Massive Supply Chain Worm Targets npm and PyPI: Over 500M Downloads Affected

A devastating supply chain attack has compromised over 172 npm and PyPI packages, affecting an estimated 518 million cumulative downloads, security researchers reported today. The worm, dubbed Mini Shai-Hulud, steals credentials from developers' machines and CI systems, persisting even after package removal.

According to Mend's tracking, the campaign began May 11 with 84 malicious versions across 42 @tanstack/* npm packages, then ballooned to 403 malicious versions across 172 packages within 48 hours. The worm harvests credentials from over 100 file paths, including AWS keys, SSH private keys, GitHub tokens, and cryptocurrency wallets.

For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, SecurityWeek reports. It also steals configuration from Claude and Kiro AI agents, including MCP server auth tokens for every external service.

The Persistence Mechanism

The worm does not leave when the malicious package is removed. It installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen), re-executing every project open. It also creates a system daemon (macOS LaunchAgent or Linux systemd) that survives reboots.

On CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones, on Linux-based runners. Wiz's analysis found a destructive daemon that wipes the home directory if tokens are revoked before machine isolation.

"TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway," Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat. "What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA."

Background: The Orphaned Commit Attack

TanStack's postmortem details the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving code execution on TanStack's runner.

The attacker then poisoned the GitHub Actions cache to push malicious versions. All malicious packages carried valid SLSA Build Level 3 provenance attestations, which were real because the attacker had legitimate publish tokens via the compromised workflow.

The vulnerability, CVE-2026-45321 (CVSS 9.6), was chained with two others to create the worm. OX Security reported the 518 million cumulative downloads figure as an upper bound of affected packages.

What This Means for Enterprises

Any development environment that installed or imported one of the 172 compromised packages since May 11 should be treated as potentially compromised. The worm's persistence and memory-reading capabilities mean that simply revoking credentials is not enough.

Organizations must isolate affected machines, rotate all credentials from a clean system, and review CI/CD pipeline access scopes. The attack demonstrates that OIDC scope—not provenance or 2FA—is the critical control for publish pipelines.

"If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch association is enough to get a valid publish token," Kennedy added. "That's a one-line configuration fix."

Security teams should immediately audit all npm and PyPI dependencies installed after May 11, check for persistence artifacts in project configurations and system daemons, and monitor for unauthorized token usage. The worm's ability to steal AI agent configurations also poses new risks for enterprises using AI assistants.