mini Shai-Hulud
Mini Shai-Hulud is a self-propagating supply-chain malware family, primarily documented as an npm-propagating worm and credential stealer, and repeatedly linked in reporting to the threat actor TeamPCP. It has been used in multiple software supply-chain incidents affecting the JavaScript ecosystem and related developer tooling, including compromises involving SAP-related packages, TanStack, Mistral AI, UiPath, AntV-related packages, Red Hat Cloud Services packages, and the Python package durabletask. TeamPCP reportedly open-sourced the malware’s source code in May 2026, after which researchers noted copycat activity and derivative variants such as Miasma.
Across reported campaigns, Mini Shai-Hulud commonly executes automatically during package installation via npm preinstall hooks or related install-time mechanisms. In npm incidents, malicious payloads were embedded in files such as index.js, setup.mjs, router_init.js, or related loaders, often heavily obfuscated and sometimes using Bun to stage or execute secondary payloads. In the durabletask PyPI compromise, malicious versions 1.4.1, 1.4.2, and 1.4.3 contained a dropper that fetched a second-stage payload named rope.pyz from check.git-service[.]com. Reporting describes the malware as Linux-focused in at least some Python-stage deployments.
Its core capability is broad credential and secret theft from developer workstations, CI/CD runners, and cloud-connected environments. Reported targets include npm tokens and ~/.npmrc, PyPI credentials and ~/.pypirc, GitHub tokens and GitHub Actions secrets, AWS credentials, GCP credentials, Azure credentials, CircleCI tokens, HashiCorp Vault tokens, Kubernetes service account tokens and kubeconfig files, Docker credentials, SSH private keys, GPG material, .env files, password-manager data, VPN configurations, shell history, and other developer secrets. Some reporting states it can read GitHub Actions runner memory or /proc/{pid}/mem to recover masked environment variables and secrets.
A defining characteristic is worm-like propagation. The malware validates harvested npm tokens, enumerates packages the victim can publish, injects malicious code into those packages, bumps versions, and republishes them, including abuse of npm automation tokens with bypass_2fa: true. Reporting also describes propagation through GitHub repositories and workflows, creation of GitHub repositories containing encrypted stolen credentials, and use of GitHub APIs or commit messages as fallback exfiltration or command-and-control mechanisms. In cloud environments, some analyses state it can propagate to other AWS EC2 instances via SSM and through Kubernetes using kubectl exec.
Observed persistence and post-compromise behaviors include writing malicious VS Code .vscode/tasks.json entries with runOn set to folderOpen, adding Claude Code SessionStart hooks in ~/.claude/settings.json, and in some reports installing Linux or macOS persistence artifacts. Some analyses also describe anti-analysis or region-based execution logic, including exiting on Russian locale settings and a reported destructive branch affecting Israeli or Iranian system settings.
The malware family has been associated with numerous large-scale package compromises. Reported incidents include 84 compromised @tanstack package versions plus adjacent packages on 2026-05-11; 637 malicious versions across 317 npm packages in an AntV-related wave on 2026-05-19; and 32 @redhat-cloud-services packages with 96 malicious versions on 2026-06-01 in the Miasma campaign. Additional reporting states Mini Shai-Hulud spread through packages such as echarts-for-react, size-sensor, timeago.js, and many @antv packages, with some incidents affecting millions of downstream downloads.
High-confidence indicators mentioned in the content include filenames and artifacts such as index.js, setup.mjs, execution.js, router_init.js, router_runtime.js, tanstack_runner.js, rope.pyz, transformers.pyz, pgmonitor.py, malicious preinstall hooks executing node index.js, Git dependency @tanstack/setup pointing to github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c, domains and infrastructure including check.git-service[.]com, git-tanstack.com, filev2.getsession.org, api.masscan.cloud, and api.github.com used in campaign workflows, as well as campaign strings including "A Mini Shai-Hulud has Appeared" and Dune-themed references. Derivative campaigns such as Miasma replaced Dune theming with Greek mythology references while retaining the same credential-stealing and self-propagating design.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
TeamPCP ... has been linked to the compromise of the npm and PyPI packages ... as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution environment and launch a comprehensive credential stealer ... Another new behavior introduced in the obfuscated JavaScript malware is the installation of a dead-man's switch ... Should the developer revoke the token ... the script triggers a destructive routine that executes "rm -rf ~/" on the infected machine, essentially turning it into a wiper malware. | The TanStack supply chain compromise has been assigned the CVE identifier CVE-2026-45321. It carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. The incident has impacted 42 packages and 84 versions across the TanStack ecosystem.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
News of the sale comes as TeamPCP's self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of durabletask, an official Microsoft Python client for the Durable Task workflow execution framework.
TanStack npm packages compromised: inside the Mini Shai-Hulud supply chain attack ... The TanStack attack is not an isolated incident. It is the latest wave in a series of npm supply chain attacks using the Shai-Hulud worm toolchain.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
5 techniquesAll packages were published using compromised GitHub Actions OIDC tokens from the RedHatInsights/javascript-clients repository.
