Particle.news

TeamPCP Worm Poisons Hundreds of npm and PyPI Packages With Signed Malicious Releases

Attackers hijacked GitHub Actions using OIDC tokens to ship signed releases that stole developer and cloud secrets.

Overview

  • The Mini Shai‑Hulud campaign, which hit Monday, pushed more than 370 malicious package versions across over 170 npm and PyPI projects in roughly five hours.
  • It chained a risky pull_request_target workflow, GitHub Actions cache poisoning, and runtime theft of an OIDC token to publish through legitimate pipelines with valid SLSA provenance.
  • The injected payload, a ~2.3 MB file known as router_init.js, harvested credentials, planted persistence in VS Code and Claude Code, and sent stolen data via the Session network, a typosquat domain, and attacker GitHub dead‑drops.
  • TanStack saw 84 malicious versions across 42 packages and received CVE‑2026‑45321, while UiPath packages, Mistral AI and Guardrails AI on PyPI, the OpenSearch JS client, and Squawk packages were also hit.
  • Registries and projects removed or quarantined bad releases, and researchers urge teams to treat installs during the window as compromised, rotate all secrets, audit GitHub Actions and OIDC settings, and add install‑time behavior checks since provenance alone cannot flag a poisoned build.
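A triage scan for the workflow audit recommended above, as an added example that is not from the article or any affected project. It flags the three ingredients the overview names across a repository's workflow files. The function names, finding strings and sample workflows are constructed, and treating a checkout of the pull request head as the "risky" pattern is an assumption based on general GitHub Actions guidance.

```python
import re

# Line-based triage scan (no YAML parser) for the three ingredients named in
# the overview: pull_request_target, Actions cache use, OIDC token grants.
PATTERNS = {
    "prt": re.compile(r"\bpull_request_target\b"),
    "pr_head": re.compile(r"github\.event\.pull_request\.head\.(sha|ref)"),
    "cache": re.compile(r"uses:\s*actions/cache(/\w+)?@"),
    "oidc": re.compile(r"\bid-token:\s*write\b"),
}

def scan(text):
    """Return the pattern names found outside YAML comments."""
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    return {name for name, pat in PATTERNS.items() if pat.search(body)}

def audit_repo(workflows):
    """workflows maps filename -> YAML text; returns sorted (file, finding)."""
    hits = {name: scan(text) for name, text in workflows.items()}
    out = []
    for name, h in hits.items():
        if {"prt", "pr_head"} <= h:
            out.append((name, "pull_request_target runs untrusted PR head code"))
        if {"prt", "cache"} <= h:
            out.append((name, "cache used in a pull_request_target run"))
        if "oidc" in h:
            out.append((name, "id-token: write (OIDC token available to jobs)"))
    # Cross-workflow: an OIDC-enabled workflow uses the cache alongside one
    # that an outside pull request can trigger.
    risky = sorted(n for n, h in hits.items() if {"prt", "cache"} <= h)
    for name, h in hits.items():
        if risky and {"oidc", "cache"} <= h and "prt" not in h:
            out.append((name, "shares Actions cache with " + ", ".join(risky)))
    return sorted(out)

# Constructed sample workflows (not taken from any affected project).
SAMPLE = {
    "bench.yml": "on: pull_request_target\njobs:\n  bench:\n    steps:\n"
                 "      - uses: actions/checkout@v4\n        with:\n"
                 "          ref: ${{ github.event.pull_request.head.sha }}\n"
                 "      - uses: actions/cache@v4\n",
    "release.yml": "on:\n  push:\n    tags: ['v*']\npermissions:\n"
                   "  id-token: write  # publish with provenance\njobs:\n"
                   "  publish:\n    steps:\n      - uses: actions/cache@v4\n",
}

if __name__ == "__main__":
    for finding in audit_repo(SAMPLE):
        print(*finding, sep=": ")
```

A pattern match here is a prompt for manual review of the workflow, not proof of compromise; the scan does not parse job-level scoping or reusable workflows.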