2026-05-14 01:27:25

10 Critical Insights Into the TeamPCP npm Supply Chain Attack

A detailed breakdown of the TeamPCP supply chain attack on npm/PyPI, covering scope, exploitation of GitHub Actions, malware features, and impact on TanStack Router and Mistral AI SDK.

In a brazen and highly automated assault, the threat group TeamPCP executed a sophisticated supply chain attack on the npm and PyPI ecosystems, compromising over 170 packages within hours. The attack, which took place on May 11, targeted popular libraries used by developers worldwide, including Mistral AI's SDK and the TanStack Router suite. By leveraging a dangerous GitHub Actions trigger, the attackers bypassed traditional credential theft and deployed worm-like malware that spread rapidly. Here are the ten key facts you need to understand about this incident.

1. The Scope of the Compromise

The attack affected 170 npm packages and a handful of PyPI packages, with numbers varying by source: Aikido Security counted 373 package versions across 169 namespaces, while SafeDep identified 404 versions across 170 npm packages plus two PyPI packages. The entire TanStack Router ecosystem (@tanstack) of 42 packages was compromised, along with Mistral AI's SDK (both npm and PyPI), @squawk (87 packages), @uipath (66 packages), @tallyui (30 packages), and @beproduct (18 packages). This wide reach demonstrates the attackers' ability to target multiple high-value dependencies simultaneously.

10 Critical Insights Into the TeamPCP npm Supply Chain Attack
Source: www.infoworld.com

2. The Automated Mini Shai-Hulud Malware Platform

The attack propagated with alarming speed thanks to Mini Shai-Hulud, an automated malware platform with worm-like capabilities. Analysis revealed that once the attackers gained initial access, the malware spread autonomously across package ecosystems, hijacking legitimate release pipelines. This automation allowed the compromise to escalate within hours, catching many maintainers and security teams off guard. The platform's design prioritizes rapid dissemination over stealth, as TeamPCP knew their window of opportunity would be short before detection.

3. Exploiting the pull_request_target Trigger

Instead of stealing maintainer credentials directly, TeamPCP exploited a risky GitHub Actions trigger called pull_request_target. Unlike the ordinary pull_request event, this trigger runs the repository's own workflow against pull requests from forks in the context of the base repository, with access to its secrets and tokens; it spares maintainers approval clicks, but if the workflow then checks out or executes the pull request's code, that code runs with the job's privileges, including its short-lived OIDC tokens. By scraping these tokens, the attackers gained enough privileges to inject malware into the project's release pipelines. Because the tokens are issued legitimately to the workflow, this technique sidesteps controls such as multi-factor authentication and token rotation, making it a particularly insidious vector for supply chain attacks.

4. The Malware's Primary Goal: Credential Theft

Once inside the pipeline, the Mini Shai-Hulud malware focused on stealing developer credentials. Its payload targets GitHub tokens, npm tokens, cloud credentials, API keys, Kubernetes service accounts, and SSH keys. By harvesting these secrets, TeamPCP could extend their attack to other systems and repositories, potentially compromising entire development environments. The malware also exfiltrated data via encrypted channels, making detection by network monitoring tools more difficult.

5. The Dead Man's Switch: A Nasty Surprise

A particularly malicious feature of the malware is the dead man's switch. This component continuously monitors whether a stolen GitHub token has been revoked. If a developer or security team invalidates a compromised token, the dead man's switch triggers a destructive action: it attempts to delete the user's entire home directory. This retaliatory mechanism punishes incident response efforts and creates additional chaos. It also serves as a deterrent, making victims hesitate before revoking tokens even after detection.

6. Previous TeamPCP Attacks on Notable Projects

TeamPCP has a history of targeting high-profile software supply chains. In April, they compromised the command-line version of the Bitwarden password manager, a widely used security tool. A month earlier, they hit Aqua Security's Trivy open-source vulnerability scanner, which later led to a data breach at the EU's Europa.eu web hub. These repeated attacks show a pattern: TeamPCP focuses on popular tools where they can maximize downstream impact, especially those with large user bases in the developer community.

7. Attack Timing Aimed at US Developers

According to Abhisek Datta, founder of SafeDep (one of the first vendors to detect the compromise), TeamPCP deliberately timed the campaign to target US working hours. The attackers understood that high-profile breaches trigger swift industry responses. By focusing on US developers—who are more likely to be active during those hours—they aimed to maximize the number of credentials stolen before detection. This strategic timing suggests a calculated effort to extract value within a short operational window.

8. Detection by Automated Security Tools

Several vendors running automated security tools noticed the attack within hours. SafeDep and Aikido Security were among the first to flag the anomalous activity. Their monitoring systems identified unusual package version bumps and suspicious code additions in real time. This rapid detection helped limit the attack's lifespan, but not before hundreds of package versions were compromised. The incident highlights the importance of automated supply chain security monitoring for any organization that relies on open-source dependencies.

9. Impact on TanStack Router and Mistral AI Ecosystems

TanStack Router, a routing library extremely popular among React web application developers, saw all 42 of its @tanstack packages compromised. This means any project that updated or installed these packages during the attack window could have been infected. Similarly, Mistral AI's SDK suite, essential for developers integrating Mistral's language models, was hit on both npm and PyPI. The compromise of such widely used libraries amplified the attack's reach, potentially affecting thousands of downstream applications.
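Whether a project was exposed depends on when its installed versions were published, not on the version string alone. The following added example (not from the article or from any of the vendors it names) triages a package-lock.json against the per-version publish timestamps that the npm registry returns in a package document's `time` field. The lockfile, the registry snapshot, the `@example/...` package names and the window boundaries are all constructed placeholders; the article gives the day of the attack but not its hours, so the window here is an assumption.

```python
"""Flag installed npm packages whose versions were published inside a
suspected compromise window.

Inputs are a package-lock.json (v2/v3 layout) and, per package, the
registry "time" object (version -> ISO 8601 publish timestamp).  Both
are constructed stand-ins below; in real use, fetch the registry
document for each package and read its "time" field."""
import json
from datetime import datetime

# Placeholder window: the article dates the attack to May 11 but gives no
# hours, so a whole-day window is assumed here.
WINDOW_START = "2026-05-11T00:00:00Z"
WINDOW_END = "2026-05-12T00:00:00Z"

# Constructed lockfile: note the nested copy of @example/core, which a
# naive "one version per name" map would silently overwrite.
LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@example/router": {"version": "1.4.2"},
    "node_modules/@example/core": {"version": "2.0.0"},
    "node_modules/@example/router/node_modules/@example/core": {"version": "1.9.0"},
    "node_modules/@example/sdk": {"version": "0.9.1"}
  }
}""")

# Constructed registry snapshot in the shape of each package's "time" field.
REGISTRY_TIME = {
    "@example/router": {"created": "2024-01-05T00:00:00Z",
                        "1.4.1": "2026-04-30T09:00:00Z",
                        "1.4.2": "2026-05-11T14:03:00Z"},
    "@example/core": {"1.9.0": "2026-03-02T10:00:00Z",
                      "2.0.0": "2026-04-20T08:30:00Z"},
    "@example/sdk": {"0.9.0": "2026-05-01T12:00:00Z",
                     "0.9.1": "2026-05-11T15:10:00Z"},
}


def parse_ts(s: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp; fromisoformat needs +00:00, not Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def installed_packages(lock: dict) -> dict[str, set[str]]:
    """Map package name -> set of installed versions.

    Lockfile keys look like "node_modules/@scope/name" or, for nested
    installs, "node_modules/a/node_modules/b"; the package name is the
    text after the last "node_modules/".  The "" key is the project itself."""
    result: dict[str, set[str]] = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        result.setdefault(name, set()).add(entry["version"])
    return result


def flag_exposed(lock: dict, registry_time: dict, start: str, end: str) -> list[tuple]:
    """Return sorted (name, version, published) for versions published in [start, end).

    Versions missing from the registry snapshot are skipped here; a real
    triage should list them separately rather than treat them as clean."""
    s, e = parse_ts(start), parse_ts(end)
    hits = []
    for name, versions in installed_packages(lock).items():
        for version in versions:
            published = registry_time.get(name, {}).get(version)
            if published is None:
                continue
            if s <= parse_ts(published) < e:
                hits.append((name, version, published))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, published in flag_exposed(LOCK, REGISTRY_TIME, WINDOW_START, WINDOW_END):
        print(f"REVIEW {name}@{version} published {published}")
```

Run against a real lockfile, the same logic points incident responders at exactly the installs that need to be rolled back and the machines whose credentials should be rotated, instead of treating every dependency in the tree as equally suspect.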

10. Lessons for Maintainers and Developers

This incident underscores several critical lessons. First, GitHub Actions workflows using pull_request_target must be carefully audited to avoid token exposure. Second, maintainers should implement strict access controls and monitor for unexpected build triggers. Third, developers should rotate credentials regularly and use short-lived tokens where possible. Finally, automated security scanning of dependencies—before and after updates—can catch supply chain attacks early. TeamPCP's success shows that even well-maintained projects can fall victim, making proactive defense essential.
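The trigger described in section 3 and the audit called for in the first lesson above come together in a simple check. The following added example (not from the article or from GitHub) is a line-based heuristic, not a YAML parser: it flags a workflow that uses `pull_request_target` and also points a checkout at the pull request head (`github.event.pull_request.head.sha`/`.ref` or `github.head_ref`), which is the combination that hands base-repository secrets to contributor-controlled code, and separately notes `id-token: write`, the permission that lets the job mint an OIDC token. The two sample workflows are constructed for the demonstration.

```python
"""Heuristic audit of GitHub Actions workflow text for the risky
pull_request_target combination.

pull_request_target runs the base repository's workflow, with its secrets
and GITHUB_TOKEN, against pull requests from forks.  That is safe only as
long as the job never checks out or executes the pull request's code.
This check is line-based and deliberately simple; it is a triage aid, not
a substitute for reading the workflow."""
import re
from pathlib import Path

# A non-comment line naming the trigger: "on: pull_request_target",
# "on: [push, pull_request_target]" or a "pull_request_target:" key.
TRIGGER_RE = re.compile(r"^[^#\n]*\bpull_request_target\b", re.M)
# Expressions that point a checkout (or anything else) at the PR head.
HEAD_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
# Permission that allows the job to request an OIDC token.
ID_TOKEN_RE = re.compile(r"^[^#\n]*\bid-token\s*:\s*write\b", re.M)


def audit_workflow(text: str) -> list[str]:
    """Return finding codes for one workflow's text; an empty list means
    the workflow does not use pull_request_target at all."""
    findings: list[str] = []
    if not TRIGGER_RE.search(text):
        return findings
    findings.append("PULL_REQUEST_TARGET_TRIGGER")
    if HEAD_REF_RE.search(text):
        # Base-repo secrets plus code from the PR head: the dangerous pairing.
        findings.append("PR_HEAD_CODE_WITH_SECRETS")
    if ID_TOKEN_RE.search(text):
        findings.append("OIDC_TOKEN_MINTABLE")
    return findings


def audit_directory(repo_root: str) -> dict[str, list[str]]:
    """Audit every workflow under <repo>/.github/workflows; keyed by filename."""
    workflows = Path(repo_root, ".github", "workflows")
    return {p.name: audit_workflow(p.read_text(encoding="utf-8"))
            for p in sorted(workflows.glob("*.y*ml"))}


# Constructed sample: trigger + head checkout + OIDC permission + install step.
RISKY = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build   # PR lifecycle scripts run with base-repo secrets
"""

# Constructed sample of the safer shape: plain pull_request runs in the
# fork's context with no secrets and a read-only token, so the same steps
# cannot leak anything worth stealing.
SAFER = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("safer", SAFER)):
        print(label, audit_workflow(text) or "clean")
```

A finding of `PULL_REQUEST_TARGET_TRIGGER` alone is not necessarily a bug: workflows that only label or comment on pull requests legitimately need the base-repository token. The pairing with `PR_HEAD_CODE_WITH_SECRETS` is what warrants an immediate fix, either by switching to `pull_request` or by splitting the job so that nothing from the head ref is built or executed in the privileged context.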

The swift action of security vendors and community response limited the damage, but the attack serves as a stark reminder that supply chain threats are evolving. By understanding how TeamPCP operates—from exploiting GitHub Actions quirks to deploying worm-like malware—the developer community can better prepare for future assaults. As malicious actors grow more sophisticated, vigilance and automated security measures will be key to protecting the open-source ecosystem.