iToverDose / Startups · 12 MAY 2026 · 20:02

Stop the Shai-Hulud worm: 6 urgent steps to secure your dev environment

A self-spreading supply chain attack is harvesting credentials and AI agent configs from millions of downloads. Learn how to detect infections and lock down your systems before irreparable damage occurs.

VentureBeat · 4 min read

A sophisticated supply chain attack codenamed Shai-Hulud has infiltrated the npm and PyPI ecosystems, compromising 172 packages since May 11 and exposing millions of developer environments to credential theft and persistent malware. The worm does not merely lurk in dependencies—it embeds itself deep into systems, harvesting credentials from over 100 file paths, including AWS keys, SSH private keys, GitHub personal access tokens, and even password manager databases like 1Password and Bitwarden.

The attack’s reach extends beyond traditional targets. It specifically targets AI agent configurations for platforms like Claude and Kiro, capturing MCP server authentication tokens that grant access to external services. Even after package removal, the worm maintains persistence through entries in .claude/settings.json, .vscode/tasks.json, and system daemons on macOS (LaunchAgent) and Linux (systemd). On CI runners, the malware reads process memory directly via /proc/pid/mem to extract secrets, including masked tokens, before potentially triggering a destructive daemon that wipes home directories if tokens are revoked prematurely.

How the Shai-Hulud worm evades detection and spreads relentlessly

The attack’s sophistication lies in its ability to bypass conventional security controls. Between 19:20 and 19:26 UTC on May 11, attackers published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours, the campaign escalated to 172 compromised packages spanning 403 versions across both npm and PyPI ecosystems. Notably, @tanstack/react-router, with 12.7 million weekly downloads, and packages like mistralai were weaponized.

A critical factor in the worm’s success is its use of valid SLSA Build Level 3 provenance attestations. Despite maintaining OIDC trusted publishing, signed provenance, and 2FA on maintainer accounts, TanStack’s ecosystem was compromised due to a misconfigured publish pipeline. Peyton Kennedy, senior security researcher at Endor Labs, highlighted in an exclusive interview with VentureBeat that the attack exploited an orphaned commit technique where OIDC scope—rather than provenance or 2FA—served as the actual control point. "If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history can still obtain a valid publish token," Kennedy explained.

The kill chain: Three vulnerabilities exploited in a single attack

TanStack’s detailed postmortem reveals a meticulously orchestrated attack chain. On May 10, attackers forked the TanStack/router repository under the innocuous name zblgg/configuration to avoid detection via fork-list searches (per Snyk’s analysis). A pull request triggered a pull_request_target workflow that executed code on TanStack’s CI runner, poisoning the GitHub Actions cache. When a legitimate maintainer merged changes to the main branch, the release workflow unwittingly restored the poisoned cache, allowing malicious binaries to read /proc/pid/mem, extract OIDC tokens, and publish directly to registry.npmjs.org. Despite tests failing and the publish step being skipped, 84 signed packages still reached the registry.

The attack combined three distinct vulnerabilities:

  • Misconfigured OIDC scope in the publish pipeline
  • Abuse of the pull_request_target workflow
  • Cache poisoning in GitHub Actions

This combination bypassed existing trust boundaries, demonstrating how attackers recombine tradecraft from prior incidents, such as the March 2025 tj-actions/changed-files compromise, into new, highly effective campaigns.

From npm to PyPI: The worm’s cross-ecosystem leap

Within hours, the Shai-Hulud worm transcended npm boundaries to target PyPI. Microsoft Threat Intelligence confirmed that the mistralai PyPI package version 2.4.6 executes upon import—not installation—downloading a payload disguised as Hugging Face Transformers. This evades npm-specific mitigations like lockfile enforcement and --ignore-scripts flags. Mistral AI issued a security advisory confirming the impact, though the company stated no infrastructure was compromised and that no commits or tags were created on May 11.

The blast radius extends across multiple ecosystems. Wiz documented compromises in 65 UiPath packages, Mistral AI SDKs, OpenSearch, Guardrails AI, and 20 Squawk packages. StepSecurity attributes the campaign to TeamPCP, citing toolchain overlaps with prior Shai-Hulud waves and earlier compromises like Bitwarden CLI and Trivy. Notably, the worm executes under Bun rather than Node.js to evade Node-specific detection mechanisms.

Six actionable steps to neutralize the Shai-Hulud threat

  1. Isolate and audit development environments
     • Immediately disconnect affected workstations from corporate networks and revoke all exposed credentials, including OIDC tokens, API keys, and secrets stored in password managers.
     • Scan for persistence mechanisms in .claude/settings.json, .vscode/tasks.json, and system daemons. Remove any unauthorized entries and verify no hidden processes are running.
  2. Implement strict package installation policies
     • Enforce lockfile verification and disable script execution during package installation using flags like --ignore-scripts for npm.
     • Audit dependency trees for the 172 compromised packages identified in this campaign. Prioritize removal of packages published after May 11 with suspicious version patterns.
  3. Reconfigure CI/CD pipelines to block orphaned commits
     • Update OIDC publish pipelines to restrict token generation to specific workflows on protected branches. Avoid granting repository-wide publishing permissions.
     • Disable the pull_request_target workflow unless absolutely necessary, and implement mandatory manual review for external contributions.
  4. Monitor process memory and CI runners
     • Deploy runtime detection tools to monitor /proc/pid/mem access on Linux CI runners. Implement behavioral analysis to detect anomalous memory reads.
     • Restrict CI runner privileges to minimize the impact of potential memory scrapers.
  5. Adopt provenance verification with skepticism
     • Treat SLSA Build Level 3 provenance as a baseline, not a guarantee. Cross-reference provenance attestations with repository activity logs and contributor identities.
     • Implement multi-factor approval for all package releases, regardless of provenance status.
  6. Educate teams on cross-ecosystem risks
     • Train developers on the dangers of cross-language supply chain attacks, particularly Python import-time execution vulnerabilities.
     • Establish a zero-trust policy for AI agent configurations, regularly auditing MCP server tokens and external service integrations.
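A defender-side triage helper for the persistence scan in step 1, added here as an example and not code from the article, TanStack or any vendor named above. It walks the locations the article names (.claude/settings.json, .vscode/tasks.json and systemd user units) and flags auto-run commands that invoke Bun or a downloader, a heuristic taken from the article's note that the worm runs under Bun; the JSON key names, the regex and the directory layout are assumptions, so every hit still needs a human look.

```python
import json, re
from pathlib import Path

# Heuristic only: the article says the worm runs under Bun and downloads a
# remote payload, so commands invoking bun or a downloader are flagged for review.
SUSPICIOUS = re.compile(r"\b(bunx?|curl|wget)\b", re.I)

def _commands(node):
    """Yield every string stored under a 'command' key anywhere in a JSON tree,
    so the check does not depend on the exact hook/task schema (an assumption)."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "command" and isinstance(val, str):
                yield val
            else:
                yield from _commands(val)
    elif isinstance(node, list):
        for val in node:
            yield from _commands(val)

def _load_json(path):
    try:
        return json.loads(Path(path).read_text())
    except (OSError, ValueError):
        return None  # missing or unparsable file: nothing to report

def audit_json_file(path):
    """(command, flagged) for each command found in a settings.json / tasks.json."""
    return [(c, bool(SUSPICIOUS.search(c))) for c in _commands(_load_json(path))]

def audit_systemd_user(unit_dir):
    """(unit name, ExecStart line, flagged) for every user service unit in unit_dir."""
    hits = []
    for unit in Path(unit_dir).glob("*.service"):  # empty if the dir is absent
        for line in unit.read_text().splitlines():
            if line.startswith("ExecStart="):
                cmd = line.split("=", 1)[1].strip()
                hits.append((unit.name, cmd, bool(SUSPICIOUS.search(cmd))))
    return hits

def audit_root(root):
    """Return only the flagged (location, command) pairs under root, which may be
    a home directory or a project checkout (.vscode/tasks.json is per workspace)."""
    root = Path(root)
    flagged = []
    for rel in (".claude/settings.json", ".vscode/tasks.json"):
        flagged += [(rel, c) for c, s in audit_json_file(root / rel) if s]
    flagged += [(u, c) for u, c, s in audit_systemd_user(root / ".config/systemd/user") if s]
    return flagged
```

Run audit_root over each developer home and each project checkout; an empty result does not prove a clean host, it only means none of the named locations carries an auto-run command matching the heuristic.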

The Shai-Hulud worm represents a paradigm shift in supply chain attacks, combining technical sophistication with psychological persistence. As developers and security teams scramble to respond, the lesson is clear: trust must be continuously verified, and security controls must evolve faster than the threats they aim to counter. The next wave of attacks may already be in motion, hidden in plain sight within the dependencies we rely on daily.

