>_TheQuery

The npm Compromise Proved AI Is Not Safe From AI

By Addy · May 13, 2026

On May 11, 2026, between 19:20 and 19:26 UTC, a threat actor published 84 malicious package versions across 42 TanStack packages in six minutes.

Not six hours. Six minutes.

The packages looked legitimate. They carried valid cryptographic signatures. They passed SLSA Build Level 3 provenance attestation, the gold standard of supply chain verification, the proof that is supposed to guarantee a package was built from a trusted source. The security infrastructure that exists precisely to prevent this kind of attack looked at these packages and said: clean.

They were not clean.

The attack was the latest wave of the Shai-Hulud campaign, attributed by researchers to a threat group called TeamPCP. The worm family has been running since September 2025, and this wave, tracked as Mini Shai-Hulud, was one of its most sophisticated. The packages it compromised included TanStack's react-router, Mistral AI's official npm SDK, Guardrails AI, UiPath, OpenSearch, and other developer infrastructure. Prior TeamPCP activity had already touched security tooling such as Bitwarden CLI and Trivy. By May, the campaign was no longer just attacking packages. It was attacking the trust model around packages.

What made this wave different from every previous supply chain attack was not only the scale. It was who the attacker pretended to be.

How the Attack Actually Worked

Understanding the mechanism matters because the sophistication is the point.

On May 10, the day before the attack, the attacker created a fork of the TanStack/router repository and renamed it configuration, a generic name that does not stand out in fork-list searches. The account did not look obviously suspicious. The fork did not look obviously suspicious. The rename was the first layer of camouflage.

The attacker then opened a pull request against TanStack/router. The PR triggered a pull_request_target workflow, a GitHub Actions trigger that runs with base-repository permissions even for PRs from external forks. This is a known misconfiguration pattern, documented for years, present in thousands of repositories because it is easy to misunderstand. The workflow executed the attacker's fork code, which poisoned the shared GitHub Actions runner cache with a malicious pnpm store.
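The vulnerable pattern is easy to reproduce. A hypothetical workflow like the one below, not TanStack's actual configuration, checks out the PR head's code while holding the base repository's permissions and its shared cache:

```yaml
# Hypothetical illustration of the risky pattern -- not TanStack's real workflow.
name: pr-checks
on: pull_request_target   # runs with BASE-repo permissions, even for fork PRs

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Danger: checks out the untrusted fork's code into a privileged job...
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          # ...which can now poison a cache that release jobs later restore
          path: ~/.pnpm-store
          key: pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm test   # attacker-controlled scripts run here
```

The combination is the trap: either element alone is common and survivable, but untrusted code plus a writable shared cache plus elevated permissions turns a routine PR check into a foothold in the release pipeline.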

When legitimate TanStack maintainers later merged real PRs to main, the release workflow restored the poisoned cache. Attacker-controlled binaries then extracted OIDC tokens directly from the GitHub Actions runner's process memory, reading from /proc/<pid>/mem at runtime. These tokens were valid, freshly issued, and indistinguishable from tokens generated by a legitimate release pipeline.

The attacker used those tokens to publish malicious package versions to npm under TanStack's own trusted identity. No npm credentials were stolen. No MFA was bypassed. The npm publish workflow was not compromised. The packages were published through TanStack's legitimate pipeline, using TanStack's legitimate identity, carrying TanStack's legitimate cryptographic attestation.

Every security check passed. Every one.

The malicious commit that initiated the attack was authored under the identity claude, using a GitHub noreply address, directly impersonating the Anthropic Claude GitHub App. In a codebase where Claude Code commits appear regularly, a commit from claude raises fewer flags than it should. The attacker knew this. The choice was deliberate.

What the Payload Did

The malware that shipped inside those packages was not opportunistic. It was architected.

On installation, the payload collected credentials from over 100 file paths: GitHub personal access tokens, npm publishing tokens, cloud deployment keys, SSH credentials, CI/CD system secrets, cryptocurrency wallet files, password vaults, seed phrases, and API keys for major cloud providers. It exfiltrated the stolen data through redundant channels, including a typosquat domain at git-tanstack.com, the decentralized Session messenger network to complicate blocking, and GitHub API dead drops using stolen tokens.

On developer machines, the malware installed a persistent daemon, a macOS LaunchAgent or Linux systemd service, that polled GitHub every 60 seconds to check whether stolen tokens were still valid. If it detected that a token had been revoked, the natural first move during incident response, the daemon attempted a destructive wipe routine.

Developers were warned explicitly: do not revoke tokens before isolating and imaging the system. Revocation could trigger the wipe. The malware was designed to punish the correct incident response action.

The geofencing was specific and revealing. The malware checked system language settings and terminated without exfiltrating data on Russian-language systems. In the Python variants, systems appearing to originate from Israel or Iran could trigger a probabilistic sabotage routine.

The payload file was named transformers.pyz. Not randomly. Deliberately, to mimic Hugging Face's Transformers library, the most widely used Python framework in machine learning. In an AI developer's environment, a file called transformers.pyz is invisible noise. It looks like infrastructure.

What Was Actually Targeted

Read the list of compromised packages as a map, not a coincidence.

TanStack react-router. Mistral AI's official SDK. Guardrails AI, a library specifically designed to add safety controls to LLM outputs. UiPath's automation platform. OpenSearch. Prior TeamPCP activity against Trivy and Bitwarden. This is not a random selection of popular packages. This is a deliberate targeting of the AI development stack.

These are packages that AI developers install to build AI products, call AI APIs, add safety guardrails to AI outputs, and scan deployments for vulnerabilities.

Once infection occurred, the malware wrote persistence hooks into Claude Code and VS Code task configurations. Uninstalling the malicious packages did not remove it. The AI coding assistant that developers use to write code became part of the persistence layer for malware targeting those same developers.

The Mistral AI PyPI package received a slightly different payload. The malicious code executed not on installation but on import, meaning every time a developer's application called import mistralai, the malware could run. The secondary payload was again disguised as transformers.pyz and executed silently in the background on Linux systems.

Guardrails AI is the most pointed target. A library that exists to make AI outputs safer was used to deliver malware to the developers trying to make AI outputs safer. The irony is not subtle. Neither was the choice.

The Detection That Saved It, Barely

The incident was detected by StepSecurity AI Package Analyst, an AI-powered monitoring tool that flagged the compromised artifacts within minutes of publication. The attack moved fast. The detection moved fast too.

That sounds like a success. It was a success. It was also a warning.

Every developer who installed an affected package during the active window, and every CI system that resolved one of those versions before removal, received a malicious payload. Six minutes is not a small window when the package being compromised is @tanstack/react-router with more than 12 million weekly downloads.

AI caught an AI-aware attack. Both sides used the same capability curve. The detection was fast enough this time.

The Larger Point Nobody Is Saying Clearly

The Shai-Hulud campaign did not begin in May 2026. It began in September 2025. Eight months of continuous operation against the same ecosystem, escalating in sophistication with every wave.

Wave one: credential harvesting through compromised packages. Wave two: self-replicating propagation using stolen tokens. Later waves: targeting security tooling directly, including Trivy and Bitwarden. May 2026: cryptographically attested malicious packages that pass standard verification checks, targeting AI development infrastructure specifically.

Each wave incorporated the lessons of the previous one. The September 2025 attacks leaned heavily on compromised packages and token theft. By May 2026, the attacker did not need fake packages. They published malicious code under real packages with real signatures and real provenance attestation using real OIDC tokens extracted from real CI/CD pipelines.

This is what the AI cybersecurity threat actually looks like in practice: not a model reasoning about vulnerabilities in the abstract, but an attacker using AI tools, AI trust signals, and AI infrastructure as camouflage for a credential theft campaign that scales horizontally through the dependency graph of an entire ecosystem.

The Daybreak announcement from OpenAI came on May 11, the same day as the TanStack attack. Anthropic's Project Glasswing announced on April 7 that Claude Mythos Preview had found thousands of zero-day vulnerabilities across major operating systems. Both initiatives are real and both address real problems.

Neither of them would have stopped Mini Shai-Hulud.

The TanStack attack did not exploit a zero-day. It exploited a known GitHub Actions misconfiguration pattern that has been documented for years. It bypassed SLSA provenance because SLSA provenance verifies the build pipeline, not the code that the build pipeline is about to run. It persisted through Claude Code hooks because Claude Code, like every development tool, trusts the package ecosystem it runs inside.

The defenses that Glasswing and Daybreak are building, AI-assisted vulnerability discovery, AI-powered code review, AI-generated patches for known CVEs, are the right defenses for a specific class of attack: the class where a capability gap exists between what an attacker can find and what a defender can find. Where the problem is discovery speed.

Mini Shai-Hulud did not exploit a discovery gap. It exploited a trust gap. The trust that developers place in packages with valid signatures. The trust that CI/CD pipelines place in OIDC tokens issued by their own runners. The trust that AI coding tools place in the package ecosystem they are installed into. The trust that incident responders place in token revocation as a safe first response.

The attacker did not need a smarter model. They needed a developer to open a pull request, a GitHub Actions workflow to execute it with base-repository permissions, and six minutes of access to a release pipeline.

What Vibe Coding Has To Do With This

The connection between this attack and the vibe coding infrastructure critique this publication ran two weeks ago is not metaphorical. It is structural.

AI agents generating code run npm install. They install dependencies from the same registry that Mini Shai-Hulud targeted. They run in CI/CD pipelines that use the same GitHub Actions patterns that Mini Shai-Hulud exploited. They commit with identities, including Claude GitHub noreply identities, that Mini Shai-Hulud specifically impersonated as camouflage.

An AI agent running a dependency install in an agentic workflow does not have a developer's intuition about a package that behaves slightly differently than expected. It does not notice that the install took a millisecond longer than usual, or that a new daemon appeared in the process list. It executes the postinstall hook, receives a clean exit code, and continues to the next task.
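The hook itself is standard npm machinery, a single line in package.json that any dependency, direct or transitive, can ship. The package name and script below are hypothetical:

```json
{
  "name": "some-transitive-dependency",
  "version": "4.2.1",
  "scripts": {
    "postinstall": "node setup.js"
  }
}
```

npm runs the postinstall script automatically after the package is unpacked. Nothing about the script's name, contents, or behavior is vetted by the registry, and a clean exit code is all the installing process, human or agent, ever sees.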

At agentic scale, every merge event can become a dependency installation event. A supply chain compromise active during working hours reaches a different scale than one discovered after the fact. TeamPCP published the malicious packages at 19:20 UTC, and the window only needed to stay open for a few minutes to matter.

The Trust Infrastructure Has Not Caught Up

SLSA provenance failed here because the attacker used legitimate infrastructure to produce legitimate attestations for malicious code. The attestation was real. The code was not. Mini Shai-Hulud is one of the first documented npm worms to produce validly attested malicious packages. The gold standard of supply chain security was not sufficient.

This does not mean SLSA is useless. It means SLSA solves the problem it was designed for, verifying that a package was built from a specific source using a specific pipeline, and the attack operated above that layer, by compromising the pipeline before the build ran.

The tools to reduce this attack surface exist. Package managers such as pnpm now offer stronger consumer-side controls than the npm CLI, including default blocking or strict handling of lifecycle scripts, minimum release-age protections, and controls for unusual dependency protocols. Those controls would have narrowed the install-time attack surface.

The adoption of those tools has not kept pace with the threat. This is the same gap that exists everywhere in this story: between SLSA's deployment and its assumed protection, between GitHub Actions' documented misconfiguration patterns and their presence in thousands of production repositories, between the security scanner Aqua Security built and the fact that the scanner itself was compromised in an earlier wave.

Models Are Improving. So Are the Attackers.

Every week in 2026 brings a new benchmark. Claude Opus 4.7 at 87.6% on SWE-bench. DeepSeek V4-Pro beating every closed model on competitive programming. Qwen3.6-27B matching frontier reasoning at a fraction of the cost. The coverage frames this as a race between labs, between open and closed, between East and West.

Mini Shai-Hulud ran a different benchmark. September 2025: credential theft through compromised packages. November 2025: self-replicating propagation using stolen tokens. Early 2026: targeting security tooling itself. May 2026: cryptographically attested malicious packages that pass every verification check, impersonating AI identities, persisting through AI coding tools, targeting the AI development stack specifically.

Multiple waves. Eight months. Each one more sophisticated than the last. The attacker's capability curve is not flat. It is compounding at roughly the same pace as the models everyone is benchmarking.

The frontier labs are not the only ones iterating. TeamPCP iterated too. They moved to OIDC token extraction when credential theft became harder. They added geofencing, redundant exfiltration channels, and a wipe trigger on token revocation when incident response patterns became predictable. They impersonated Claude when AI commit identities became normal enough in codebases to be invisible.

Every defensive improvement the ecosystem made, the attacker studied and routed around. This is not coincidence. This is the same feedback loop that makes models better: observe the failure, adjust the approach, iterate. The difference is that model improvement happens in public, with papers and benchmarks and press releases. Attack improvement happens in the gap between waves, invisible until the next campaign begins.

Daybreak launched the same day as the TanStack attack. Glasswing found thousands of zero-days across major operating systems. StepSecurity AI Package Analyst caught Mini Shai-Hulud within minutes. The defensive tooling is improving in real time and the detection was genuinely fast.

The attacker published 84 malicious package versions in six minutes. Carrying valid cryptographic attestations. Using the victim's own identity. Hiding inside Claude Code. Persisting after cleanup. Prepared for the correct incident response and designed to punish it.

The models getting better is not the story. The story is that the same capability curve that produced Claude Opus 4.7 and DeepSeek V4 is available to everyone, including the people who spent eight months turning a basic credential harvester into a worm that signs its own malicious packages with the victim's legitimate cryptographic identity.

The npm ecosystem is the water table of modern software. Mini Shai-Hulud has been poisoning it for eight months. The next wave is already being prepared using credentials stolen from this one. It will be more sophisticated than this one. It always has been.

Sources:

Previously on TheQuery: The Defenders Just Got Better Tools. So Did Everyone Else. and Vibe Coding Broke GitHub. That Is Not the Surprising Part.