Unveiling the Shai-Hulud Worm: Anatomy of a Provenance-Backed Supply Chain Attack
Introduction: A New Breed of Supply Chain Attack
In May 2025, the software supply chain suffered one of its most sophisticated attacks to date. Dubbed Shai-Hulud, this worm exploited trusted publishing and provenance attestation—security features designed to protect open-source ecosystems—to distribute malicious packages across npm and PyPI. The campaign, which began on May 11, ultimately compromised 172 packages and 403 malicious versions, affecting an estimated 518 million cumulative downloads. This article dissects how the attack worked, what the worm did, and what organizations can do to defend against similar threats.

The Attack Chain: From Fork to Malicious Packages
The Initial Breach: TanStack’s Repository
The attack targeted TanStack, a popular open-source project with packages like @tanstack/react-router (12.7 million weekly downloads). On May 10, an attacker forked the TanStack/router repository under the name zblgg/configuration—a name chosen to evade detection by fork-list scanners. A seemingly benign pull request triggered a pull_request_target workflow that checked out fork code and executed a build. This gave the attacker code execution on TanStack’s GitHub Actions runner.
Chaining Vulnerabilities
The attacker exploited three vulnerabilities in sequence:
- Misconfigured OIDC scope that trusted the entire repository instead of specific branches or workflows.
- A pull_request_target workflow that automatically ran code from forks, bypassing branch protections.
- The ability to forge SLSA Build Level 3 provenance attestations—the highest trust level—by using a valid OIDC token from the compromised repository.
“TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway,” noted Peyton Kennedy, senior security researcher at Endor Labs. “What the orphaned commit technique shows is that OIDC scope is the actual control that matters here.”
The Shai-Hulud Worm: Capabilities and Persistence
Credential Harvesting at Scale
Once installed—either by importing a malicious npm/PyPI package or via a compromised development environment—the worm scanned over 100 file paths for credentials. Its targets included:
- AWS keys, SSH private keys, and npm tokens
- GitHub Personal Access Tokens (PATs)
- HashiCorp Vault tokens and Kubernetes service accounts
- Docker configuration files, shell history, and cryptocurrency wallets
- Password managers like 1Password and Bitwarden—a first for this campaign group
- AI agent configurations for Claude and Kiro, including MCP server authentication tokens
Persistence Beyond Package Removal
Critically, the worm did not disappear when the malicious package was uninstalled. It established persistence in three ways:
- Project-level hooks: Injected configuration into .claude/settings.json (Claude Code) and .vscode/tasks.json (VS Code), with runOn: folderOpen triggers that re-executed every time the project was opened.
- System daemon: Installed a LaunchAgent on macOS or a systemd service on Linux, surviving reboots.
- CI runner memory reads: On Linux-based CI runners, the worm directly read /proc/pid/mem to extract secrets—including masked ones—from running processes.
If an administrator revoked tokens before isolating the infected machine, a destructive daemon wiped the user’s home directory.
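A defender-side check for the project-level hooks described above, added here as an example and not taken from the original article or from any vendor tooling. It assumes VS Code's tasks[].runOptions.runOn key and Claude Code's hooks layout in settings.json (the article does not say which hook event was used); scan_project, demo and the sample files are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

TARGETS = {(".vscode", "tasks.json"), (".claude", "settings.json")}


def scan_project(root):
    """Return (file, kind, command) for config entries that run commands unattended."""
    root, findings = Path(root), []
    hits = [p for p in root.rglob("*.json") if (p.parent.name, p.name) in TARGETS]
    for path in sorted(hits):
        rel = path.relative_to(root).as_posix()
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = None
        if not isinstance(data, dict):
            # JSONC comments or tampering defeat the parser: flag it, never skip it.
            findings.append((rel, "unparsed", "review manually"))
        elif path.name == "tasks.json":
            for task in data.get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append((rel, "folderOpen", str(task.get("command"))))
        else:  # assumed Claude Code layout: hooks -> event -> groups -> hooks
            for event, groups in data.get("hooks", {}).items():
                for hook in (h for g in groups for h in g.get("hooks", [])):
                    if hook.get("type") == "command":
                        findings.append((rel, "hook:" + event, str(hook.get("command"))))
    return findings


def demo():
    """Scan a constructed project tree; every file below is sample data."""
    auto = {"command": "echo sample", "runOptions": {"runOn": "folderOpen"}}
    manual = {"command": "npm run build"}
    hooks = {"SessionStart": [{"hooks": [{"type": "command", "command": "echo sample"}]}]}
    files = {"app/.vscode/tasks.json": json.dumps({"tasks": [manual, auto]}),
             "app/.claude/settings.json": json.dumps({"hooks": hooks}),
             "lib/.vscode/tasks.json": "// JSONC comment\n{}"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(text, encoding="utf-8")
        return scan_project(tmp)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit is a prompt for review, not proof of compromise: legitimate projects also use folderOpen tasks and command hooks, so compare each reported command against what the repository history says should be there.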
Impact and Scale: A Fast-Moving Campaign
The attack unfolded rapidly. Between 19:20 and 19:26 UTC on May 11, the worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours, the campaign expanded to 172 packages across 403 malicious versions on npm and PyPI (tracked by Mend).
The most affected package, @tanstack/react-router, alone accounts for 12.7 million weekly downloads. The vulnerability is assigned CVE-2026-45321 with a CVSS score of 9.6 (critical). OX Security reported that 518 million cumulative downloads were potentially exposed to the malicious versions—each of which carried a valid SLSA Build Level 3 provenance attestation. “The provenance was real. The packages were poisoned,” confirmed security researchers.
Lessons Learned and Proactive Defenses
Rethink OIDC and CI/CD Trust
The attack’s root cause was an overly permissive OIDC scope. Organizations should configure their CI/CD pipelines to trust only specific workflows on specific branches, not entire repositories. Additionally, avoid using pull_request_target for code from forked repositories unless the workflow is fully sandboxed.
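One way to audit workflow files for the pattern described above, as an added example rather than code from the article or from TanStack. It is a line-based heuristic, not a YAML parser; audit_workflow, the finding codes and both sample workflows are constructed for illustration.

```python
import re

# Checkout refs that pull the pull request's own (fork-controlled) code.
PR_REF = re.compile(
    r"ref\s*:.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/)")
OIDC = re.compile(r"id-token\s*:\s*write")


def audit_workflow(text):
    """Heuristic scan of one workflow file; returns a list of finding codes."""
    # Drop comments so a commented-out trigger is not reported.
    body = "\n".join(ln.split("#", 1)[0] for ln in text.splitlines())
    if not re.search(r"\bpull_request_target\b", body):
        return []
    checks = {"pr-code-checkout": "actions/checkout" in body and bool(PR_REF.search(body)),
              "oidc-token-available": bool(OIDC.search(body))}
    return [name for name, hit in checks.items() if hit]


# Constructed workflows (not TanStack's files): the risky shape, then a safer one.
RISKY = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
"""
SAFER = """\
on:
  pull_request:  # fork code gets a read-only token and no secrets
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""

if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFER))
```

Both findings together mean fork-supplied code runs in a job that can request an OIDC token, which is the combination the publisher-side trust policy then has to reject by workflow and branch.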
Strengthen Credential Hygiene
Given the worm’s ability to harvest credentials from diverse sources, developers should:
- Use short-lived, scoped tokens wherever possible.
- Avoid storing plain-text credentials in configuration files or shell history.
- Invest in credential scanning tools that monitor file paths common to attacks.
Incident Response for Supply Chain Attacks
If your environment imported any of the 172 compromised packages, assume the machine is compromised. Do not simply remove the package—the persistence mechanisms remain. Isolate the system, rotate all credentials (including API keys, tokens, and passwords), and perform a forensic analysis of project files and system daemons.
For more details on securing your CI/CD pipeline, see our guide on preventing pull_request_target exploits and our checklist for OIDC configuration.
The Shai-Hulud worm demonstrates that even the most advanced security controls—provenance attestation, 2FA, and OIDC—can be subverted if the attack chain targets the assumptions behind those controls. A combination of strict CI/CD policies, robust credential management, and rapid incident response is essential to defend against this new generation of supply chain threats.