"Mini Shai-Hulud" Supply Chain Worm Compromises TanStack, Mistral AI, and 170+ npm/PyPI Packages (CVE-2026-45321)

Scope: npm (@tanstack, @mistralai, @uipath, @squawk, and others) / PyPI (mistralai, guardrails-ai)

Severity: Red

On May 11, 2026, TeamPCP launched the most sophisticated wave yet of their self-propagating "Mini Shai-Hulud" supply chain worm, compromising over 170 packages across npm and PyPI — including TanStack (@tanstack/react-router with 12+ million weekly downloads), Mistral AI, Guardrails AI, UiPath, OpenSearch, Bitwarden CLI, and SAP packages — by hijacking legitimate CI/CD OIDC tokens through a GitHub Actions pull_request_target cache poisoning technique, producing the first ever malicious npm packages carrying valid SLSA Build Level 3 cryptographic provenance attestations, making them indistinguishable from legitimate releases. The embedded credential-stealing malware harvests GitHub tokens, npm tokens, AWS credentials, Kubernetes secrets, SSH keys, .env files, and AI tool secrets, exfiltrating via the Session P2P network, while also establishing persistence through Claude Code hooks and VS Code auto-run tasks, with a destructive routine capable of wiping systems. Any developer or CI environment that installed affected packages on May 11, 2026 should be treated as compromised — rotate all credentials immediately, enforce lockfile-only installs, check for persistence files router_runtime.js and setup.mjs, and block C2 domains api.masscan.cloud, git-tanstack.com, and *.getsession.org.

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.