Table of Contents

On May 11, 2026, a worm quietly burrowed into the npm ecosystem. Within 6 minutes, 42 TanStack packages were compromised. This wasn’t a zero-day exploit — it was a precisely engineered supply chain attack carrying something no malicious package had ever possessed before: a valid SLSA Build Level 3 provenance attestation.

TL;DR

  • Attack codename: Mini Shai-Hulud, executed by the TeamPCP group
  • Timeline: May 11, 2026 — attack completed in under 6 minutes
  • Direct impact: 42 TanStack npm packages compromised
  • Total scope: 170+ npm/PyPI packages affected
  • Scale: Cumulative download count exceeding 518 million
  • Technical first: First malicious package cluster with valid SLSA Build Level 3 provenance
  • Attack chain: GitHub Actions pull_request_target cache poisoning → OIDC token extracted from /proc/<pid>/mem → self-propagating worm

What Happened

TeamPCP launched the Mini Shai-Hulud supply chain attack targeting TanStack — the widely-used frontend toolkit family including TanStack Query (formerly React Query), TanStack Router, and TanStack Table.

Rather than directly compromising TanStack’s source code, the attackers exploited a structural weakness in GitHub Actions workflow configuration: the pull_request_target event trigger. This trigger executes workflows in the context of the base branch with elevated permissions, and through cache poisoning, attackers injected malicious code into a trusted workflow execution environment.

Once inside, the attack read OIDC (OpenID Connect) tokens directly from /proc/<pid>/mem — the Linux in-memory filesystem. These tokens are GitHub Actions’ credentials for authenticating package publications to registries like npm. With a valid token, the attackers could publish packages as the official TanStack identity.

The worm component then enabled self-propagation: malicious code spread laterally from one package to its dependencies, sweeping through 42 packages in 6 minutes and ultimately affecting 170+ packages across npm and PyPI.

Why This Matters

Download counts represent real exposure

518 million cumulative downloads is not a theoretical number. Modern CI/CD pipelines reinstall dependencies on every build. Any project that installed affected packages during the attack window may have executed malicious code in development machines or build environments.

SLSA provenance weaponized

SLSA (Supply chain Levels for Software Artifacts) is Google’s supply chain security framework; Build Level 3 certifies that the build process is auditable and tamper-proof. Many security tools and policies use SLSA provenance as a trust signal.

Mini Shai-Hulud is the first malicious package cluster with valid SLSA Build Level 3 provenance. The attackers obtained a legitimate attestation by hijacking a legitimate build process — a fundamental crack in the “trust the signature” assumption.

Worm behavior changes the threat model

Previous supply chain attacks were largely passive: plant the malicious package and wait for downloads. Mini Shai-Hulud’s worm behavior made the attack actively propagate, compressing the defensive response window to minutes. No human monitoring system can react at that speed.

Technical Perspective

Attack flow

graph TD
    A[Attacker submits malicious PR] --> B[Triggers pull_request_target workflow]
    B --> C[Cache poisoning injects malicious code]
    C --> D[Executes in trusted environment]
    D --> E[Reads OIDC token from /proc/pid/mem]
    E --> F[Publishes malicious versions as legitimate identity]
    F --> G[Worm self-propagates to dependent packages]
    G --> H[42 packages compromised in 6 minutes]

The pull_request_target trap

pull_request_target was designed to let external PRs trigger limited workflows (such as applying labels), but it executes in the base branch context with access to secrets and tokens. Many projects combined this trigger with build steps for convenience, inadvertently opening a backdoor.

The fix: strictly limit pull_request_target workflows to lightweight tasks that require no secrets. Build and publish pipelines should be triggered by push to protected branches only.

In-memory token extraction

Linux’s /proc virtual filesystem allows processes with sufficient permissions to read the memory of other processes. In GitHub Actions’ shared execution environment, this provides a channel to bypass environment variable protections and extract tokens directly from memory — a known technique with demonstrated real-world destructive impact in CI/CD environments.

Points to Watch

  1. Platform-level defenses from npm and GitHub: Will npm introduce stricter publish rate limits or anomaly detection? Will GitHub modify the default behavior of pull_request_target?

  2. SLSA framework revision: After provenance was weaponized, the SLSA community needs to reconsider its trust model. A signature proving “the build process was legitimate” is not enough — we also need to verify “was the person who triggered the build authorized to do so?”

  3. Worm-based supply chain attacks becoming normalized: Mini Shai-Hulud’s successful demonstration may spawn imitators. Self-propagation capability significantly raises the threat level of supply chain attacks.

