Mini Shai-Hulud npm and PyPI Worm: How TeamPCP Hijacked TanStack, AntV, and OIDC Trusted Publishing in May 2026 (Developer Defense Guide)
Disclaimer: This article is for educational and defensive cybersecurity purposes. The tactics described come from public threat intelligence reports published by npm Inc., GitHub, Snyk, Akamai, Microsoft, Socket, Tenable, and CISA between May 11 and May 28, 2026. If you maintain or publish open-source packages, treat the mitigations below as guidance: validate them against your own threat model and follow your organization's incident response policy. Affected maintainers should consult official advisories from npm Inc. and PyPI first.
On May 11, 2026, a wave of malicious package versions appeared across the @tanstack/* namespace on npm. Within six minutes, attackers published 84 malicious artifacts across 42 packages, including @tanstack/react-router, a routing library with more than 12 million weekly downloads. Eight days later, on May 19, a second burst hit the @antv/* data-visualization ecosystem and adjacent packages such as echarts-for-react (around 1.1M weekly downloads), publishing more than 300 malicious versions across 323 packages in a 22-minute automated window. By the time researchers stopped counting, the worm had touched npm, PyPI, OpenSearch, Mistral AI client libraries, UiPath-related packages, and pieces of the SAP ecosystem.
The threat actor calls this campaign Mini Shai-Hulud. It is the second "Mini" wave in two weeks and the fifth Shai-Hulud variant in eight months. Unlike the original Shai-Hulud, this version is structurally different: it abuses OIDC trusted publishing, the very mechanism the open-source ecosystem promoted to move away from long-lived publish tokens. The TanStack maintainers had two-factor authentication on every account, signed provenance attestations on every release, and short-lived OIDC tokens replacing static credentials. They still got compromised.
I want to walk through what actually happened, why the "best-practice" defense playbook failed against this attack, and what I changed in my own pipelines after spending a weekend auditing every CI workflow across the seven aggregator sites we run alongside the client work at Warung Digital Teknologi.
The Short Version of What Mini Shai-Hulud Is
Mini Shai-Hulud is a self-replicating npm and PyPI worm built to steal secrets from developer machines and CI/CD runners, then use those credentials to publish itself into the next set of packages. It is attributed to a threat actor that goes by TeamPCP, the same group named in the Trivy supply chain breach in March 2026.
The mechanics, summarised from the Akamai, Snyk, Endor Labs, and Socket post-incident write-ups:
- Entry point. A compromised maintainer account or, in the TanStack case, an orphaned commit in a CI workflow that still had OIDC trust federation configured with npm.
- Privilege escalation. The attacker extracts an OIDC token from the GitHub Actions runner process and exchanges it for authenticated publish access across the entire namespace.
- Persistence. Malicious preinstall, postinstall, and prepare lifecycle scripts in newly published versions execute on any developer or CI machine that runs npm install without --ignore-scripts.
- Propagation. The lifecycle scripts scan the host for npm tokens, GitHub PATs, AWS keys, .env files, and SSH keys, exfiltrate them, then attempt to publish poisoned versions of any packages the harvested credentials can write to.
- Pacing. Bursts are automated. TanStack saw 84 versions in 6 minutes. AntV saw 300+ versions in 22 minutes. By the time a human notices, the damage radius has already snowballed.
The Verizon 2026 Data Breach Investigations Report noted that vulnerability exploitation has overtaken credential theft as the top breach vector this year, with confirmed breach counts nearly doubling year-over-year (Verizon, May 2026). Mini Shai-Hulud is a textbook example of why: the attack does not need to phish a single maintainer. It rides on transitive dependencies that millions of pipelines pull automatically.
Why "Did Everything Right" Was Not Enough
The TanStack compromise hurts to read because the maintainers followed the playbook every security blog (including this one) has been telling open-source projects to follow since 2023:
- 2FA enforced on every maintainer account.
- No long-lived npm publish tokens.
- OIDC trusted publishing wired up between GitHub Actions and npm.
- Signed provenance attestations on every release.
The attacker did not bypass any of those controls directly. They found an old branch with a workflow_dispatch trigger and a CI job that still trusted the npm OIDC federation. From that workflow, they extracted the runtime OIDC token, traded it for a publish-scoped npm credential, and published from inside a "legitimate" pipeline. The provenance attestation that npm displays to consumers also looked valid, because it was generated by a real GitHub Actions runner.
The takeaway I keep coming back to: OIDC trusted publishing is only as trustworthy as the workflow file and branch it is scoped to. Scope it to refs/heads/main and a specific workflow filename, or you have effectively replaced one credential with another that lives in your git history forever.
What I Found When I Audited My Own Pipelines
After reading the Snyk and Akamai post-mortems on May 20, I spent a Saturday morning auditing every CI workflow across our seven aggregator sites: softwarepeeks, aicraftguide, hirevane, cybershieldtips, quickexam, wardigi.com, and the horoscope site we run on a separate stack. I also audited two client codebases I am currently active on: a Smart POS for a retail client and a Helpdesk Ticketing system rebuild.
Across those nine projects, here is what I found, with the numbers from the actual audit:
- 4 of 9 repos still ran npm install in CI without --ignore-scripts. Three of those were our internal Vue.js + Next.js stacks. One was a client Laravel project that bundled a small React widget.
- 2 of 9 repos had orphaned workflow_dispatch entries in GitHub Actions that referenced OIDC trust with a third-party registry. Both were from 2024 experiments I had forgotten about.
- 1 of 9 repos stored an npm automation token as a long-lived NPM_TOKEN secret. It had not been rotated since 2025.
- Zero of 9 repos pinned dependencies to exact versions only; most used caret ranges, which is the normal default and exactly the behaviour Mini Shai-Hulud abuses to ship a poisoned 1.2.3-evil version to anyone running npm update.
None of those findings are exotic. They are the boring, easy-to-skip controls that get deferred because "the audit will catch them later." The audit caught them. The attackers would have caught them first.
The 9-Step Mini Shai-Hulud Defense Plan
This list is a synthesis of public guidance from Snyk, Endor Labs, Akamai, Socket, Tenable, and the Microsoft Defender threat intelligence team, combined with what actually moved the needle in our pipelines. Pick the ones that fit your stack and your risk tolerance.
1. Run npm ci --ignore-scripts in CI by default
This is the single highest-impact control available today. The preinstall, postinstall, and prepare hooks are the delivery mechanism for every Shai-Hulud variant documented so far. --ignore-scripts blocks them at install time. Yes, this will break a handful of packages that genuinely need post-install steps (native modules, some build tools). Document them, install them with scripts enabled in a separate isolated step, and keep everything else clean.
2. Pin direct and transitive dependencies
Use package-lock.json (or pnpm/yarn equivalents) committed and unchanged across CI runs. npm ci respects the lockfile and refuses to install anything outside it. For PyPI, pin in requirements.txt with exact versions and hash digests using pip-compile --generate-hashes. Mini Shai-Hulud cannot ship a poisoned version into a build that refuses to install anything but the SHA you already trust.
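For steps 1 and 2, an added example (not code from the original article or from npm) that audits a parsed package-lock.json: it lists the packages that will need a separate scripts-enabled install step, the ranges that still float, and lock entries without an integrity hash or resolved outside the public registry. The function name, issue labels and sample packages are assumptions made for illustration; hasInstallScript, integrity and resolved are the fields npm writes into lockfileVersion 2 and 3.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const REGISTRY = 'https://registry.npmjs.org/';
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // exact version, no ^ ~ * or range

function auditLockfile(lock, allowedScripts = []) {
  if (!lock || typeof lock.packages !== 'object' || lock.packages === null) {
    throw new Error('expected lockfileVersion 2 or 3 (no "packages" map found)');
  }
  const findings = [];
  const root = lock.packages[''] || {};
  // Ranges the project declares itself: anything but an exact version floats on `npm update`.
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(root[field] || {})) {
      if (!EXACT.test(range)) findings.push({ name, issue: 'floating-range', detail: range });
    }
  }
  for (const [path, meta] of Object.entries(lock.packages)) {
    const at = path.lastIndexOf('node_modules/');
    if (at === -1 || meta.link) continue; // skip root, workspace folders and symlinks
    const name = path.slice(at + 'node_modules/'.length);
    // Packages that break under --ignore-scripts unless installed in a separate step.
    if (meta.hasInstallScript && !allowedScripts.includes(name)) {
      findings.push({ name, issue: 'install-script', detail: meta.version });
    }
    if (!meta.integrity && !meta.inBundle) {
      findings.push({ name, issue: 'no-integrity', detail: meta.version });
    }
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) {
      findings.push({ name, issue: 'off-registry', detail: meta.resolved });
    }
  }
  return findings;
}

// Constructed sample lockfile: package names, URLs and hashes are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'demo-router': '^1.2.0', 'demo-native': '2.0.1' } },
    'node_modules/demo-router': { version: '1.2.3', integrity: 'sha512-CONSTRUCTED',
      resolved: REGISTRY + 'demo-router/-/demo-router-1.2.3.tgz' },
    'node_modules/demo-native': { version: '2.0.1', integrity: 'sha512-CONSTRUCTED',
      hasInstallScript: true, resolved: REGISTRY + 'demo-native/-/demo-native-2.0.1.tgz' },
    'node_modules/demo-router/node_modules/demo-util': { version: '0.4.0',
      resolved: 'https://tarballs.example/demo-util-0.4.0.tgz' },
  },
};
console.log(auditLockfile(sampleLock, ['demo-native']));
```

Pass it the result of JSON.parse on your own lockfile, with the second argument set to the packages you have documented as genuinely needing install scripts.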
3. Scope npm OIDC trusted publishing to one workflow file on one branch
Configure the npm trusted-publisher entry to require refs/heads/main and a specific workflow filename, for example .github/workflows/publish.yml. Without this, an attacker who finds an orphaned branch with an OIDC-enabled job can publish on your behalf. Delete every other workflow that requests id-token: write permissions unless it absolutely needs them.
4. Delete unused branches and workflow files
The TanStack compromise traced back to an orphaned branch nobody had touched in months. git branch -r --no-merged main shows everything that has not been merged. Audit it. Delete what is dead. Make protected branches the only ones that can publish.
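For steps 3 and 4, an added example (not from the original article) that scans workflow files collected from every branch and reports any that can request an OIDC token outside the single allowed publisher. The input shape (ref, path, text), the issue labels and the sample files are assumptions; the YAML is matched with regular expressions rather than parsed.

```javascript
// Added example: flag workflow files that can mint OIDC tokens outside the one allowed publisher.
const ALLOWED = { ref: 'refs/heads/main', path: '.github/workflows/publish.yml' }; // assumed policy

function stripComments(yaml) {
  // Naive comment removal for key detection only; this is not a YAML parser.
  return yaml.split(/\r?\n/).map((line) => line.replace(/(^|\s)#.*$/, '')).join('\n');
}

function auditWorkflows(files, allowed = ALLOWED) {
  const findings = [];
  for (const { ref, path, text } of files) {
    const yaml = stripComments(text);
    const canMintToken = /^\s*id-token:\s*['"]?write['"]?\s*$/m.test(yaml) ||
      /^\s*permissions:\s*write-all\s*$/m.test(yaml); // write-all includes id-token
    if (!canMintToken) continue;
    if (ref !== allowed.ref || path !== allowed.path) {
      findings.push({ ref, path, issue: 'oidc-outside-publisher' });
    }
    // A manually dispatchable job holding id-token: write deserves a second look anywhere.
    if (/\bworkflow_dispatch\b/.test(yaml)) {
      findings.push({ ref, path, issue: 'oidc-with-workflow-dispatch' });
    }
  }
  return findings;
}

// Constructed sample: four workflow files across two branches (names are made up).
const sampleFiles = [
  { ref: 'refs/heads/main', path: '.github/workflows/publish.yml',
    text: 'on:\n  release:\n    types: [published]\npermissions:\n  id-token: write\n  contents: read\n' },
  { ref: 'refs/heads/main', path: '.github/workflows/ci.yml',
    text: 'on: [push]\npermissions:\n  contents: read\n  # id-token: write\n' },
  { ref: 'refs/heads/experiment-2024', path: '.github/workflows/publish-test.yml',
    text: 'on:\n  workflow_dispatch:\npermissions:\n  id-token: write # left over\n' },
  { ref: 'refs/heads/main', path: '.github/workflows/docs.yml',
    text: 'on: push\npermissions: write-all\n' },
];
console.log(auditWorkflows(sampleFiles));
```

Each entry's text can be collected with git show <ref>:<path> for every remote branch, so that workflow files surviving only on unmerged branches are included.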
5. Rotate every long-lived token, then stop creating new ones
If you still have NPM_TOKEN, PYPI_API_TOKEN, or equivalent static credentials in your secret store, rotate them now. Then replace them with OIDC trusted publishing (scoped per step 3). On November 5, 2025, npm Inc. invalidated all granular access tokens older than a certain threshold in response to earlier Shai-Hulud activity; if you were depending on those, you already had to migrate. Use that forced migration as the opportunity to remove static publish credentials entirely.
6. Subscribe to a software composition analysis (SCA) feed
Snyk, Socket, Sonatype, GitHub Dependabot, and Endor Labs all published indicators of compromise (IoCs) for Mini Shai-Hulud within hours of the May 11 wave. A free GitHub Advanced Security or Dependabot alert on your repo is the minimum table stakes; it caught Mini Shai-Hulud IoCs in my projects before I had finished my coffee. For client work I bill, I added a Socket free-tier project for early warning.
7. Isolate your developer machine from your publish credentials
If your laptop has an npm session that can publish to a public package your users depend on, your laptop is now production infrastructure. Treat it like one. Don't run untrusted code on it. Don't npm install random repos to "just take a look." On the boxes I use for client work, I keep one user profile with no publish credentials at all and one separate profile that only logs in when I'm cutting a release.
8. Monitor for unexpected version bumps in your namespace
If you own a scope on npm or PyPI, set up a webhook or a polling job that emails you the moment a new version is published. The AntV maintainers learned about the May 19 compromise from third-party security researchers, not from npm. Twenty-two minutes is a long time when 300 versions get published. Be the first to notice.
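The logic a polling job for step 8 could run, as an added example that is not from the original article: it takes the per-version publish timestamps from the registry metadata of every package in a scope and reports windows in which many versions appeared at once. Function names, thresholds and the @demo packages are assumptions; the time map with its created and modified keys is the shape the npm registry returns.

```javascript
// Added example: detect publish bursts across a scope from registry "time" maps.
function publishEvents(packuments) {
  const events = [];
  for (const doc of packuments) {
    for (const [version, iso] of Object.entries(doc.time || {})) {
      if (version === 'created' || version === 'modified') continue; // bookkeeping keys
      const t = Date.parse(iso);
      if (!Number.isNaN(t)) events.push({ pkg: doc.name, version, t });
    }
  }
  return events.sort((a, b) => a.t - b.t);
}

function findBursts(packuments, { windowMinutes = 10, threshold = 5 } = {}) {
  const events = publishEvents(packuments);
  const windowMs = windowMinutes * 60000;
  const spans = [];
  for (let start = 0, end = 0; end < events.length; end++) {
    while (events[end].t - events[start].t > windowMs) start++;
    if (end - start + 1 < threshold) continue;
    const last = spans[spans.length - 1];
    if (last && start <= last.end) last.end = end; // same burst still running
    else spans.push({ start, end });
  }
  return spans.map(({ start, end }) => {
    const hit = events.slice(start, end + 1);
    return {
      from: new Date(hit[0].t).toISOString(),
      to: new Date(hit[hit.length - 1].t).toISOString(),
      versions: hit.length,
      packages: [...new Set(hit.map((e) => e.pkg))].sort(),
    };
  });
}

// Constructed sample: quiet release history, then 6 versions across 3 packages in 5 minutes.
const base = Date.parse('2026-01-10T09:00:00Z');
const iso = (ms) => new Date(ms).toISOString();
const samplePackuments = ['@demo/core', '@demo/router', '@demo/charts'].map((name, i) => ({
  name,
  time: {
    created: iso(base), modified: iso(base + 90 * 864e5),
    '1.0.0': iso(base + i * 864e5), // normal releases, days apart
    '1.1.0': iso(base + (30 + i) * 864e5),
    '1.1.1': iso(base + 90 * 864e5 + i * 60000), // burst, one version per minute
    '1.1.2': iso(base + 90 * 864e5 + (i + 3) * 60000),
  },
}));
console.log(findBursts(samplePackuments));
```

For a single package, npm view <package> time --json prints the same time map that findBursts expects.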
9. Plan your incident response before you need it
Write down, today, the answer to: If a poisoned version of one of my packages ships under my name, who do I call, what gets revoked, and how do I notify users? The maintainers who responded fastest in May had a contact at npm Inc. security, a documented token revocation procedure, and a pinned tweet-or-equivalent template ready to ship. The ones who responded slowest were the ones figuring it out at 2 a.m.
What This Means If You Don't Maintain Open-Source Packages
You can be a consumer-only npm or PyPI user and still get hit by Mini Shai-Hulud. The worm runs in your CI runner the moment your build pulls a poisoned dependency. That is true for every Vue.js, React, Next.js, Astro, Vite, or Python data project that runs npm install or pip install in CI.
The non-maintainer defense is shorter:
- Pin dependencies and use lockfiles. Run npm ci, not npm install, in CI.
- Use --ignore-scripts in CI by default. Add it to a project-level .npmrc if you can.
- Audit transitive dependencies. npm ls @tanstack/react-router and pip show are five-second checks.
- Keep CI runner credentials minimal. If your test job has access to your production database, your test job is a target.
I'd recommend treating the next 60 days as elevated-risk territory. TeamPCP has shipped five Shai-Hulud variants in eight months. The next one will likely target an ecosystem nobody is watching closely, and trusted publishing remains a young technology that researchers are still finding edge cases in.
Authoritative Sources and Where to Track This
If you want to keep up with Mini Shai-Hulud activity beyond this article, the following sources have been first-to-publish on most of the May 2026 waves:
- CISA Known Exploited Vulnerabilities catalog: the authoritative US government list of actively exploited CVEs. (cisa.gov/known-exploited-vulnerabilities-catalog)
- npm Inc. security advisories: published in the npmjs.com blog and through GitHub Security Advisories.
- NIST National Vulnerability Database (NVD): tracks the CVE assigned to this campaign (CVE-2026-45321, per Tenable's FAQ). (nvd.nist.gov)
- Snyk, Socket, Akamai, Endor Labs, and Microsoft Defender threat intelligence blogs: first-party research from the teams who reverse-engineered the worm.
Final Word from the Author
Across eleven years of building production systems for clients (from hotel management suites to mining operations dashboards to the AI-assisted exam generator that powers QuickExam), the supply chain has gone from a once-a-year concern to a weekly one. Mini Shai-Hulud is not the last worm of 2026. It is the one that exposed how thin the OIDC trusted-publishing safety net actually is in real-world configurations.
Audit your CI today. --ignore-scripts is free. Lockfiles are free. Deleting orphaned branches is free. The only thing that costs money is doing it after the worm lands.
Stay safe, and patch early.
About the author: Fanny Engriana is the founder of Warung Digital Teknologi (wardigi.com) and a senior IT consultant with 11+ years shipping production systems for 30+ clients. She also operates seven aggregator sites including CyberShieldTips. Verifiable profile: LinkedIn.