Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps

It is crucial to treat any development environment that has installed or imported one of the 172 compromised npm or PyPI packages published since May 11 as potentially compromised. The worm, as described in the StepSecurity blog, is capable of harvesting various credentials from affected developer workstations, including AWS keys, SSH private keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. Notably, it now targets password managers such as 1Password and Bitwarden for the first time in a TeamPCP campaign, as reported by SecurityWeek.

Furthermore, the worm is designed to steal Claude and Kiro AI agent configurations, along with MCP server auth tokens for external services connected to an agent. What sets this attack apart is that the persistence mechanisms installed by the worm remain even after the compromised package is removed. They include settings in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen), as well as a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These components are stored in the project tree, not in node_modules, making them challenging to detect and remove. Additionally, on Linux-based CI runners, the worm can read runner process memory directly to extract secrets, including masked ones.
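
A triage check for the two project-tree persistence files named above, as an added example rather than code from the article or any vendor: it walks a checkout and reports .vscode/tasks.json tasks set to run on folder open and .claude/settings.json files that define hooks. Treating any hook as worth review is an assumption (the article does not say which setting the worm writes), the tree built in demo() is constructed sample data, and the LaunchAgent/systemd daemon is not covered.

```python
import json, os, tempfile
from pathlib import Path

def load(path):  # dict parsed from a JSON file, or None if it is not a strict-JSON object
    try:
        data = json.loads(path.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None

def auto_run_tasks(path):
    """Commands of tasks.json tasks whose runOptions.runOn is "folderOpen"."""
    data = load(path)
    if data is None:  # tasks.json may hold comments: flag on a raw match rather than skip
        raw = path.read_text(encoding="utf-8", errors="replace")
        return ["<unparsed>"] if '"folderOpen"' in raw else []
    tasks = data.get("tasks") if isinstance(data.get("tasks"), list) else []
    return [str(t.get("command")) for t in tasks if isinstance(t, dict)
            and isinstance(t.get("runOptions"), dict) and t["runOptions"].get("runOn") == "folderOpen"]

def claude_hooks(path):
    """Hook event names in .claude/settings.json (assumption: any hook deserves review)."""
    hooks = (load(path) or {}).get("hooks")
    return sorted(hooks) if isinstance(hooks, dict) else []

CHECKS = {(".vscode", "tasks.json"): ("vscode-folderOpen", auto_run_tasks),
          (".claude", "settings.json"): ("claude-hooks", claude_hooks)}

def scan(root):
    """Sorted (relative path, kind, details) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]  # prune
        for (folder, name), (kind, check) in CHECKS.items():
            target = Path(dirpath) / name
            if Path(dirpath).name == folder and name in filenames and (hit := check(target)):
                findings.append((target.relative_to(root).as_posix(), kind, hit))
    return sorted(findings)

def demo():  # scans a constructed tree; every file written here is made-up sample data
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in (".vscode", ".claude"):
            (root / d).mkdir()
        (root / ".vscode/tasks.json").write_text(json.dumps({"tasks": [
            {"label": "build", "command": "npm run build"},
            {"label": "init", "command": "node ./sample.js", "runOptions": {"runOn": "folderOpen"}}]}))
        (root / ".claude/settings.json").write_text(json.dumps({"hooks": {"SessionStart": []}}))
        return scan(root)
```

Call scan() with the path of a real checkout; a finding is a prompt for manual review of that file, since legitimate projects also use folder-open tasks and hooks.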

The Mini Shai-Hulud worm, which first appeared between 19:20 and 19:26 UTC on May 11, quickly spread across 42 @tanstack/* npm packages, totaling 84 malicious versions. Within 48 hours, the campaign expanded to 172 packages across 403 versions on npm and PyPI, as reported by Mend. One of the heavily impacted packages, @tanstack/react-router, receives 12.7 million weekly downloads. The compromise is tracked as CVE-2026-45321, with a CVSS score of 9.6, and the affected packages account for a cumulative 518 million downloads, according to OX Security.

Security researchers have analyzed the attack chain behind the compromise, showing how the attacker exploited vulnerabilities in the CI/CD pipeline. The TanStack postmortem details the sequence of events, from the forking of the TanStack/router repository to the publication of malicious packages on npm. These findings underscore the need for a thorough audit of CI/CD workflows to identify and address potential vulnerabilities.

As the attack evolved, it crossed over from npm to PyPI: the mistralai PyPI package v2.4.6 was identified as executing on import, not on install, as confirmed by Microsoft Threat Intelligence. Mistral AI released a security advisory acknowledging the impact of the compromised npm packages and the subsequent release of the PyPI package. While Mistral’s infrastructure remained uncompromised, the incident highlights the need for heightened security measures across all package registries.