Provenance Is Not Authorization: The Shai-Hulud Worm Exposes the Fatal Gap in Software Supply Chain Security

The Mini Shai-Hulud worm is not just another supply chain attack. It is the first widely reported malware to publish packages with valid SLSA Build Level 3 provenance attestations. Between May 11 and May 12, 2026, the worm compromised 172 npm and PyPI packages across 403 malicious versions, affecting an estimated 518 million cumulative downloads. The attack chain exploited a gap that the security industry has largely ignored: OIDC scope configuration, not signing, is the actual control that matters.

“TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway,” said Peyton Kennedy, senior security researcher at Endor Labs. The worm’s ability to bypass these controls signals a structural shift in how supply chain attacks will be executed going forward. For executives, the implication is stark: your current security investments in provenance and signing are necessary but not sufficient.

The Attack Chain: How a Forked PR Became a Signed Worm

On May 10, the attacker forked TanStack/router under the name zblgg/configuration. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack’s runner. The attacker poisoned the GitHub Actions cache. When a legitimate maintainer merged to main, the release workflow restored the poisoned cache. Attacker binaries read /proc/pid/mem, extracted the OIDC token, and POSTed directly to registry.npmjs.org. Tests failed. Publish was skipped. 84 signed packages still reached the registry.

“Each vulnerability bridges the trust boundary the others assumed,” the TanStack postmortem states. The worm then spread to PyPI within hours, targeting Mistral AI’s SDK and other high-value packages. Microsoft Threat Intelligence confirmed that the mistralai PyPI package v2.4.6 executes on import, not install, downloading a payload disguised as Hugging Face Transformers.

Why This Attack Is Different: AI Agents as Trusted Execution Environments

The worm’s payload is notable for its targeting of AI coding agents. It writes persistence into .claude/ and .vscode/ directories, hooking Claude Code’s SessionStart config and VS Code’s folder-open task runner. This means the worm re-executes every time a developer opens a project, even after the npm package is removed. “The attacker treated the AI coding agent as part of the trusted execution environment, which it is,” Kennedy said.

This is an early but confirmed instance of supply-chain malware treating AI agent configurations as high-value credential targets. The worm harvests Claude and Kiro MCP server configurations, which store API keys and auth tokens for external services. For enterprises deploying AI coding assistants, this creates a new attack surface that traditional security tools do not cover.

Winners and Losers

Winners: Security vendors like Socket, Wiz, and StepSecurity, whose behavioral analysis tools flagged the malicious packages within minutes. Their visibility and credibility have surged, driving demand for runtime detection over static provenance checks. Microsoft Threat Intelligence also gains from demonstrating advanced threat hunting capabilities.

Losers: TanStack suffers brand and trust damage as their packages were the initial vector. Affected downstream users, including UiPath, OpenSearch, and Guardrails AI, face credential theft, potential data loss, and cleanup costs. npm and PyPI registries are exposed as lacking real-time verification of provenance attestations against actual build events.

Second-Order Effects: The Open-Sourcing of the Worm

Late on May 12, vx-underground reported that the fully weaponized Shai-Hulud worm code has been open-sourced. If confirmed, this means the attack is no longer limited to TeamPCP. Any threat actor can now deploy the same cache-poisoning, OIDC-extraction, and provenance-attested publishing chain against any npm or PyPI package with a misconfigured CI/CD pipeline. The barrier to entry for sophisticated supply chain attacks just dropped to zero.

This will likely trigger a wave of copycat attacks targeting other ecosystems, including RubyGems, Go modules, and Maven. The security industry must respond by shifting focus from provenance verification to behavioral analysis and CI/CD pipeline hardening.

Market and Industry Impact

Package registries will likely mandate hardware-backed signing, short-lived tokens, and real-time provenance attestation verification. Supply chain security moves from optional to mandatory, with increased regulation and insurance requirements. Companies will need to audit every GitHub Actions workflow against the six gaps identified in the CI/CD Trust-Chain Audit Grid. The cost of compliance will rise, but the cost of non-compliance is now catastrophic.

Executive Action: What to Do Now

  • Today: Run the detection commands: find . -name 'router_init.js' -size +1M and grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json. If either returns a hit, isolate and image the machine immediately. Do not revoke tokens until the host is forensically preserved.
  • This week: Rotate every credential accessible from affected hosts. Check your packages for unexpected versions after May 11 with commits by claude@users.noreply.github.com. Block filev2.getsession.org and git-tanstack.com.
  • This month: Audit every GitHub Actions workflow against the six gaps. Pin OIDC publishing to specific workflows on protected branches. Isolate cache keys per trust boundary. Run npm config set min-release-age=7d.
  • This quarter: Fund behavioral analysis at the package registry layer. Require CI/CD security audits as part of vendor risk assessments. Treat AI coding agent configurations as credential stores subject to the same access controls as cloud key vaults.
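The "Today" step above, wrapped in one checkable script as an added example (not from the article or TanStack's tooling): it runs both detection commands the article quotes and, as this example's own heuristic, lists the .claude/ SessionStart and .vscode/ folder-open hook files the payload is described as using. Those hook matches are review items, since legitimate projects use the same mechanisms; only the two article indicators count as hits.

```shell
#!/bin/sh
# Added example, not code from the article or from TanStack.
# Hard indicators (HIT) are the two quoted in the article; the hook scan
# (REVIEW) is this example's assumption and also matches benign repos.

# Indicators quoted in the article
IOC_COMMIT='79ac49eedf774dd4b0cfa308722bc463cfe5885c'
IOC_FILE='router_init.js'

# scan_tree DIR: prints findings; returns 1 if any hard indicator is found, else 0
scan_tree() {
  dir=$1
  found=0

  # 1. Oversized loader: the article's heuristic is router_init.js over 1 MiB
  big=$(find "$dir" -type f -name "$IOC_FILE" -size +1M 2>/dev/null || true)
  if [ -n "$big" ]; then
    echo "HIT oversized $IOC_FILE:"; echo "$big"; found=1
  fi

  # 2. Known malicious commit hash referenced from any package-lock.json
  locks=$(find "$dir" -type f -name package-lock.json \
            -exec grep -l "$IOC_COMMIT" {} + 2>/dev/null || true)
  if [ -n "$locks" ]; then
    echo "HIT commit $IOC_COMMIT referenced in:"; echo "$locks"; found=1
  fi

  # 3. Auto-run hooks that survive removal of the npm package (review only):
  #    Claude Code SessionStart hooks and VS Code folderOpen tasks
  hooks=$( { find "$dir" -path '*/.claude/*' -name '*.json' \
               -exec grep -l SessionStart {} + 2>/dev/null;
             find "$dir" -path '*/.vscode/tasks.json' \
               -exec grep -l folderOpen {} + 2>/dev/null; } || true)
  if [ -n "$hooks" ]; then
    echo "REVIEW auto-run hooks (inspect the commands they launch):"; echo "$hooks"
  fi

  return $found
}

# Usage: scan_tree /path/to/checkout; a non-zero exit means isolate and image
# the host before revoking any tokens, as the article advises.
```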

Source: VentureBeat

Intelligence FAQ

Provenance attests where a package was built, not whether the build was authorized. The worm achieved code execution inside the legitimate release workflow via cache poisoning, then extracted the OIDC token from runner process memory. All 84 malicious TanStack versions carried valid SLSA Build Level 3 attestations.

Run the detection commands immediately: find . -name 'router_init.js' -size +1M and grep for the known commit hash. If compromised, isolate and image the machine before revoking any tokens to avoid triggering the destructive daemon.