Breaking: 172 Poisoned Packages Spread Worm That Steals Credentials and Persists After Removal
Every development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be considered fully compromised, security researchers warn. On affected systems, the Mini Shai-Hulud worm harvests credentials from over 100 file paths — including AWS keys, SSH private keys, npm tokens, GitHub PATs, and HashiCorp Vault tokens — and for the first time in a TeamPCP campaign, it targets password managers like 1Password and Bitwarden, according to SecurityWeek. The worm also steals AI agent configurations for Claude and Kiro, including MCP server auth tokens for every external service an agent connects to.
Critically, removing the malicious npm or PyPI package does not remove the worm. It installs persistence mechanisms in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-execute every time a project opens, plus a system daemon (macOS LaunchAgent or Linux systemd) that survives reboots. These payloads live in the project tree, not in node_modules, making them invisible to standard package removal. On CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones, on Linux-based runners. If you revoke tokens before isolating the machine, Wiz’s analysis found a destructive daemon wipes your home directory.
Background: How a Valid Provenance Was Poisoned
Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours, the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend’s tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. The vulnerability is tracked as CVE-2026-45321 with a CVSS score of 9.6. OX Security reported 518 million cumulative downloads affected.
Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real — the build pipeline was working as designed. But the packages were poisoned because the attacker exploited an OIDC scope misconfiguration, not a code integrity failure. “TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway,” said Peyton Kennedy, senior security researcher at Endor Labs, in an exclusive interview with VentureBeat. “What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch association is enough to get a valid publish token. That’s a one-line configuration fix.”
TanStack’s postmortem lays out the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration, chosen to avoid fork-list searches per Snyk’s analysis. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack’s runner. The attacker then poisoned the GitHub Actions cache to inject malicious code into the next build, which produced validly signed packages. Three vulnerabilities chained into one provenance-attested worm.
What This Means for Enterprises
This attack demonstrates that current supply chain security tools are insufficient. “You can have perfect provenance, 2FA, and signed commits, and still be compromised if your OIDC trust boundary is too wide,” Kennedy added. “The real lesson is to scope OIDC permissions to the narrowest workflow and branch, and to treat any pull request from a forked repository as untrusted code, even if it passes provenance checks.”
Immediate action steps for organizations include: revoking all tokens and secrets from affected development machines, isolating those machines from production networks, and inspecting any CI runner that processed builds from the compromised packages. Additionally, security teams should audit their OIDC configurations to ensure trusted publishing tokens are scoped to specific workflows and branches, not the entire repository. The worm’s ability to steal AI agent configurations also raises the stakes for organizations using agent-based tooling in development.
As of press time, the malicious packages have been removed from npm and PyPI, but existing infections remain active. Researchers urge all developers to check their environments using the indicators of compromise published by Mend and OX Security. The incident underscores a paradigm shift: supply chain security is no longer just about code signing — it is about controlling every link in the automation chain from fork to publish.