Contacts

Bulgaria, Kavarna
Saudi Arabia, Riyadh

+359 875 328030

sales@diamatix.com

Contacts

Bulgaria, Kavarna
Saudi Arabia, Riyadh

+359 875 328030

sales@diamatix.com

124727

New Supply Chain Campaign Compromises AI, DevOps, and Open-Source Packages Across npm and PyPI

A new large-scale software supply chain campaign linked to the TeamPCP threat actor and the Mini Shai-Hulud malware family has compromised dozens of packages across the npm and PyPI ecosystems, including projects associated with:

  • TanStack
  • Mistral AI
  • Guardrails AI
  • OpenSearch
  • UiPath
  • additional developer-focused libraries

According to multiple security researchers, the campaign combines:

  • malicious package publishing
  • GitHub Actions abuse
  • OIDC token manipulation
  • credential theft
  • IDE persistence
  • CI/CD propagation techniques

The incident is especially significant because it abuses legitimate software delivery mechanisms and trusted publishing workflows.

What Happened

The compromised packages include obfuscated JavaScript payloads designed to:

  • profile execution environments
  • steal credentials and access tokens
  • collect GitHub tokens
  • extract cloud secrets
  • target AI tooling and CI/CD environments

Stolen information is exfiltrated through several channels, including:

  • Session Protocol infrastructure
  • attacker-controlled GitHub repositories
  • external command-and-control domains

Researchers also observed malware functionality capable of:

  • injecting malicious GitHub Actions workflows
  • establishing persistence inside VS Code and Claude Code
  • creating automated token monitoring services
  • compromising downstream packages

Attack Chain

In the TanStack-related compromises, attackers reportedly abused:

  • pull_request_target workflows
  • GitHub Actions cache poisoning
  • OIDC token extraction from CI runners
  • trusted publishing mechanisms

Rather than stealing npm publish tokens directly, the attackers generated short-lived publish tokens during workflow execution using GitHub OIDC integrations.

This allowed:

  • malicious package publishing
  • valid provenance signing
  • abuse of legitimate release pipelines

Researchers describe this as one of the first documented cases of malicious packages carrying valid SLSA provenance attestations.
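The pull_request_target and OIDC ingredients listed above can be triaged statically. The following auditor is an added example written for this article, not code from any affected project or researcher; both workflow texts are constructed samples, and the scan is line-oriented rather than a full YAML parse.

```python
import re

# Constructed risky workflow (not from any affected project): fork code is
# checked out and run with base-repo secrets plus an OIDC (id-token) identity.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm publish --provenance
"""

# Constructed hardened counterpart: tag-triggered, trusted ref, gated environment.
HARDENED_WORKFLOW = """\
on:
  push:
    tags: ['v*']
permissions:
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm publish --provenance
"""

def audit_workflow(text: str) -> list[str]:
    """Line-oriented triage (no full YAML parse) for the three ingredients above."""
    prt = re.search(r"\bpull_request_target\b", text)
    head = re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text)
    id_token = re.search(r"^\s*id-token\s*:\s*write", text, re.M)
    publish = re.search(r"npm publish|twine upload|gh-action-pypi-publish", text)
    gated = re.search(r"^\s*environment\s*:", text, re.M)
    findings = []
    if prt and head:
        findings.append("pull_request_target checks out the PR head: fork code runs with base-repo secrets")
    if prt and id_token:
        findings.append("pull_request_target job can mint OIDC tokens (id-token: write)")
    if publish and id_token and not gated:
        findings.append("provenance-capable publish step is not gated by a protected environment")
    return findings
```

Run it over every file under .github/workflows in the repositories you publish from; a clean result for the hardened shape and three findings for the risky one is the expected output.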

Scale of the Campaign

According to public reporting:

  • more than 170 packages were affected
  • both npm and PyPI ecosystems were targeted
  • cumulative downloads exceeded 500 million
  • hundreds of repositories containing stolen credentials were created

The campaign impacted:

  • AI tooling
  • frontend ecosystems
  • automation frameworks
  • CI/CD tooling
  • developer infrastructure
  • search platforms

New Aggressive Behaviors

One of the most concerning additions is a destructive “dead-man’s switch.”

The malware periodically checks whether attacker-created npm tokens remain active. If tokens are revoked before containment and isolation procedures are completed, destructive routines may be triggered.

Researchers also identified:

  • geofenced destructive behavior
  • anti-analysis logic
  • country-aware execution paths
  • Russian locale avoidance

Why It Matters

This campaign reflects a broader shift from isolated package compromise to identity-driven CI/CD propagation.

The primary risk is no longer just malicious package uploads, but compromise of:

  • software delivery pipelines
  • trusted workflows
  • developer identities
  • automation infrastructure

Much of the activity appears operationally legitimate, significantly complicating detection.

DIAMATIX Perspective

This incident highlights the growing importance of securing:

  • CI/CD environments
  • GitHub Actions workflows
  • OIDC integrations
  • developer endpoints
  • software supply chains

Traditional security controls are increasingly insufficient because:

  • payloads execute inside trusted workflows
  • publishing activity appears legitimate
  • malicious actions originate from valid infrastructure
  • signed packages may still be malicious

Visibility into build behavior, workflow execution, and token usage is becoming critical.

CISO Analysis

This campaign demonstrates that modern software supply chain security is no longer limited to dependency scanning.

Organizations need visibility into:

  • workflow execution anomalies
  • OIDC token usage
  • suspicious package publishing activity
  • runtime build behavior
  • IDE persistence mechanisms
  • developer credential access patterns

Particular attention should be given to:

  • branch protections
  • workflow scoping
  • OIDC restrictions
  • behavioral monitoring inside CI/CD environments
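The "OIDC restrictions" point above, and the short-lived publish tokens minted through trusted publishing in the attack chain, come down to which claims a registry or internal gateway accepts from a GitHub OIDC token. The following policy check is an added example, not code from any registry or from the sources cited here; the repository, workflow file and claim sets are constructed, the tokens are unsigned for demonstration, and signature verification against the issuer's JWKS is assumed to happen before this check.

```python
import base64
import json

ISSUER = "https://token.actions.githubusercontent.com"
# Assumed publishing repo and release workflow; both names are constructed.
POLICY = {
    "repository": "example-org/example-pkg",
    "workflow_file": ".github/workflows/release.yml",
    "allowed_events": {"push", "release", "workflow_dispatch"},
    "ref_prefix": "refs/tags/",
}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for demonstration only (alg none, no signature)."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."

def payload_claims(token: str) -> dict:
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_publish_policy(token: str, policy: dict = POLICY) -> list[str]:
    """Policy violations for an OIDC token presented to publish. Assumes the
    signature was already verified against the issuer JWKS; claims only."""
    c = payload_claims(token)
    problems = []
    if c.get("iss") != ISSUER:
        problems.append("unexpected issuer")
    if c.get("repository") != policy["repository"]:
        problems.append("repository mismatch")
    if c.get("event_name") not in policy["allowed_events"]:
        problems.append(f"event {c.get('event_name')!r} not allowed to publish")
    if not str(c.get("ref", "")).startswith(policy["ref_prefix"]):
        problems.append("ref is not a release tag")
    wf = f"{policy['repository']}/{policy['workflow_file']}@"
    if not str(c.get("job_workflow_ref", "")).startswith(wf):
        problems.append("token minted by a workflow other than the release workflow")
    return problems

BASE = {"iss": ISSUER, "repository": "example-org/example-pkg"}
# Constructed claim sets: a tag release vs. a token minted inside a PR-triggered job.
GOOD_TOKEN = make_unsigned_jwt({**BASE, "event_name": "push", "ref": "refs/tags/v1.2.3",
    "job_workflow_ref": "example-org/example-pkg/.github/workflows/release.yml@refs/tags/v1.2.3"})
BAD_TOKEN = make_unsigned_jwt({**BASE, "event_name": "pull_request_target", "ref": "refs/heads/main",
    "job_workflow_ref": "example-org/example-pkg/.github/workflows/pr-preview.yml@refs/heads/main"})
```

A token that passes the registry's signature check but carries the second claim set is exactly the "valid provenance, malicious package" case: pinning event_name, ref and job_workflow_ref is what turns the OIDC trust relationship back into a release-only one.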

What this means for your environment

  • This type of attack relies on trusted CI/CD workflows and compromised developer identities, not only malicious package uploads
  • Detection depends on visibility into build pipelines, token usage, and workflow behavior
  • Response requires rapid isolation of developer environments and forensic analysis of CI/CD infrastructure

Would your environment detect malicious activity inside trusted GitHub Actions workflows?
Do you have visibility into abnormal OIDC token usage and package publishing behavior?
See how modern supply chain campaigns are analyzed and handled in operational environments.


Sources

  • Aikido Security
  • Endor Labs
  • SafeDep
  • Socket Security
  • StepSecurity
  • Snyk
  • Wiz Research
  • Microsoft Threat Intelligence
  • OX Security
  • Public advisories from affected projects

This article is based on publicly available threat intelligence information as of May 2026.