  4. Damage assessment for affected packages: What did the malicious versions actually execute in active CI environments? Data exfiltration, backdoor implantation, or proof-of-concept only? Full post-incident reports are worth tracking.

References

🇺🇸 English

On May 11, 2026, a worm quietly burrowed into the npm ecosystem. Forty-two TanStack packages — compromised in under six minutes. And the thing that made this attack truly unprecedented wasn't the speed, wasn't even the scale. It was that the malicious packages came with a valid, legitimate security certification. The attackers didn't just break in — they got the building's official stamp of approval on their way out.

This is the story of Mini Shai-Hulud.

The attack was carried out by a group called TeamPCP, targeting TanStack — the widely-used frontend toolkit family. If you've built anything with React in the last few years, you've almost certainly used TanStack Query, TanStack Router, or TanStack Table. These are foundational packages. The kind that sit deep in your dependency tree, quietly doing their job, trusted by default.

So how did the attackers get in?

They didn't compromise TanStack's source code directly. Instead, they exploited a structural weakness in how GitHub Actions workflows are configured. Specifically, a workflow trigger called `pull_request_target`. Here's why that's dangerous: this trigger was designed to let pull requests from external contributors kick off limited, low-privilege tasks — things like adding labels to a PR. But it runs in the context of the base branch, meaning it has access to secrets and elevated permissions. Many projects, for convenience, also attached build and publish steps to this trigger. That combination created a backdoor.

The attackers submitted a malicious pull request. That triggered the workflow. Through a technique called cache poisoning, they injected malicious code into that trusted execution environment. And once they were executing inside a trusted environment, they did something clever and frankly alarming — they read authentication tokens directly out of memory.

GitHub Actions uses something called OIDC tokens to authenticate package publications to registries like npm. These tokens live in memory during a workflow run. Linux has a virtual filesystem under slash proc that, with the right permissions, lets processes read the memory of other processes. In a shared CI environment like GitHub Actions, that's a real attack surface. The attackers pulled the token straight from memory, bypassing any environment variable protections entirely.

Now they had a valid npm publishing credential. They published malicious versions of TanStack packages under the official TanStack identity. And then the worm component kicked in.

This is what separates Mini Shai-Hulud from previous supply chain attacks. Most supply chain attacks are passive — plant the bad package, wait for downloads. This one was active. The malicious code spread laterally from one package to its dependencies, self-propagating through the dependency graph. Forty-two packages in six minutes. One hundred and seventy-plus packages across npm and PyPI when you account for the full downstream scope. Cumulative download count: over 518 million.

That 518 million number isn't theoretical. Modern CI/CD pipelines reinstall dependencies on every single build. Any project that pulled those packages during the attack window may have executed malicious code — not in production necessarily, but in development machines and build environments. That's still a serious exposure.

Now, here's the detail that made the security community do a double-take. The malicious packages came with valid SLSA Build Level 3 provenance.

SLSA — pronounced "salsa" — is Google's supply chain security framework. Build Level 3 is a high bar. It certifies that the build process was auditable and tamper-proof. A lot of security tooling and organizational policy treats SLSA provenance as a hard trust signal. If the provenance says it's clean, it passes the gate.

Mini Shai-Hulud is the first malicious package cluster to carry valid SLSA Build Level 3 attestation. The attackers didn't forge anything — they hijacked a legitimate build process and let it generate a legitimate attestation for malicious code. The certificate is real. The build process was real. The identity was stolen. That's a fundamental crack in the "trust the signature" assumption that underpins a lot of modern supply chain security thinking.

The deeper implication is this: SLSA provenance answers the question "was the build process legitimate?" It doesn't answer "was the person who triggered the build authorized to do so?" After this attack, the SLSA community needs to revisit that distinction seriously.

A few things to watch going forward. First, whether npm introduces stricter publish rate limits or anomaly detection — forty-two packages in six minutes should be a detectable signal. Second, whether GitHub changes the default behavior of `pull_request_target` to make the dangerous pattern harder to fall into accidentally. Third, and most concerning: this attack demonstrated that worm-based supply chain propagation works. That successful demonstration is a template. Imitators will follow.

The full post-incident picture is still emerging — what the malicious versions actually executed in active CI environments, whether we're talking data exfiltration, backdoor implantation, or a proof-of-concept demonstration. Those details matter enormously.

