Shai-Hulud worm hits npm: 6 steps to protect your enterprise now

The Shai-Hulud worm is the most sophisticated supply chain attack ever documented against npm and PyPI, and if your team installed any of the 172 compromised packages since May 11, you should assume you're already infected. This isn't hyperbole: the malware survives package removal, persists across reboots, and harvests credentials from over 100 file paths across your developer workstations.
How we got here
The TeamPCP campaign has been refining its techniques for months. This attack chained three separate vulnerabilities: a malicious fork of TanStack/router, GitHub Actions cache poisoning, and OIDC token extraction via direct /proc/pid/mem memory reading. The most unsettling part is that TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, and 2FA on every maintainer account. The attack worked anyway.
What exactly happened
Between 19:20 and 19:26 UTC on May 11, the worm published 84 malicious versions across 42 @tanstack/* packages. Within 48 hours, the campaign expanded to 172 packages and 403 malicious versions. CVE-2026-45321 carries a CVSS score of 9.6. OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned. The worm crossed from npm into PyPI within hours: mistralai==2.4.6 executes on import, not on install, bypassing standard npm mitigations entirely.
The damage goes well beyond classic credentials. The worm steals:
- AWS keys, SSH private keys, and GitHub PATs
- HashiCorp Vault tokens, Kubernetes service accounts, and Docker configs
- Claude and Kiro AI agent configurations, including MCP server auth tokens
- Password manager vaults from 1Password and Bitwarden
- Cryptocurrency wallets and shell history
What this really means
As Endor Labs senior researcher Peyton Kennedy put it: "OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history is enough to get a valid publish token. That's a one-line configuration fix." The industry spent years investing in SLSA and package signing under the assumption that build-process trust equaled artifact security. This attack proves it doesn't.
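As a defender-side illustration of the scoping Kennedy describes, the following is an added example, not a file from the article, Endor Labs, or TanStack: a GitHub Actions publish workflow in its weak form beside a hardened form. The registry-side trusted-publisher binding that decides which repository, workflow file and environment a token must name lives in the npm or PyPI settings, not in this file, and is not shown; the workflow, job, environment and repository names here are assumptions.

```yaml
# Weak form (constructed example): every job in the workflow can mint an
# OIDC token, and nothing ties publishing to a particular branch.
name: release
on: [push]
permissions:
  contents: read
  id-token: write            # granted to every job in this workflow
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance --access public
---
# Hardened form (constructed example): the token is minted only inside the
# publish job, only on a push to main in the expected repository, and only
# through a protected environment; the registry-side trusted-publisher entry
# is then pointed at this workflow file and environment name.
name: release
on:
  push:
    branches: [main]
permissions: {}              # no job receives any token by default
jobs:
  publish:
    if: github.ref == 'refs/heads/main' && github.repository == 'example-org/example-repo'
    runs-on: ubuntu-latest
    environment: npm-publish   # protected environment, deployment restricted to main
    permissions:
      contents: read
      id-token: write          # scoped to this single job
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance --access public
```

The point of the hardened form is that a token minted by any other job, workflow, branch or fork carries different `workflow_ref`, `ref` and `environment` claims, so a registry that binds its trusted publisher to this workflow and environment rejects it even though the token itself is genuine.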
What changes from here
This incident will force a fundamental rethink of how AI coding agents are treated in development environments — the worm explicitly targets them as part of the trusted execution surface, harvesting Claude Code and Kiro configurations as primary objectives. Both npm and PyPI need import-time execution controls that simply don't exist today. Companies relying solely on lockfiles and --ignore-scripts will find those defenses don't cover Python at all.
The 6 actionable steps you need to execute right now:
- Audit every environment that installed npm or PyPI packages since May 11
- Revoke and rotate credentials after isolating the machine — never before, or a destructive daemon wipes your home directory
- Inspect `.claude/settings.json` and `.vscode/tasks.json` in every project tree
- Check macOS LaunchAgents and Linux systemd units for persistence mechanisms
- Restrict OIDC scope to specific workflows and branches across all publish pipelines
- Treat `mistralai==2.4.6` as compromised and audit any environment that imported it
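The inspection steps above (agent and editor config files in project trees, LaunchAgents and systemd user units) are tedious to do by hand across a fleet. The script below is an added triage helper written for this article; it is not code from the article, VentureBeat, or any affected project. It only enumerates the files the checklist names and filters them to those modified on or after the May 11 date the article gives, leaving review of their contents to the responder. The year in the default cutoff is an assumption taken from the CVE identifier, and the `count_flagged` helper is a hypothetical convenience, not an indicator of compromise.

```sh
#!/bin/sh
# Added triage helper for the checklist above (constructed example, not the
# article's or any project's code). It lists candidate files; it does not
# decide whether they are malicious.
#
# Cutoff in touch -t format (YYYYMMDDhhmm). May 11 comes from the article;
# the year 2026 is assumed from the CVE identifier. Override with CUTOFF=...
CUTOFF="${CUTOFF:-202605110000}"

# Create a reference file whose mtime is the cutoff, so plain POSIX find(1)
# -newer works on macOS and Linux alike without GNU-only -newermt.
cutoff_ref() {
  ref="${TMPDIR:-/tmp}/audit_cutoff.$$"
  : > "$ref"
  touch -t "$CUTOFF" "$ref"
  printf '%s\n' "$ref"
}

# Step 3: .claude/settings.json and .vscode/tasks.json under a project root,
# limited to files modified after the cutoff. One path per line.
flagged_project_configs() {
  root="$1"
  ref=$(cutoff_ref)
  find "$root" -type f \
    \( -path '*/.claude/settings.json' -o -path '*/.vscode/tasks.json' \) \
    -newer "$ref" 2>/dev/null
  rm -f "$ref"
}

# Step 4: user-level persistence locations (macOS LaunchAgents, systemd user
# units) under a home directory, same cutoff filter. The home directory is an
# argument so the function can be pointed at a mounted disk image.
flagged_persistence_units() {
  home="$1"
  ref=$(cutoff_ref)
  for dir in "$home/Library/LaunchAgents" "$home/.config/systemd/user"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f \
      \( -name '*.plist' -o -name '*.service' -o -name '*.timer' \) \
      -newer "$ref" 2>/dev/null
  done
  rm -f "$ref"
}

# Number of flagged paths across both checks: a quick fleet-wide yes/no
# before anyone opens the files.
count_flagged() {
  { flagged_project_configs "$1"; flagged_persistence_units "$2"; } | wc -l | tr -d ' '
}

# Usage: ./audit.sh /path/to/projects "$HOME"
if [ -n "$1" ]; then
  flagged_project_configs "$1"
  flagged_persistence_units "${2:-$HOME}"
fi
```

System-wide locations (`/Library/LaunchAgents`, `/Library/LaunchDaemons`, `/etc/systemd/system`) follow the same pattern with root privileges; they are left out here so the script can run as an unprivileged user. Run it on the isolated machine before rotating anything, in keeping with the ordering the checklist gives.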
The real question the industry needs to answer is whether package registries are ready to treat AI agents as a first-class attack surface — because the attackers already do.
Source: VentureBeat