Mini Shai Hulud, the April supply chain attack campaign targeting SAP packages, is back – hitting npm packages with tens of millions of downloads, and the Python Package Index (PyPI) repository.

Attackers under the name Team PCP relaunched the Mini Shai Hulud campaign, a self-propagating supply chain attack that spreads by stealing CI/CD secrets.

Packages maintained by TanStack and Mistral AI’s official TypeScript client for its platform are among those affected.

Aikido Security Researcher Raphael Silva said: “The important part is not only the number of packages, but where they run. These packages are likely to be installed in local developer environments, CI jobs, release workflows, and internal build systems" – where git tokens, cloud credentials, Kubernetes service account tokens, and deployment secrets live.

Team PCP is described by Wiz as "a financially motivated threat actor specializing in cloud-native infrastructure compromise. First tracked in late 2025, the group conducts worm-driven campaigns targeting exposed Docker APIs, Kubernetes clusters, and CI/CD pipelines."

Aikido has found the malware in at least 169 packages and 373 package-version entries, including MistralAI PyPI package v2.4.6, 83 TanStack npm package versions, and 87 package versions of Squawk.

Shai Hulud’s path

The Mini Shai Hulud malware first emerged in April targeting at least four packages in the SAP npm ecosystem and was quickly flagged.

The attack re-emerged this week with Step Security spotting the attack in npm packages for TanStack, a widely used group of open-source web development tools.

According to a post-mortem by TanStack, the attacker forked TanStack/router at 17:16 on May 10 and authored a malicious commit in the hours after.

Following that initial breach, the campaign quickly spread within the npm ecosystem to packages for OpenSearch and squawk, and was identified in PyPI packages for mistralai and guardrails-ai.

Across all its packages – including those not affected by the attack – TanStack sees around 56 million weekly downloads, Squawk has tens of thousands, and the affected opensearch package was downloaded 86,334 times in the last seven days.

On how the incident differs from the earlier SAP attack, Silva said: "The SAP wave was smaller in package count but still high impact because it touched enterprise build tooling.

"This wave is broader. TanStack packages are widely used in modern JavaScript applications, especially routing and full-stack React tooling. A compromised package in that part of the dependency tree can land in a lot of places quickly."

The malicious package primarily activates a credential stealer, which Wiz researchers said targets CI/CD tokens in GitHub Actions OIDC, GitLab and CircleCI, cloud credentials in AWS IMDSv2, GCP and Azure, Kubernetes service accounts, HashiCorp Vault, and package registry tokens.

What was hit?

According to Aikido, the following packages and namespaces were hit by the campaign, as of May 12, 2026. Developers are advised to rotate secrets from any environment where a compromised package was run.

The full list of versions affected is available here.

  • @squawk/
  • @tanstack/
  • @uipath/
  • @tallyui/
  • @beproduct/nestjs-auth
  • @mistralai/
  • @draftauth/
  • @draftlab/
  • @taskflow-corp/cli
  • @tolka/cli
  • @ml-toolkit-ts/
  • @mesadev/
  • @dirigible-ai/sdk
  • @supersurkhet/
  • unscoped packages listed above, including safe-actionts-dnacross-stitchcmux-agent-mcpagentwork-cligit-branch-selectorwot-apigit-git-gitnextmove-mcp, and ml-toolkit-ts

Microsoft’s Threat Intelligence team said on Tuesday it was investigating the Mistral AI PyPI compromise. In a post on X, the team said the code injected in the PyPI packages executes on import and downloads a malicious transformers.pyz file before launching a second-stage payload on Linux.

"The main payload is a credential stealer, but it also includes country-aware logic; it avoids Russian-language environments and contains a geo fenced destructive branch that has 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran," Redmond's team said of the PyPI attack.

What now?

For environments that downloaded the mistralai package, security teams are advised to “isolate affected Linux hosts, block 83[.]142[.]209[.]194, hunt for /tmp/transformers.pyz, pgmonitor[.]py, and pgsql-monitor.service, and rotate exposed credentials.”

As of the morning of May 12, the mistralai PyPI package remains quarantined.

Socket advised all potentially affected security teams to “Run shasum -a 256 on all router_init.js files in your dependency tree. Match against ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c. “

Systems affected by any of the packages identified as compromised should also rotate npm tokens and package publishing access, GitHub PATs and GitHub Actions secrets, cloud credentials, Kubernetes service account tokens, Vault tokens and deployment secrets. Aikido published the IOCs here.

The link has been copied!