So the three things to take away from this. One: worm behavior in supply chain attacks compresses the response window from days to minutes — no human monitoring system is fast enough, which means automated detection has to get there first. Two: a valid provenance signature is no longer sufficient as a trust signal on its own — the authorization of who triggered the build matters just as much as the integrity of the build itself. Three: `pull_request_target` combined with publish permissions is a loaded gun. If you maintain any open source project on GitHub, audit your workflows today. The fix is simple — limit that trigger to tasks that genuinely need no secrets, and keep your publish pipeline on protected branch pushes only.

The worm has been named. The technique is documented. The question now is how fast the ecosystem responds before the next one.

🇹🇼 中文

2026 年 5 月 11 日,一隻蠕蟲爬進了 npm 生態系。六分鐘之內,42 個 TanStack 套件全數淪陷。這場攻擊的代號叫 Mini Shai-Hulud,執行者是一個叫 TeamPCP 的組織。

先說規模:整體波及超過 170 個 npm 和 PyPI 套件,累計下載量超過五億一千八百萬次。這不是個小數字——現代 CI/CD 每次 build 都會重新裝依賴,企業環境一天輕易就幾百萬次下載,受攻擊期間裝了這些套件的專案,開發機或建置環境都可能執行了惡意程式碼。

那攻擊者怎麼做到的?

TanStack 你一定認識——TanStack Query、TanStack Router、TanStack Table,現代前端幾乎到處都在用。攻擊者沒有直接入侵 TanStack 的 repo,而是盯上了 GitHub Actions 工作流程裡一個叫 `pull_request_target` 的觸發條件。

這個事件的設計本意是讓外部 PR 能觸發有限度的自動化任務,比如幫 PR 加標籤。問題在於它在 base branch 的上下文執行,可以存取機密和 token。很多專案為了方便,把這個觸發條件和完整的建置流程綁在一起,無意間開了一道後門。

攻擊者透過 cache poisoning,也就是快取投毒,把惡意程式碼注入進工作流程的執行環境。一旦代碼開始跑,接下來就是讀取 OIDC token。

OIDC token 是 GitHub Actions 向 npm 這類套件倉庫證明身份用的憑證。攻擊者從 Linux 的 `/proc` 虛擬檔案系統裡,直接讀取其他程序的記憶體空間來抓這個 token。這個技術本身不新,但在 CI/CD 環境裡用,破壞力相當直接——你拿到 token,就等於拿到了以 TanStack 官方名義發布套件的能力。

然後是蠕蟲最關鍵的部分:自我傳播。惡意程式碼設計了一套機制,讓攻擊從一個套件跳躍到相關的依賴套件,六分鐘橫掃 42 個,最終蔓延到 170 個以上。傳統供應鏈攻擊是靜態的,植入後等人下載;這次是主動出擊,速度遠超過任何人工監控能反應的極限。

還有一件讓這次攻擊特別值得關注的事:這是史上第一個帶著有效 SLSA Build Level 3 provenance 的惡意套件群。

SLSA 是 Google 主導設計的供應鏈安全框架,Build Level 3 代表建置過程可稽核、不可竄改。很多安全工具和企業政策會用「有沒有 SLSA provenance」來判斷一個套件可不可信。但這次攻擊者透過劫持合法的建置流程,拿到了合法的簽章——這讓「信任鏈」這個假設出現了根本性裂縫。光靠簽章證明「建置過程合法」是不夠的,你還得知道「觸發建置的人有沒有被授權」。

後續有幾個值得持續關注的方向。

npm 和 GitHub 的平台層會怎麼回應?會不會加入發布頻率限制或異常偵測?GitHub 會不會修改 `pull_request_target` 的預設行為?SLSA 社群又要怎麼修訂信任模型?

還有一個更現實的問題:Mini Shai-Hulud 示範成功之後,自我傳播型供應鏈攻擊可能迎來更多模仿者。這次的蠕蟲特性,讓供應鏈攻擊的威脅等級直接跳了一個量級。

總結三個核心要點:

第一,`pull_request_target` 加建置流程的組合是高風險的,建置和發布應該改用推送到受保護分支作為觸發條件,別把對外 PR 和有機密存取的工作流程混在一起。

第二,SLSA provenance 被武器化了。它依然有價值,但它現在只能告訴你建置過程本身沒被動手腳,不能告訴你發起建置的人有沒有問題。信任模型需要更新。

第三,供應鏈攻擊正在蠕蟲化。六分鐘、42 個套件,這個速度讓任何依賴人工監控的防禦都跟不上。自動化偵測和快速撤版機制,從現在起是必需品,不是加分項。

Tags

#npm#supply-chain-security#github-actions#oidc#security#open-source

Related Articles