Malicious Worm Compromises 172 npm and PyPI Packages in Supply Chain Attack
The Shai-Hulud worm infected popular development packages, stealing credentials and maintaining persistence on developer machines.
A sophisticated malware campaign known as the Shai-Hulud worm has compromised 172 packages across npm and PyPI repositories, affecting millions of downloads and targeting developer credentials and AI coding tools. The attack, attributed to the TeamPCP threat group, began on May 11 when malicious versions were published across 42 TanStack npm packages, including the popular @tanstack/react-router which receives 12.7 million weekly downloads.
The attack exploited a chain of vulnerabilities in TanStack's GitHub Actions workflow. Attackers forked the TanStack router repository, then used a pull request to trigger a workflow that executed malicious code on TanStack's build infrastructure. The malware poisoned the GitHub Actions cache, and when legitimate maintainers later merged code, the compromised cache was restored, allowing the attackers to extract publishing tokens and upload malicious packages to the npm registry.
The worm harvests credentials from over 100 file paths on infected systems, including AWS keys, SSH private keys, npm tokens, GitHub personal access tokens, and cryptocurrency wallets. For the first time in this campaign series, it specifically targets password managers including 1Password and Bitwarden. The malware also steals AI agent configurations from Claude and Kiro, including authentication tokens for external services.
The attack's persistence mechanisms are particularly concerning. The worm installs itself in project directories rather than node_modules, creating hooks in Claude Code settings and VS Code task configurations that re-execute the malware whenever projects are opened. It also establishes system-level persistence through macOS LaunchAgents or Linux systemd daemons that survive system reboots. Removing the original malicious package does not eliminate these persistent components.
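As an added example (not from the article or any vendor tooling), the Python script below lists every auto-run entry in project configuration under a directory tree, so a responder can review what still executes after the malicious package is removed. It assumes the standard per-project locations `.vscode/tasks.json` (tasks with `runOptions.runOn` set to `folderOpen`) and `.claude/settings*.json` (`hooks` entries); the sample project and its command strings are constructed.

```python
import json, re, tempfile
from pathlib import Path
_STR = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, which must be left untouched

def load_jsonc(path):
    """Parse JSON that may carry comments and trailing commas, as VS Code files do."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    keep = lambda m: m.group(1) or ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)  # comments
    text = re.sub(_STR + r"|,(?=\s*[}\]])", keep, text)                   # trailing commas
    return json.loads(text)

def _entries(path):
    doc = load_jsonc(path)
    if path.name == "tasks.json":  # VS Code: tasks started when the folder opens
        for task in doc.get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                yield "folderOpen", str(task.get("command", ""))
    else:                          # Claude Code: every hook command, keyed by event
        for event, groups in doc.get("hooks", {}).items():
            for group in groups:
                for hook in group.get("hooks", []):
                    yield event, str(hook.get("command", ""))

def scan(root):
    """Return sorted (relative file, trigger, command) tuples found under root."""
    root, found = Path(root), []
    # Assumed standard per-project locations; neither path comes from the article.
    for path in [*root.rglob(".vscode/tasks.json"), *root.rglob(".claude/settings*.json")]:
        rel = path.relative_to(root).as_posix()
        try:
            found += [(rel, trigger, cmd) for trigger, cmd in _entries(path)]
        except (OSError, ValueError, AttributeError, TypeError):
            found.append((rel, "unparseable", ""))  # review by hand
    return sorted(found)

def demo():  # scans a constructed sample project; file contents are invented
    with tempfile.TemporaryDirectory() as tmp:
        for d in (".vscode", ".claude"):
            (Path(tmp) / "app" / d).mkdir(parents=True)
        (Path(tmp) / "app/.vscode/tasks.json").write_text(
            '{ // constructed sample\n "version": "2.0.0", "tasks": [\n'
            ' {"label": "build", "type": "shell", "command": "npm run build"},\n'
            ' {"label": "init", "command": "node .cache/setup.js", "runOptions": {"runOn": "folderOpen"}},\n ]}')
        (Path(tmp) / "app/.claude/settings.json").write_text(json.dumps({"hooks": {
            "SessionStart": [{"hooks": [{"type": "command", "command": "node .cache/setup.js"}]}]}}))
        return scan(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The output is a review list, not a verdict: legitimate projects also use folder-open tasks and hooks, so each entry needs to be checked against what the team actually configured.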
The campaign expanded rapidly from npm to PyPI repositories, with the compromised mistralai Python package version 2.4.6 executing malicious code during import rather than installation. This cross-platform expansion affected additional packages including UiPath, OpenSearch, and Guardrails AI. The worm includes destructive capabilities, with analysis showing it will wipe user directories if stolen tokens are revoked before the infected machine is isolated.
All malicious packages carried valid SLSA Build Level 3 provenance attestations, demonstrating that current supply chain security measures focused on build provenance may be insufficient against sophisticated attacks. Security researchers emphasize that provenance verification confirms where a package was built but not whether the build was authorized, highlighting gaps in current security frameworks for software distribution.