Mini Shai‑Hulud was a May 2026 supply‑chain worm that hijacked GitHub Actions pipelines to publish malicious versions of 42 TanStack npm packages (84 versions), eventually spreading to 170+ packages across npm and PyPI. The attack used legitimate release pipelines and stolen OIDC credentials to publish malware that...
Mini Shai‑Hulud spread through trusted npm and PyPI packages by abusing automated release pipelines.
The Mini Shai‑Hulud incident in May 2026 became one of the largest modern supply‑chain attacks targeting open‑source developer ecosystems. The campaign compromised widely used npm packages in the TanStack ecosystem and spread across multiple projects on npm and PyPI. During the investigation, OpenAI confirmed that two employee devices were affected, although the company said it found no evidence that customer data was accessed.
The attack demonstrated how modern developer pipelines—especially automated CI/CD publishing—can be abused to distribute malware through trusted software packages.
What Mini Shai‑Hulud Was
Mini Shai‑Hulud is a self‑spreading supply‑chain worm attributed to the threat group TeamPCP. Instead of stealing individual maintainer credentials, the attackers targeted automated release pipelines used by open‑source projects.
In the most visible wave of the campaign on May 11–12, 2026, attackers managed to:
Use compromised OIDC identities to generate valid publishing tokens
Release malicious versions of legitimate packages directly to registries
Because the malware was published through official pipelines, the packages appeared legitimate and even carried valid build provenance attestations, making them difficult for automated security checks to detect.
One of the largest targets was the TanStack ecosystem, which includes popular JavaScript libraries used in many web applications.
Within minutes, attackers published 84 malicious versions across 42 @tanstack/* npm packages through the project's legitimate release pipeline.
Installing these versions triggered malicious code during npm lifecycle hooks that downloaded and executed a credential‑stealing payload.
Security researchers later reported that the campaign expanded rapidly:
170+ packages across npm and PyPI were affected
403 malicious package versions were identified during the largest wave
Ecosystems linked to UiPath, Mistral AI, OpenSearch, and Guardrails AI were also impacted
This made Mini Shai‑Hulud one of the most widespread open‑source supply‑chain compromises of 2026.
How the Malware Worked
The malicious packages used standard package‑manager hooks (such as preinstall) to execute code when developers installed them.
Once executed, the malware attempted to collect developer credentials from the infected system. Researchers observed it targeting:
GitHub personal access tokens
npm publishing tokens
Cloud provider credentials (AWS, Azure, GCP)
Kubernetes secrets
HashiCorp Vault tokens
CI/CD environment variables
SSH keys and developer configuration files
These credentials could then be used to compromise additional repositories and publish more infected packages, allowing the worm to propagate through developer infrastructure automatically.
How Two OpenAI Employee Devices Were Affected
During the broader campaign, malicious TanStack npm packages were installed on two OpenAI employee devices within the company’s corporate environment.
OpenAI said the attackers gained unauthorized access to those systems and carried out credential‑focused exfiltration. However, the company reported that its investigation found:
No evidence that customer data was accessed
Only limited credential material was exposed
Public reporting does not provide the exact infection chain or identify which specific TanStack package versions triggered the compromise.
Why OpenAI Rotated macOS App Certificates
Following the incident, OpenAI updated its guidance for organizations that allowlist OpenAI macOS applications.
The company confirmed that the Apple Developer signing identity used by its macOS apps changed as part of its response, requiring some enterprise security policies to be updated.
Important details for administrators:
The Apple Developer Team ID remains the same: 2DC432GLL2
Allowlisting by Team ID may still work without changes
Policies that verify certificate fingerprints or signing organization names may need updating
Organizations using macOS application allowlisting should verify they trust the current OpenAI signing identity rather than older certificates.
Wider Impact on npm and PyPI
The attack highlighted a broader risk in modern software development: automated package publishing pipelines can become attack surfaces.
Unlike traditional supply‑chain compromises that steal maintainer credentials, Mini Shai‑Hulud exploited:
CI/CD automation
Trusted publishing identities
Package registry trust models
Because of this design, malicious releases could appear legitimate and spread quickly across ecosystems.
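One way to check how tightly the OIDC publishing permission is scoped in a release workflow, as an added example that is not from the original article or any affected project. The article does not describe how the pipelines were hijacked; the two rules checked here (job-level `id-token: write`, no `pull_request_target` or `workflow_run` trigger on an OIDC-capable workflow) are common hardening assumptions, and both workflows are constructed.

```javascript
// Added example (not project code): line-based heuristic, not a YAML parser;
// assumes 2-space indentation. Both workflows are constructed samples.
const weakWorkflow = `
on:
  pull_request_target:
permissions:
  id-token: write   # every job can request an OIDC token
jobs:
  test:
    steps: [{ run: npm test }]
  publish:
    steps: [{ run: npm publish }]
`;
const tightWorkflow = `
on:
  release:
    types: [published]
jobs:
  publish:
    permissions:
      id-token: write   # only this job can request an OIDC token
      contents: read
    steps: [{ run: npm publish }]
`;

function lintOidcScope(yamlText) {
  const issues = [], triggers = [], oidcJobs = [];
  let topKey = null, job = null, workflowWide = false;
  for (const raw of yamlText.split('\n')) {
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing comments
    const text = line.trim();
    if (!text || text.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const key = text.split(':')[0];
    if (indent === 0) { topKey = key; job = null; continue; }
    if (topKey === 'jobs' && indent === 2) { job = key; continue; }
    if (topKey === 'on' && indent === 2) triggers.push(key);
    if (/^id-token:\s*write$/.test(text)) {
      if (topKey === 'permissions') workflowWide = true;
      else if (job) oidcJobs.push(job);
    }
  }
  if (workflowWide) issues.push('id-token: write granted workflow-wide; scope it to the publish job');
  const risky = triggers.filter((t) => t === 'pull_request_target' || t === 'workflow_run');
  if ((workflowWide || oidcJobs.length) && risky.length) issues.push(`OIDC-capable workflow also runs on: ${risky.join(', ')}`);
  return issues;
}

console.log(lintOidcScope(weakWorkflow), lintOidcScope(tightWorkflow));
```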
By the end of the largest wave:
More than 170 npm and PyPI packages had been compromised
Hundreds of malicious versions were published
Multiple developer ecosystems were temporarily affected
What Developers and OpenAI Users Should Do
1. Audit dependencies installed around May 11–12, 2026
Developers should review builds and dependency installs during the window when malicious versions of TanStack packages were published.
2. Remove and reinstall affected packages
If a compromised version was installed:
Remove the dependency
Install a known‑good version
Rebuild the project from clean sources
3. Rotate developer credentials
Because the malware targeted credential material, rotate any secrets that might have been exposed, including:
GitHub tokens
npm or PyPI publish tokens
cloud provider credentials
CI/CD secrets
4. Review GitHub Actions publishing workflows
Projects should audit CI/CD pipelines that publish packages and verify that OIDC trusted publishing configurations are tightly restricted.
5. Update macOS allowlists for OpenAI apps
Organizations running OpenAI desktop tools should ensure their macOS policies trust the updated signing identity used by OpenAI apps.
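The dependency audit in steps 1 and 2, combined with the install-hook behaviour described under How the Malware Worked, as an added example that is not from the original article, TanStack or OpenAI. It walks a package-lock.json and flags @tanstack/* versions whose registry publish time falls in the May 11–12, 2026 window, plus any other package npm marks as running install scripts; the package names, versions and publish times are constructed placeholders, and reading the window as UTC is an assumption.

```javascript
// Added example: flag @tanstack/* lockfile entries published in the incident window
// and any package npm marks as running install scripts (lockfileVersion 2/3).
// ASSUMPTION: the May 11-12, 2026 window is interpreted in UTC.
const WINDOW_START = Date.parse('2026-05-11T00:00:00Z');
const WINDOW_END = Date.parse('2026-05-13T00:00:00Z'); // exclusive

// Constructed lockfile fragment; names and versions are placeholders, not IoCs.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@tanstack/example-a': { version: '0.0.1' },
    'node_modules/@tanstack/example-b': { version: '0.0.2', hasInstallScript: true },
    'node_modules/example-build-tool': { version: '3.1.0', hasInstallScript: true },
    'node_modules/example-build-tool/node_modules/@tanstack/example-b': { version: '0.0.1' },
  },
};
// Constructed stand-in for the registry "time" map (package -> version -> ISO date).
const sampleTimes = {
  '@tanstack/example-a': { '0.0.1': '2026-04-02T10:00:00Z' },
  '@tanstack/example-b': { '0.0.1': '2026-03-20T08:00:00Z', '0.0.2': '2026-05-11T19:30:00Z' },
};

function auditLock(lock, times, scope = '@tanstack/') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue; // skip the root project entry
    // Nested installs look like a/node_modules/b; the name is the last segment.
    const name = path.split('node_modules/').pop();
    const published = Date.parse((times[name] || {})[entry.version]);
    const inScope = name.startsWith(scope);
    const runsScript = entry.hasInstallScript === true;
    let severity = null;
    if (inScope && published >= WINDOW_START && published < WINDOW_END) severity = 'review-now';
    else if (inScope && Number.isNaN(published)) severity = 'unknown-publish-time';
    else if (runsScript) severity = 'has-install-script';
    if (severity) findings.push({ name, version: entry.version, path, severity, runsScript });
  }
  return findings;
}

console.log(auditLock(sampleLock, sampleTimes));
```

Publish times for real packages can be read with `npm view <package> time --json`, and installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running while the audit is in progress.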
What This Incident Shows About Modern Supply‑Chain Security
Mini Shai‑Hulud illustrates how modern attacks increasingly target developer infrastructure rather than production systems directly. By compromising the tools and pipelines developers rely on, attackers can distribute malware through trusted software dependencies.
The campaign also demonstrated a troubling new reality: even packages with valid provenance attestations and legitimate publishing signatures can still be malicious if the underlying build pipeline is compromised.
For teams that rely heavily on open‑source dependencies, monitoring dependency changes, isolating build environments, and rotating credentials quickly after incidents have become essential parts of software security.