Any developer who installed one of the 172 compromised npm or PyPI packages since May 11 should treat their machine as breached. The Mini Shai-Hulud worm, attributed to the threat group TeamPCP, harvests AWS keys, SSH private keys, GitHub tokens, Kubernetes service accounts, password manager vaults, and now Claude and Kiro AI agent configurations, including MCP server auth tokens. Removing the package does not remove the worm. It plants persistence hooks in .claude/settings.json and .vscode/tasks.json that re-execute every time a developer opens a project, plus a system daemon that survives reboots. On Linux CI runners it reads /proc/pid/mem directly to extract masked secrets. One npm token description left by the worm reads: 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.' That is not a bluff. Wiz confirmed that a destructive daemon wipes the home directory on token revocation.
The attack is technically precise. Between 19:20 and 19:26 UTC on May 11, the worm published 84 malicious versions across 42 TanStack npm packages, all carrying valid SLSA Build Level 3 provenance attestations. The provenance was real. The packages were poisoned. The attacker forked TanStack/router, triggered a pull_request_target workflow to execute fork code on TanStack's runner, poisoned the GitHub Actions cache, and waited for a legitimate maintainer to merge to main. The release workflow restored the poisoned cache, attacker binaries extracted the OIDC token from runner memory, and 84 signed packages reached the registry before tests even failed. 'OIDC scope is the actual control that matters here, not provenance, not 2FA,' said Peyton Kennedy, senior security researcher at Endor Labs. The campaign crossed from npm into PyPI within hours, with Microsoft Threat Intelligence confirming that the mistralai Python package v2.4.6 executes malicious code on import rather than on install, bypassing npm lockfile controls entirely. Late on May 12, the fully weaponized worm code was reportedly open-sourced, meaning any threat actor can now deploy the same chain against any misconfigured pipeline.
Security teams should run two checks immediately: run find . -name 'router_init.js' -size +1M, and grep package-lock.json for the commit hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c. A hit means isolate and image the machine first, rotate credentials second. Do not revoke tokens before the host is forensically preserved. Block filev2.getsession[.]org and git-tanstack[.]com. Longer term, OIDC trusted publishing must be pinned to specific workflows on specific protected branches, cache keys must be isolated per trust boundary, and Python AI/ML pipelines need the same scrutiny applied to JavaScript dependencies. Most critically: AI coding agent config directories like .claude/ and .kiro/ must now be treated as credential stores on par with cloud key vaults. The worm figured that out before most security teams did.
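The two checks above, plus a review list of the persistence locations the article names, as a read-only triage sweep over a local checkout. This is an added example, not code from the article or from any vendor; the commit hash, filenames and domains are the article's, while the temp-dir fixtures and the demo-pkg path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article or any vendor tooling: a read-only triage
# sweep applying the two indicator checks quoted in the text, then listing the
# agent/editor config files named as persistence locations for manual review.
# The commit hash, filenames and domains come from the article; the directory
# layouts built below are constructed fixtures, not real package paths.
IOC_COMMIT=79ac49eedf774dd4b0cfa308722bc463cfe5885c

# scan_repo DIR: prints findings, returns 0 when clean, 1 when any indicator hits.
scan_repo() {
  dir=$1; hits=0
  # Check 1: a router_init.js larger than 1M (the article's size threshold).
  n=$(find "$dir" -name 'router_init.js' -size +1M 2>/dev/null | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] && { echo "SUSPECT: $n oversized router_init.js under $dir"; hits=$((hits+n)); }
  # Check 2: the known-bad commit hash pinned inside any package-lock.json.
  n=$(find "$dir" -name 'package-lock.json' -exec grep -l "$IOC_COMMIT" {} + 2>/dev/null | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] && { echo "SUSPECT: IOC commit in $n lockfile(s) under $dir"; hits=$((hits+n)); }
  # Check 3: the staging/C2 domains from the text appearing anywhere in the tree.
  if grep -rqE 'filev2\.getsession\.org|git-tanstack\.com' "$dir" 2>/dev/null; then
    echo "SUSPECT: known malicious domain string under $dir"; hits=$((hits+1))
  fi
  # Persistence locations: their presence is normal, so they are listed, not counted.
  for f in .claude/settings.json .vscode/tasks.json; do
    [ -f "$dir/$f" ] && echo "REVIEW: $dir/$f exists; inspect for unexpected commands"
  done
  [ "$hits" -eq 0 ]
}

# make_fixture NAME KIND: builds a constructed sample tree (KIND = clean|infected)
# under a fresh temp dir and prints its path. "Infected" content is inert filler.
make_fixture() {
  root=$(mktemp -d)/$1; mkdir -p "$root/node_modules/demo-pkg" "$root/.claude"
  echo '{}' > "$root/.claude/settings.json"
  if [ "$2" = infected ]; then
    dd if=/dev/zero of="$root/node_modules/demo-pkg/router_init.js" bs=1024 count=1100 2>/dev/null
    printf '{"resolved": "git+ssh://example.invalid/repo#%s"}\n' "$IOC_COMMIT" > "$root/package-lock.json"
  else
    echo 'module.exports = {};' > "$root/node_modules/demo-pkg/router_init.js"
    echo '{"lockfileVersion": 3}' > "$root/package-lock.json"
  fi
  echo "$root"
}

# Demo run over one clean and one infected constructed tree.
for kind in clean infected; do
  tree=$(make_fixture demo "$kind")
  scan_repo "$tree" && echo "clean: $tree" || echo "HIT: isolate and image before rotating credentials: $tree"
done
```

Point scan_repo at a real checkout to triage it; a non-zero return is the cue to image first and rotate second, as the article advises.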