At some point on Tuesday morning, an npm account called atool published a new version of echarts-for-react, a React wrapper for Apache ECharts that pulls roughly 1.1 million weekly downloads. The version did not contain a charting fix. It contained a 498KB obfuscated Bun bundle whose first job was to scan the machine that installed it for AWS keys, GitHub tokens, npm publish credentials, and the contents of every .env file it could find.
Twenty minutes later, the same worm had published 637 malicious versions across 317 packages under the same maintainer's name, including @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g2plot, @antv/graphin, and @antv/data-set. SafeDep, which tracks open-source supply chain attacks in real time, called it the largest single-account compromise in the campaign so far.
This is the second documented Mini Shai-Hulud wave in eight days. The first one hit on May 11, breached TanStack, infected packages from Mistral AI and Guardrails AI, and reached two laptops inside OpenAI's corporate network. The attackers, a group tracked as TeamPCP, are the same crew that poisoned PyTorch Lightning on PyPI two weeks earlier. They have now shown they are not done.
If you ship code that pulls from npm, this is not a story to skim. The worm is self-replicating, the registry is the delivery vehicle, and the payload reaches every device that runs npm install.
What Mini Shai-Hulud Actually Does
Mini Shai-Hulud is a worm, which is the operative word. It does not just poison one package and wait. It uses the credentials it steals to log into other packages the victim has write access to, then publishes poisoned versions of those too.
Wiz, Snyk, Endor Labs, and SafeDep have now each published independent reverse-engineering reports on the payload. The core behavior is consistent across waves.
The malware ships as a single-line, 498KB obfuscated Bun bundle sitting in the package's index.js. When a developer or CI runner installs the package, the bundle scans for high-value secrets, including npm tokens, GitHub Actions OIDC tokens, AWS credentials, Kubernetes secrets, SSH keys, password manager files, and dotenv files. It bundles those into chunks, with a 100KB flush threshold to avoid one giant suspicious request, and exfiltrates them to attacker infrastructure.
On developer machines, the payload installs a persistent daemon called gh-token-monitor. The daemon polls GitHub every 60 seconds to check whether the stolen tokens still work. If GitHub returns a 40X error, meaning the token has been revoked, the daemon attempts to run rm -rf ~/, wiping the user's home directory in retaliation. The destructive handler self-disables after 24 hours, but only on machines where the daemon stays online that long.
This is the layered piece of the design that worries practitioners most. The malicious package can spread even if the developer never notices it is installed, and the wiping handler is timed to fire while the team is still figuring out what happened.
| What the worm steals | Why it matters |
|---|---|
| npm publish tokens | Lets the worm push poisoned versions to every package the victim maintains |
| GitHub Actions OIDC tokens | Lets the worm trigger production CI workflows under the victim's identity |
| AWS credentials | Direct access to cloud infrastructure |
| Kubernetes secrets | Cluster-level access including service account keys |
| SSH keys | Lateral movement into internal servers |
| Password manager files and .env | Application secrets, API keys, database URLs |
How It Unfolded
The campaign began publicly eight days ago and has accelerated since.
The pattern across waves is the same. Compromise a maintainer with broad publishing rights, push a coordinated burst of malicious versions inside a few minutes, and let the worm find its next victim from inside developer machines and CI runners.
Why This One Hurts AI Teams Specifically
Most supply chain attacks have a general developer-tooling target. Mini Shai-Hulud has a precise one. The packages it has hit so far are not random.
The TanStack ecosystem is one of the most-installed React stacks on the planet. @tanstack/react-router alone has roughly 12 million weekly downloads, and @tanstack/react-query underpins most modern data-fetching code in production React applications. Many AI startup dashboards, observability tools, and model-serving frontends ship some piece of TanStack.
@antv and echarts-for-react are the de facto charting stacks for data-science web apps. Most ML model demos, experiment dashboards, and BI tools written in React pull at least one of them.
Mistral AI's official npm SDK was poisoned in the first wave. Guardrails AI, an LLM safety toolkit used in production by many enterprises, was also affected. The attack ladder is deliberate. Hit the libraries that AI teams install most often, then steal the credentials those teams keep close to the model layer.
OpenAI's disclosure makes the point bluntly. The company confirmed that the worm reached two employee corporate devices, that credential material was exfiltrated from internal source code repositories, and that it had to revoke and re-sign every iOS, macOS, Windows, and Android code-signing certificate in those repos. The Record reported on May 14 that OpenAI also asked macOS users to update affected apps after the breach, since the original code-signing trust chain was now considered tainted.
OpenAI said it found "no evidence that user data was accessed, that production systems or intellectual property were compromised, or that software was altered." That is the right thing to say, and probably true. But the fact that a frontier AI lab had to publish a corporate-device breach notice tied to an npm package is the headline that should not get lost.
If a worm can hop from an npm registry into OpenAI, it can hop into any AI team's CI runner.
What To Do Before the Next Wave
The attackers are still operating. StepSecurity, Wiz, Snyk, Endor Labs, and SafeDep have all advised the same set of immediate steps for any team that ships JavaScript or Python from a public registry.
If you have run npm install against an unpinned @tanstack/*, @antv/*, echarts-for-react, @mistralai/*, or @guardrails/* package since May 11, treat any machine that ran the install as compromised until proven otherwise.
The remediation checklist most teams are working off this week:
- Pin every dependency. Remove caret and tilde ranges from `package.json` for high-blast-radius libraries. Use exact versions and lockfiles.
- Rotate every credential the worm targets. That means npm publish tokens, GitHub Actions OIDC tokens, AWS access keys, Kubernetes service account tokens, SSH keys, and any application secrets stored in `.env`.
- Audit GitHub Actions workflows. The TanStack postmortem traced the original compromise to overly permissive CI configuration. Restrict `id-token: write` and `permissions:` blocks to the minimum each job actually needs.
- Block outbound traffic from CI runners to any host not on an explicit allow list. The worm exfiltrates secrets to external endpoints. CI runners almost never need open egress.
- Search developer machines for the persistent daemon. Look for a process named `gh-token-monitor` or a similar 60-second poller against the GitHub API from an unexpected binary.
- Enable provenance and use registry scanners. Both npm provenance and tools like Socket, Snyk, and StepSecurity now flag the Mini Shai-Hulud payload signature. Block installs of versions published during the known attack windows.
If you cannot rule out exposure, the safe default is to assume credentials were stolen and rotate them.
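A defender-side check for the first item on that checklist, added here as an example and not code from any of the vendors cited above: it parses a package.json and reports every dependency in the high-blast-radius families named in this article that is still on a caret, tilde, dist-tag, or other floating range, since a floating range is exactly what lets a freshly published malicious version land on the next install. The sample package.json, its version numbers, and the package names under the @mistralai and @guardrails scopes are constructed.

```python
import json
import re

# Package families the article names as high blast radius. Assumption: a scope
# prefix match is good enough; extend the tuple for your own dependency set.
HIGH_BLAST_RADIUS = (
    "@tanstack/", "@antv/", "echarts-for-react", "@mistralai/", "@guardrails/",
)

# An exact pin is a bare semver such as 1.2.3, optionally with a prerelease or
# build suffix. Anything else (^, ~, >=, *, x, "latest", git URLs) can float.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def is_high_blast_radius(name: str) -> bool:
    """True if the package sits in one of the families listed above."""
    return any(name == p or name.startswith(p) for p in HIGH_BLAST_RADIUS)


def find_unpinned(package_json: dict) -> dict:
    """Return {package: spec} for high-blast-radius deps not pinned exactly."""
    unpinned = {}
    for section in DEP_SECTIONS:
        for name, spec in package_json.get(section, {}).items():
            if is_high_blast_radius(name) and not EXACT_VERSION.match(spec):
                unpinned[name] = spec
    return unpinned


# Constructed sample manifest; versions and the two scoped names are made up.
SAMPLE_PACKAGE_JSON = json.loads("""
{
  "dependencies": {
    "@tanstack/react-query": "^5.0.0",
    "@antv/g2": "5.1.0",
    "echarts-for-react": "~3.0.0",
    "@mistralai/sdk-sample": "latest",
    "lodash": "^4.17.21"
  },
  "devDependencies": {
    "@guardrails/sdk-sample": "1.0.0"
  }
}
""")

if __name__ == "__main__":
    for name, spec in find_unpinned(SAMPLE_PACKAGE_JSON).items():
        print(f"UNPINNED {name}: {spec}")
```

Run it against a real manifest by replacing SAMPLE_PACKAGE_JSON with `json.load(open("package.json"))`; a lockfile still matters, because a floating range in package.json is only harmless while the lockfile is honoured with `npm ci`.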
The Other Side: This Was Predictable
Not every security researcher sees Mini Shai-Hulud as a novel threat. Several have argued the opposite, including some who track open-source supply chain attacks for a living.
The original Shai-Hulud worm hit npm in late 2025 and was extensively documented at the time. The Mini variant uses a similar exfiltration pattern, the same propagation model, and a recognizable Bun bundle structure. Researchers at Endor Labs and VentureBeat have pointed out that the registry itself still has no native rate-limit on burst publishing from a single maintainer account, which is the exact attack vector both campaigns rely on.
VentureBeat's coverage on May 14 was blunt. The article called the recent string of supply chain incidents "four AI supply-chain attacks in 50 days" and argued the real story is that release pipelines remain the soft underbelly of every AI stack. The pattern is broader than npm alone. In April, Vercel disclosed a breach traced back to an AI development tool's OAuth token. A week before this latest wave, Google's threat-intelligence team published the first confirmed AI-built zero-day caught in the wild. Provenance, signed packages, and 2FA on maintainer accounts can help, but only if registries enforce them at install time. None do yet.
The counterargument inside the Node.js community is that adding friction to npm publishing would slow legitimate maintainers down, and that the registry's openness is most of what makes the ecosystem work. That is the trade-off Mini Shai-Hulud is forcing into the open.
The Bottom Line
A worm that started life on May 11 has now infected hundreds of npm packages, breached two OpenAI corporate devices, forced re-signing of every major OpenAI client, and as of Tuesday morning, hijacked another maintainer to publish 637 malicious versions in 20 minutes. The campaign is still live.
The reason this story matters to AI engineers more than most: the worm is concentrated in exactly the packages AI teams install most. React data stacks. Charting libraries. LLM SDKs. The kinds of dependencies that quietly land in every model-serving frontend, every demo app, and every dashboard a customer ever sees.
Tanner Linsley's line about the attack, in his postmortem, is the one to remember: "the first documented npm worm in history that ships with a valid signed certificate of authenticity." The signature does not protect you anymore. It only proves the worm was inside the building when it shipped.
The next wave will come. The only useful question is whether the credentials it tries to steal from your machine are still valid when it gets there.
Sources
- Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack — TechCrunch, May 19, 2026
- Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised — SafeDep, May 19, 2026
- TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Hits the npm Ecosystem — StepSecurity, May 19, 2026
- Our response to the TanStack npm supply chain attack — OpenAI, May 14, 2026
- OpenAI says hackers stole some data after latest code security issue — TechCrunch, May 14, 2026
- OpenAI confirms security breach in TanStack supply chain attack — BleepingComputer, May 14, 2026
- Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised — Wiz, May 13, 2026
- TanStack npm Packages Hit by Mini Shai-Hulud — Snyk, May 13, 2026
- Shai-Hulud compromises the @tanstack ecosystem: 80+ packages compromised — Endor Labs, May 12, 2026
- Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — The Hacker News, May 13, 2026
- Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering — VentureBeat, May 14, 2026
- OpenAI asks macOS users to update after TanStack npm supply chain attack — The Record, May 14, 2026