On May 11, 2026, threat group TeamPCP launched the most devastating npm supply chain attack recorded this year. By hijacking GitHub Actions runners mid-workflow, the attackers published 401 malicious package versions across 170+ npm and PyPI packages — including TanStack (12.7 million weekly downloads), Mistral AI, UiPath, Guardrails AI, and the OpenSearch JavaScript client. The self-propagating worm, dubbed Mini Shai-Hulud, stole CI/CD credentials, cloud tokens, and cryptocurrency wallet keys before any maintainer noticed.
How TeamPCP Hijacked Trusted Pipelines
Unlike traditional typosquatting or dependency confusion attacks, TeamPCP exploited a fundamental trust assumption in modern CI/CD: that code published through a project's own release pipeline is safe. The attackers targeted repositories using the pull_request_target GitHub Actions trigger, which runs workflow code in the context of the base branch with full write permissions. By submitting a crafted pull request to TanStack's router repository from the compromised GitHub account voicproducoes, the attacker injected code that executed during the CI build.
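A defensive audit for the workflow pattern described above, as an added example that is not part of the original article or of any affected project's tooling: it flags workflows that use pull_request_target and also check out the pull request's head ref. It is a line-based heuristic, and the sample workflows are constructed.

```python
import re

# Heuristic, line-based audit of a GitHub Actions workflow (no YAML library needed).
HEAD_REF = re.compile(
    r"\bref:\s*.*(github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.head_ref|refs/pull/)")


def uses_trigger(lines):
    """True if pull_request_target appears inside the top-level `on:` block."""
    in_on = False
    for line in lines:
        if re.match(r"""["']?on["']?\s*:""", line):
            in_on = True
        elif line and not line[0].isspace():
            in_on = False  # another top-level key ends the `on:` block
        if in_on and re.search(r"\bpull_request_target\b", line):
            return True
    return False


def audit_workflow(text):
    """Return [(line_no, message)]; line 0 means a file-level finding."""
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]
    if not uses_trigger(lines):
        return []
    findings = [(n, "checks out the PR head ref in a privileged run")
                for n, l in enumerate(lines, 1) if HEAD_REF.search(l)]
    if not any(re.match(r"permissions\s*:", l) for l in lines):
        findings.append((0, "no top-level permissions block"))
    return findings or [(0, "pull_request_target in use; review manually")]


# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
SAFER = RISKY.replace("pull_request_target", "pull_request")

if __name__ == "__main__":
    for name, wf in (("RISKY", RISKY), ("SAFER", SAFER)):
        print(name, audit_workflow(wf))
```

Job-level permissions blocks and reusable workflows are not inspected, so treat a clean result as a first pass rather than a clearance.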
Once inside the runner, the payload performed GitHub Actions cache poisoning and extracted OIDC tokens directly from the runner process memory. These tokens — normally used for secure, keyless publishing — gave TeamPCP the ability to push packages to npm under TanStack's legitimate identity. Between 19:20 and 19:26 UTC on May 11, 84 malicious artifacts landed in the @tanstack namespace. Because the packages carried valid SLSA provenance attestations, automated verification tools flagged nothing unusual. This marks the first documented case of a malicious npm package carrying valid SLSA provenance.
The Credential Stealer: A 2.3 MB Destructive Payload
Each compromised package contained an obfuscated 2.3 MB JavaScript file that, once deobfuscated, revealed a multi-stage credential stealer with persistence, exfiltration, and self-destruction capabilities. The malware profiled the execution environment and then systematically harvested tokens and secrets from AWS, Azure, and GCP credential stores, cryptocurrency wallets including MetaMask and Phantom, password managers such as 1Password and Bitwarden, messaging applications, and CI/CD environment variables containing GitHub, GitLab, and npm tokens.
On developer machines, the stealer installed a persistent gh-token-monitor daemon that polled GitHub every 60 seconds. If it detected token revocation (a 40X HTTP error), the daemon attempted to execute rm -rf ~/. — a destructive wipe of the user's home directory. The daemon self-terminated after 24 hours, but the damage window was more than sufficient. Stolen tokens were exfiltrated to attacker infrastructure and immediately used to propagate the worm to additional package repositories, creating a cascading chain of compromise across Mistral AI's PyPI packages, 65 UiPath packages, and dozens of other ecosystems within hours.
Scale of Compromise: 518 Million Cumulative Downloads at Risk
According to OX Security's analysis, the incident affected over 170 packages spanning both npm and PyPI, with a combined 518 million cumulative downloads. TanStack's React Router alone accounts for 12.7 million weekly downloads, meaning thousands of CI/CD pipelines, production builds, and developer environments ingested compromised code before the attack was detected. Orca Security, Socket, Snyk, and Wiz all published independent analyses confirming the scope. The attack was contained within approximately five hours after StepSecurity's Harden-Runner detected anomalous outbound network calls from GitHub Actions runners and alerted TanStack maintainers.
Impact on Saudi Financial Institutions
Saudi banks, fintechs, and insurance companies running JavaScript or Python applications face direct exposure. SAMA's Cyber Security Common Controls (CSCC) mandate software supply chain integrity under Domain 3 (Technology Operations and Communications Management), requiring institutions to maintain inventories of third-party components and validate their integrity before deployment. The NCA Essential Cybersecurity Controls (ECC) reinforce this through controls on secure software development and third-party risk management.
The Mini Shai-Hulud attack specifically exploits the trust chain that many Saudi financial institutions rely on: automated CI/CD pipelines pulling packages from public registries. If any production or staging environment installed a compromised version of @tanstack/react-router, @tanstack/query, or any of the 170+ affected packages between May 11 and May 12, that environment must be treated as compromised. Credentials stored in environment variables, cloud provider tokens, and service account keys should be rotated immediately. Under PDPL (Personal Data Protection Law), if the stolen credentials provided access to customer data, the institution faces mandatory breach notification obligations.
Recommendations and Immediate Actions
- Audit your lockfiles now. Check package-lock.json and yarn.lock for any @tanstack, @uipath, @mistralai, or opensearch-js packages published between May 10–12, 2026. Pin to known-good versions and regenerate lockfiles from trusted sources.
- Rotate all CI/CD secrets. Any GitHub token, npm token, AWS/Azure/GCP credential, or API key present in a CI runner that executed a build with compromised dependencies must be revoked and reissued. Do not wait — TeamPCP's worm weaponizes stolen tokens within minutes.
- Deploy runtime monitoring on GitHub Actions. Tools like StepSecurity Harden-Runner detect anomalous outbound network connections from CI runners. This is what caught Mini Shai-Hulud. Mandate this for all repositories publishing packages or deploying to production.
- Enforce package provenance verification beyond SLSA. SLSA provenance alone was insufficient here because the attacker published through the legitimate pipeline. Supplement with reproducible builds, binary transparency logs, and multi-party approval for package publishing.
- Restrict pull_request_target usage. Audit all GitHub Actions workflows for pull_request_target triggers, which grant write permissions to fork-submitted code. Replace with pull_request where possible, and add explicit checkout restrictions where it is necessary.
- Implement Software Bill of Materials (SBOM). SAMA CSCC and NCA ECC both emphasize third-party component tracking. Generate SBOMs for every release and cross-reference against vulnerability databases and compromise advisories in real time.
- Review PDPL notification obligations. If compromised credentials had access to personal data of Saudi residents, consult legal counsel on whether breach notification to SDAIA is required under the Personal Data Protection Law.
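One way to carry out the lockfile audit from the first recommendation, as an added example that is not from the original article: it walks an npm v2/v3 package-lock.json and flags watched packages whose locked version was published inside the May 10–12 window. The publish-time map is assumed to come from the `time` object in npm registry metadata; the sample lockfile, versions, timestamps and the @uipath package name are constructed.

```python
import json
from datetime import datetime, timezone

# Name prefixes as given in the article; align with the advisory's package list.
WATCHED = ("@tanstack/", "@uipath/", "@mistralai/", "opensearch-js")
# Publication window from the article: May 10-12, 2026 (UTC, end exclusive).
START = datetime(2026, 5, 10, tzinfo=timezone.utc)
END = datetime(2026, 5, 13, tzinfo=timezone.utc)


def locked_packages(lock):
    """Yield (name, version) from an npm lockfile v2/v3 `packages` map."""
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project
            yield path.rsplit("node_modules/", 1)[-1], meta["version"]


def audit(lock, publish_times):
    """Flag watched packages whose locked version was published in the window.

    publish_times: {name: {version: ISO-8601 time}}. A version with no known
    publish time is reported as "unknown" rather than silently passed.
    """
    findings = []
    for name, version in locked_packages(lock):
        if not name.startswith(WATCHED):
            continue
        stamp = publish_times.get(name, {}).get(version)
        if stamp is None:
            findings.append((name, version, "unknown"))
        elif START <= datetime.fromisoformat(stamp.replace("Z", "+00:00")) < END:
            findings.append((name, version, "in-window"))
    return findings


# Constructed sample data: versions, timestamps and @uipath name are illustrative.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/@tanstack/react-router": {"version": "0.0.2"},
  "node_modules/ui/node_modules/@tanstack/query": {"version": "0.0.1"},
  "node_modules/@uipath/example-pkg": {"version": "0.0.3"},
  "node_modules/left-pad": {"version": "1.3.0"}}}""")
SAMPLE_TIMES = {
    "@tanstack/react-router": {"0.0.2": "2026-05-11T19:22:00.000Z"},
    "@tanstack/query": {"0.0.1": "2026-04-02T10:00:00.000Z"},
}

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK, SAMPLE_TIMES))
```

Nested node_modules entries are included because a transitive copy of an affected package executes install scripts just like a direct dependency.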
Conclusion
The Mini Shai-Hulud campaign demonstrates that software supply chain attacks have evolved beyond simple package takeovers. TeamPCP exploited the very mechanisms designed to ensure trust — OIDC tokens, SLSA provenance, and automated release pipelines — turning them into attack vectors. For Saudi financial institutions, this is a direct challenge to SAMA CSCC and NCA ECC compliance: if your CI/CD pipeline blindly trusts public registries, your software integrity controls have a gap that threat actors are actively exploiting.
Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a full review of your software supply chain security posture.