Lead story
The Worm That Signed Its Own Warrants: Mini Shai-Hulud's Six-Minute Supply Chain Blitz
In roughly six minutes, a threat actor known as TeamPCP pushed 84 malicious versions of popular npm packages — and they were cryptographically signed, which is the part that should keep you up at night.
The campaign, dubbed Mini Shai-Hulud, targeted packages from TanStack (a widely used React tooling ecosystem), Mistral AI, UiPath, OpenSearch, and Guardrails AI. Each poisoned package carried an obfuscated JavaScript file, router_init.js, that profiles the host environment, harvests credentials and, in some versions, wipes disk contents. A PyPI arm of the campaign ran in parallel.
What makes this different from the usual supply chain nastiness is the signing. Package signing is supposed to be the answer to "how do I know this code is legitimate?" — it's the mechanism that lets developers trust automated dependency updates. When attackers can sign malicious packages, the trust signal inverts. Your pipeline sees a signed package and waves it through. The attacker has turned your security control into a welcome mat.
The Register's reporting describes it as a "cache-poisoning caper": the attackers appear to have compromised the signing keys or publishing credentials of existing, legitimate packages rather than registering lookalike fakes. That is materially harder to pull off, and materially harder to detect, because the package name, the publisher and the signature all look exactly as they should.
RubyGems locked new account signups the same day, after a separate large malicious upload campaign hit the Ruby package ecosystem. Whether the two are coordinated is unclear, but the timing is striking.
For defenders and developers, the immediate checklist is: audit your dependency lock files for any of the named packages updated in the last 48 hours; rotate every secret that was reachable from a CI/CD environment that installed them (registry tokens, cloud keys, source-control tokens); and check pipeline logs for outbound connections initiated during build steps. The Shai-Hulud campaign specifically targets the build environment, not just end users, so a production system that never ran the packages can still be compromised if a developer's machine or a CI runner fetched them and the credentials stored there were harvested.
The bigger picture is that this is the third major supply chain incident in two weeks, following the Checkmarx Jenkins plugin compromise and the fake OpenAI Hugging Face repo. The pattern isn't coincidental: attackers have clearly identified the open source package ecosystem as the path of least resistance into enterprise environments. A signature proves that whoever published the package held the signing credential; it says nothing about whether the code is safe. Packages that are signed and still malicious force a rethink of what "verified" means in a dependency graph.
Australian organisations using JavaScript or Python toolchains, which is essentially everyone, should treat any TanStack, Mistral AI client libraries, or OpenSearch packages updated in the last week as suspect until verified. The ACSC's guidelines on software supply chain security (updated in 2025) recommend pinning dependencies for critical pipelines to known-good commit hashes, not just version numbers; the npm equivalent is the content hash recorded in the lockfile, honoured by npm ci rather than re-resolved by npm install. This is exactly the scenario those guidelines anticipated.
The six minutes it took to push all 84 versions is the real signal here. At that speed the malicious versions were live before even a well-monitored registry could react, so registry-side detection is always after the fact; the controls that actually hold are the ones in your own pipeline.