The executed code scans for and attempts to exfiltrate the following: AWS, GCP, and Azure cloud credentials
TeamPCP, a threat actor behind a string of software supply chain attacks targeting open-source packages... GitHub said it detected and contained a compromise of an employee device involving a poisoned Microsoft Visual Studio Code extension.
TeamPCP, a threat actor behind a string of software supply chain attacks targeting open-source packages, listed GitHub's source code for sale.
TeamPCP's self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of durabletask, an official Microsoft Python client... Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.
Execution
5 techniquesit uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload... and runs it in the background.
The malicious packages contain multi-stage credential harvester that execute automatically via preinstall hooks during npm install.
It appears the malware was added via npm preinstall hooks: Whenever a developer or build system ran "npm install" for an affected package, the malicious code was automatically executed.
The packages contained newly added installation-time execution mechanisms, including preinstall scripts that automatically invoked a malicious index.js file during package installation.
After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.
Persistence
3 techniquesAll packages were published using compromised GitHub Actions OIDC tokens from the RedHatInsights/javascript-clients repository.
The executed code scans for and attempts to exfiltrate the following: AWS, GCP, and Azure cloud credentials
Privilege Escalation
4 techniquesAlso reading directly from the GitHub Actions Runner’s memory to find environment vars on the runner itself.
All packages were published using compromised GitHub Actions OIDC tokens from the RedHatInsights/javascript-clients repository.
The executed code scans for and attempts to exfiltrate the following: AWS, GCP, and Azure cloud credentials
Stealth
6 techniquesThe payloads consisted of unusually large, heavily obfuscated JavaScript files employing eval() and ROT-based decoding techniques to conceal their functionality.
Also reading directly from the GitHub Actions Runner’s memory to find environment vars on the runner itself.
All packages were published using compromised GitHub Actions OIDC tokens from the RedHatInsights/javascript-clients repository.
The executed code scans for and attempts to exfiltrate the following: AWS, GCP, and Azure cloud credentials
Credential Access
7 techniquesThe payload queries the GitHub Actions runtime API using ACTIONS_RUNTIME_TOKEN to enumerate variables flagged isSecret: true, then reads those values directly from /proc/{pid}/mem of the Runner.Worker process.
Initial access via a compromised token from previous attacks or a vulnerable GitHub Action
The payload targets secrets from GitHub Actions, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm tokens, and CircleCI.
General .env files throughout the filesystem ... SSH ~/.ssh/id_rsa, ~/.ssh/id_ed25519, all private key files ... ~/.aws/credentials
Specifically, it's designed to activate a full-featured infostealer that's capable of harvesting credentials associated with major cloud providers
the 28KB Python stealer also attempts to read HashiCorp Vault KV secrets, unlock and dump 1Password and Bitwarden password vaults, and access SSH keys, Docker credentials, VPN configurations, and shell history.
The attacker compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to the PyPi token to publish directly.
Discovery
2 techniquesLateral Movement
3 techniquesIf it's inside Kubernetes, it propagates through kubectl exec... After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.
After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.
The propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com, and runs it in the background.
Collection
1 techniquethe 28KB Python stealer also attempts to read HashiCorp Vault KV secrets, unlock and dump 1Password and Bitwarden password vaults, and access SSH keys, Docker credentials, VPN configurations, and shell history.
Command and Control
2 techniquesthe propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com... Also notable is the use of the FIRESCALE mechanism to identify a backup command-and-control (C2) address in the event the primary domain is unreachable.
the preinstall script ... ran a bloated, heavily obfuscated index.js loader, which then pulled down and executed a payload designed to vacuum up secrets
Exfiltration
1 techniqueGitHub said... the activity involved exfiltration of GitHub-internal repositories only... it's designed to activate a full-featured infostealer... and exfiltrating the data to the attacker-controlled domain.
Impact
1 techniqueif it detects Israeli or Iranian system settings, there's a 1-in-6 chance it plays audio and then runs rm -rf /*.
IOCs tracked for this family
153 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
60 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An npm-propagating worm used in supply-chain incidents. It spreads by republishing accessible npm packages with a malicious preinstall payload and steals credentials and secrets from developer and CI/CD environments.
An open-sourced malware lineage/tooling basis for npm supply-chain compromises. In this content it is described as the structural predecessor of Miasma, sharing the same core architecture including obfuscation, Bun-executed payload staging, credential theft, GitHub Actions secret extraction, and worm-like propagation via stolen npm tokens.
A malware framework linked to broader 2026 supply-chain attacks affecting npm and other software ecosystems. In this content, Miasma is described as a variant of Mini Shai-Hulud and the campaign is linked to broader Mini Shai-Hulud supply-chain attacks.
A malicious npm supply-chain payload delivered via a preinstall hook that steals credentials and tokens from developer and build environments, including cloud keys, GitHub Actions tokens, Vault tokens, Kubernetes credentials, SSH keys, and package publishing tokens. It also attempts to use harvested npm tokens to publish backdoored packages with npm’s bypass_2fa parameter, making it self-propagating.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.