What started as a TanStack npm compromise on May 11 has expanded into one of the most consequential developer supply chain campaigns on record — and now, with the attacker group having open-sourced the worm and launched a BreachForums contest for copycat attacks, the threat has moved from a contained incident to a proliferation problem.
How the Campaign Unfolded
TeamPCP (also tracked as UNC6780) launched the first wave of Mini Shai-Hulud on May 11, exploiting a three-step GitHub Actions vulnerability chain to publish malicious versions of 42 @tanstack/* packages to npm under TanStack’s legitimate identity. The attack required no stolen npm credentials — instead, the attacker exploited a pull_request_target workflow misconfiguration to run attacker-controlled code inside a trusted Actions context, poisoned the build cache, and extracted OIDC tokens directly from the runner’s process memory to publish as TanStack.
CISA catalogued both the TanStack compromise (CVE-2026-45321, CVSS 9.6) and the subsequent Nx Console VS Code extension backdoor (CVE-2026-48027, CVSS 9.8) in its Known Exploited Vulnerabilities catalog on 27 May, with a June 10 remediation deadline. A third CVE for the DAEMON Tools Lite installer backdoor (CVE-2026-8398) was added the same day with an expedited deadline of 30 May.
By May 19, TeamPCP had pivoted to the @antv namespace — the JavaScript visualisation library family behind Apache ECharts — compromising 323 packages and 645 malicious artifacts reaching an estimated 16 million combined weekly downloads. The Nx Console VS Code extension (v18.95.0), published during an 18–36 minute window, then served as the vector for breaching GitHub’s internal development environment: approximately 3,800 internal repositories were exfiltrated between May 19 and 20.
Victim Profile Expansion
The confirmed victim list has grown significantly beyond the initial TanStack disclosure. OpenAI has confirmed that two employee developer devices were compromised in the May 11 TanStack wave, with credentials exfiltrated before the malicious packages were removed from the registry. Mistral AI confirmed one developer device was affected and disclosed an active extortion demand of $25,000 from TeamPCP. Grafana Labs also attributed a breach to the campaign. GitHub has begun notifying affected internal stakeholders.
The malware’s credential sweep targets 130 file paths, including SSH keys, AWS and Azure credentials, Kubernetes kubeconfigs, Vault tokens, npm publish tokens, GitHub tokens, browser keystores — and notably, Claude Code and VS Code configuration directories. The targeting of AI infrastructure credentials suggests TeamPCP assessed the AI sector as a high-value secondary pivot opportunity.
The Open-Source Escalation
The most significant development for defenders came on May 12, one day after the initial TanStack wave: TeamPCP published the full Shai-Hulud worm source code on GitHub under an MIT licence. The release included operational guidance for customising encryption keys and C2 infrastructure, explicitly framed as enabling others to run independent campaigns. Simultaneously, the group launched a $1,000 BreachForums contest for the largest supply chain attack executed using the code.
GitHub removed the repository, but the code had already been forked extensively and distributed across alternative platforms. The operational release transforms a targeted threat actor capability into open infrastructure — a pattern previously observed with leaked ransomware builders (Babuk, LockBit 3.0) that reliably produces secondary campaigns within weeks.
No standard CVE will be issued for the @antv registry compromise. Software Composition Analysis tools that rely on known-vulnerable-version databases will produce no alert for packages infected via account compromise rather than code vulnerability injection.
Sector Implications
Communications and AI sector: The direct compromise of developer devices at OpenAI and Mistral AI, combined with the targeting of AI tool credential paths, represents an intentional escalation into AI infrastructure. Organisations deploying LLM APIs in production pipelines should audit whether any CI/CD environments ran affected npm packages during May 11–19 and treat any environment that did as fully compromised.
Finance and cloud-native operations: The credential sweep covers cloud access keys comprehensively. Any financial services organisation using @tanstack or @antv packages in development or build pipelines faces potential exposure of cloud infrastructure credentials, with downstream risk ranging from data exfiltration to ransomware deployment in cloud environments.
Critical infrastructure (developer tooling): The open-sourcing of the worm represents the most significant systemic risk. TeamPCP’s campaign demonstrated a replicable playbook — GitHub Actions misconfiguration → cache poisoning → OIDC token extraction → trusted npm publication — that has now been documented and distributed. Expect derivative campaigns targeting additional ecosystems (PyPI, Go modules, NuGet) in the coming weeks.
Recommended Actions
- Audit CI/CD pipeline dependency history: Identify any
@tanstack/*or@antv/*packages installed between May 11 and 19. Any environment that installed these packages should be treated as fully compromised and all credentials rotated. - Remediate GitHub Actions misconfigurations: Remove
pull_request_targettriggers from workflows with access to secrets or OIDC tokens. Apply minimum-privilegepermissionsdeclarations to all workflow jobs. Implement runtime monitoring (StepSecurity harden-runner or equivalent). - Apply CISA KEV deadlines: CVE-2026-48027 and CVE-2026-45321 require remediation by June 10; CVE-2026-8398 requires remediation by May 30.
- Monitor for post-compromise persistence: The worm drops a Python-based backdoor polling GitHub for signed C2 messages. Endpoint detection should flag
~/.local/share/kitty/cat.pyand anomalous Python processes polling external GitHub repositories. - Block known C2 infrastructure:
t.m-kosche.comis confirmed C2. The attacker also uses GitHub’s own API as a dead-drop through theantvis/G2repository.