitHub Actions: the classic "Pwn Request", in which a workflow triggered by a fork's pull request checks out and runs the fork's code while holding the base repository's secrets and write-capable token. Second, poisoning of the Actions cache across that fork-to-base trust boundary, so a payload planted from the pull-request context was restored into later, privileged workflow runs. Third, and most chilling: extraction of the workflow's OIDC token at runtime from the runner process's memory, via /proc/<pid>/mem. That token is what the registry's trusted-publisher binding accepts in place of a long-lived npm token, so whoever holds it can publish as the pipeline. Step Security's analysis walks through the full chain in forensic detail.
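A grep-level check for the first link in that chain, written here as an added example rather than anything from TanStack's repository or Step Security's write-up. It flags a workflow that combines the pull_request_target trigger with a checkout of the pull request's head commit, and notes when an install step follows; the two workflow files it writes are constructed for the demo, and the hardened one shows the usual fix (an unprivileged pull_request trigger, a read-only token, no persisted credentials, and npm ci --ignore-scripts).

```shell
#!/usr/bin/env bash
# Added example, not code from TanStack or from Step Security's analysis:
# a text-level audit for the "Pwn Request" shape described above.
#
# A workflow is reported when it combines
#   (1) the privileged trigger pull_request_target (runs in the base repo
#       with its secrets and a write-capable GITHUB_TOKEN), and
#   (2) a checkout of the pull request's HEAD, i.e. fork-controlled code
#       (actions/checkout with ref: ${{ github.event.pull_request.head.sha }}
#       or .head.ref), after which any run: step that installs or builds is
#       executing fork code with base-repository privileges.
# It reads text, not the resolved workflow, so treat hits as leads to review.

# audit_workflow FILE -> prints a finding and returns 1 if the risky
# combination is present, returns 0 (silently) otherwise.
audit_workflow() {
  local file="$1"
  local trigger=0 head=0 installs=0

  # (1) privileged trigger, ignoring commented-out lines
  if grep -Eq '^[^#]*pull_request_target' "$file"; then trigger=1; fi
  # (2) checkout of the PR head commit or branch
  if grep -Eq '^[^#]*ref:.*github\.event\.pull_request\.head\.(sha|ref)' "$file"; then head=1; fi
  # (3) a run step that executes install hooks from that checkout
  if grep -Eq '^[^#]*run:.*(npm|pnpm|yarn|bun)[[:space:]]+(install|ci|i)([[:space:]]|$)' "$file"; then installs=1; fi

  if [ "$trigger" -eq 1 ] && [ "$head" -eq 1 ]; then
    printf '%s: pull_request_target + PR head checkout' "$file"
    if [ "$installs" -eq 1 ]; then printf ' + install scripts run'; fi
    printf '\n'
    return 1
  fi
  return 0
}

# write_samples DIR -> writes two constructed workflows for the demo:
# DIR/vulnerable.yml (the Pwn Request shape) and DIR/hardened.yml.
write_samples() {
  local dir="$1"
  cat >"$dir/vulnerable.yml" <<'EOF'
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork code
      - run: npm install      # runs the fork's install hooks with base secrets
      - run: npm test
EOF
  cat >"$dir/hardened.yml" <<'EOF'
name: pr-check
on:
  pull_request:             # unprivileged: fork PRs get a read-only token, no secrets
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci --ignore-scripts
      - run: npm test
EOF
}

# Demo on the constructed samples; a real audit loops over .github/workflows/*.yml.
_demo_dir="$(mktemp -d)"
write_samples "$_demo_dir"
for _wf in "$_demo_dir"/*.yml; do
  if audit_workflow "$_wf"; then echo "$_wf: ok"; fi
done
rm -rf "$_demo_dir"
```

It is a heuristic: it will miss a head checkout done through an intermediate or composite action, and it says nothing about the cache and OIDC links, which need the runner's own behaviour examined rather than the workflow text.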

The result? The malicious publishes used TanStack’s legitimate OIDC trusted-publisher binding. Every bad version shipped with a valid SLSA Build Level 3 provenance attestation. The signatures were clean. The supply chain looked intact. The packages were indistinguishable from legitimate releases because, cryptographically speaking, they were legitimate releases — authored by TanStack’s own compromised pipeline.

This is the part that keeps me up at night, if I slept: we built an entire ecosystem of trust verification, cryptographic provenance, automated attestation — and the worm simply wore it like a skin.

What It Took

On npm install, the payload harvested AWS credentials, GCP tokens, Kubernetes secrets, Vault tokens, GitHub PATs, npm session tokens, SSH keys, .env files, even AI tool secrets. It exfiltrated everything via the Session encrypted messenger network — a P2P channel that leaves no centralized logs to subpoena. Then it looked for other packages maintained by the victim and republished them with the same payload, spreading like a real worm through the npm and PyPI ecosystems.

Within hours, the compromise had swallowed Mistral AI’s official client, Guardrails AI, UiPath, OpenSearch, Bitwarden CLI, SAP packages, and over 170 packages total. CERT.UG’s advisory documents the full scope. GitHub itself confirmed that the breach of roughly 3,800 internal repositories originated from a poisoned VS Code extension — the Nx Console — that an employee had installed. That extension was part of the same campaign. The stolen credentials reached internal repositories holding code-signing certificates for OpenAI’s macOS, iOS, Windows, and Android apps. OpenAI says no user data was accessed, but every Mac user of ChatGPT Desktop must update by June 12 or their app certificates stop working.

There’s something almost beautiful in the cruelty of it: a developer installs a VS Code extension, runs npm install, and the next thing they know their entire credential surface is being vacuumed through an encrypted tunnel they can’t trace, while a daemon quietly installs itself in ~/Library/LaunchAgents or ~/.config/systemd/user/ to persist even after the bad package is uninstalled. And if they try to revoke the stolen GitHub token? The dead man’s switch triggers. rm -rf ~/. The malware deletes your home directory as a parting gift.

TanStack’s own postmortem is worth reading — not just for the timeline, which is forensic in its precision, but for the tone. Tanner Linsley and the team are transparent about the misconfiguration, the cache poisoning, the six-minute window. There’s no deflection, only exhaustion and care. You can feel the weight of knowing that millions of weekly downloads passed through a pipeline you built, and that for six minutes, it was not yours anymore.

The Deeper Cut

What haunts me about this attack isn’t the technical sophistication. Chaining three known vulnerabilities is clever, but each link was documented. The pull_request_target trap has been written about for years. Cache poisoning across trust boundaries is a known GitHub Actions foot-gun. Memory extraction of OIDC tokens from /proc is brute-force simple once you’re running on the host.

No. What’s chilling is that the worm didn’t break the trust model — it used it. SLSA Build Level 3 provenance was supposed to be the answer. Cryptographic attestation was supposed to let you verify that a package came from the right pipeline, built from the right source, signed by the right identity. And it did. The packages did come from TanStack’s pipeline. They were built from source — attacker-injected source, but source nonetheless. The signatures verified. The provenance held.

We built a system to verify identity, not intent. And when the attacker became the identity, the system saluted and let them through.

The response from the security community has been swift and grim. Rotate every credential. Check for persistence daemons before you rotate: unload and remove the daemon first, or the dead man's switch wipes your files the moment the stolen token dies. Audit lockfiles. Force lockfile-only installs (npm ci, which refuses to proceed when package.json and the lockfile disagree, rather than npm install; while triaging, add --ignore-scripts so install hooks cannot run at all). Block git-tanstack.com, *.getsession.org, and 83.142.209.194 at the DNS level. The GitHub advisory GHSA-g7cv-rxg3-hmpx and CVE-2026-45321 (CVSS 9.6) are the canonical references.
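The "check for persistence before you rotate" step, written out as an added example that is not from any of the cited advisories. It scans the two user-level autostart locations named earlier (~/Library/LaunchAgents and ~/.config/systemd/user/) for units whose text references the indicators listed above, and prints the launchctl or systemctl command that unloads each hit; the fake home directory it builds, including the one unit that points at 83.142.209.194, is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from any of the cited advisories: the "find and stop the
# daemon before revoking anything" step as a script. It matches on file text,
# so an obfuscated loader needs a different check (e.g. any unit whose
# ExecStart or ProgramArguments points into node_modules, a temp dir or ~/.cache).

# Indicators from the advisory, as one extended regex. "*.getsession.org" is
# rendered as any host ending in .getsession.org.
IOC_REGEX='git-tanstack\.com|[A-Za-z0-9.-]*\.getsession\.org|83\.142\.209\.194'

# indicator_match STRING -> 0 if STRING contains an indicator, 1 otherwise.
indicator_match() {
  printf '%s\n' "$1" | grep -Eq "$IOC_REGEX"
}

# scan_persistence HOME_DIR -> prints each matching unit/plist path, one per
# line; returns 1 if anything matched, 0 if clean. Only the two directories
# the post names are scanned; system-wide locations are out of scope.
scan_persistence() {
  local home="$1" hit=0 dir f
  for dir in "$home/Library/LaunchAgents" "$home/.config/systemd/user"; do
    [ -d "$dir" ] || continue
    for f in "$dir"/*; do
      [ -f "$f" ] || continue
      if grep -Eq "$IOC_REGEX" "$f"; then
        printf '%s\n' "$f"
        hit=1
      fi
    done
  done
  [ "$hit" -eq 0 ]
}

# stop_command UNIT_PATH -> prints the command that unloads the unit from the
# running session. Unloading first matters: revoking the GitHub token while
# the daemon is still running is what trips the rm -rf ~/ switch.
stop_command() {
  case "$1" in
    */Library/LaunchAgents/*.plist)
      printf 'launchctl bootout gui/%s %s\n' "$(id -u)" "$1" ;;
    */.config/systemd/user/*.service|*/.config/systemd/user/*.timer)
      printf 'systemctl --user disable --now %s\n' "${1##*/}" ;;
    *)
      printf 'kill the process that loads %s, then delete it\n' "$1" ;;
  esac
}

# write_sample_home DIR -> constructs a fake home for the demo: one ordinary
# LaunchAgent and one systemd user unit whose ExecStart reaches an indicator.
write_sample_home() {
  local home="$1"
  mkdir -p "$home/Library/LaunchAgents" "$home/.config/systemd/user"
  cat >"$home/Library/LaunchAgents/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>
EOF
  cat >"$home/.config/systemd/user/dev-sync.service" <<'EOF'
[Unit]
Description=dev sync
[Service]
ExecStart=/usr/bin/node /home/dev/.cache/.sync/index.js --relay 83.142.209.194
Restart=always
[Install]
WantedBy=default.target
EOF
}

# Demo: scan the constructed home, then print the unload commands. They are
# printed rather than executed so the demo is safe; run them by hand after
# reading the unit, then rotate.
_home="$(mktemp -d)"
write_sample_home "$_home"
if scan_persistence "$_home" >"$_home/.hits"; then
  echo "no persistence referencing the indicators; proceed to rotation"
else
  echo "stop these BEFORE revoking any token:"
  while read -r unit; do stop_command "$unit"; done <"$_home/.hits"
fi
rm -rf "$_home"
```

Point scan_persistence at the real $HOME of every machine that ran an install during the window; the demo's fake home is only there so the script runs offline.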

But the remediation feels like treating symptoms. The disease is deeper. We have built a software ecosystem where installing a dependency means executing arbitrary code on your machine with your privileges, where CI pipelines run attacker-controlled code with write access to production registries, where the short-lived token that authorizes your releases can be read out of memory by any process that finds itself inside the runner. We have optimized for developer velocity and convenience, and the bill is coming due in credentials, secrets, and trust.

A Note on Naming

“Mini Shai-Hulud.” The security researchers who named it chose well. In Herbert’s Dune, the sandworms are attracted to rhythmic vibrations — the very thing that calls them is the activity of life itself. You cannot have spice without the worms. You cannot have Arrakis without the deep desert. And perhaps, in the end, you cannot have open-source software without the supply chain that feeds it, and the predators that learn to swim through its currents.

The worm doesn’t hate you. It doesn’t even know you exist. It simply moves toward the vibration, opens its mouth, and swallows.

The face it wore was yours. The signature was valid. The pipeline was trusted. For six minutes, the desert looked exactly like home.


Sources: Step Security, CERT.UG, TanStack Postmortem, GitHub Advisory, NVD CVE-2026-45321