AI/TLDR

npm Ecosystem · 2026-05-11 · major

Mini Shai-Hulud Worm Hits @mistralai and @tanstack npm Packages — 84 Malicious Versions Published in Six Minutes With Valid SLSA Provenance

Self-spreading npm worm hijacked GitHub Actions OIDC tokens to publish 84 malicious package versions across @tanstack, @mistralai, @uipath, and 160+ scopes. First documented worm whose payloads ship with valid SLSA provenance.

Mini Shai-Hulud npm worm graphic — 160 packages compromised across @tanstack, @mistralai, @uipath

A second wave of the Shai-Hulud npm worm published 84 backdoored versions across @tanstack, @mistralai, and 160+ more packages in a six-minute window on May 11.

Key specs

Malicious versions84
Compromised packages160+
Publish window6 minutes
Weekly downloads tanstack router12M

What is it?

A self-propagating supply-chain attack on the npm registry. The worm targets maintainers' GitHub Actions runners, harvests the short-lived OIDC token that npm trusts as the publisher, then republishes hijacked versions of unrelated packages owned by the same scope. The May 11 wave hit @tanstack/router, @mistralai/mistralai (and the Azure and GCP variants), @uipath, @squawk, @tallyui, @beproduct, and dozens of others.

How does it work?

The attacker forked TanStack/router and opened a PR that defined a fake @tanstack/setup package whose npm prepare hook runs during CI. The hook scans the GitHub Actions runner heap for the OIDC JWT used in the trusted-publisher binding between GitHub and npm, then republishes payload-laden tarballs over that authenticated channel. Because the worm publishes through legitimate OIDC, the malicious tarballs carry valid SLSA provenance — the first documented npm worm with attested malware.

Why does it matter?

Provenance-only defenses do not block this worm. Any team that ran a CI build referencing @mistralai/mistralai 2.2.2 to 2.2.4, @mistralai/mistralai-azure 1.7.1 to 1.7.3, @mistralai/mistralai-gcp 1.7.1 to 1.7.3, or affected @tanstack versions in the last 48 hours should rotate every secret accessible from that pipeline. TanStack's react-router alone has roughly 12M weekly downloads.

Who is it for?

Anyone shipping npm packages via GitHub Actions, plus teams running Mistral or TanStack SDKs in production.

Try it

npm ls @mistralai/mistralai @tanstack/router && npm audit

Sources · 4 outlets

Tags

  • security
  • supply-chain
  • npm
  • mistral
  • tanstack
  • shai-hulud
  • worm
  • oidc
  • ci-cd
  • slsa

← All releases · Learn AI