Malicious TanStack: The Shai Hulud Attack on Mistral npm Packages
A recent supply-chain attack campaign known as Shai-Hulud has targeted hundreds of packages on npm and PyPI, distributing credential-stealing malware aimed at developers. The attacker exploited valid OpenID Connect tokens to release malicious package versions with verifiable provenance attestation. Initially attributed to the TeamPCP threat group, the attack began by compromising TanStack and Mistral AI packages before expanding to other popular projects like Guardrails AI, UiPath, and OpenSearch.
The Shai-Hulud campaign, which surfaced last September, has had multiple iterations, with some instances exposing developer secrets in GitHub repositories. The attack wave intensified with the publication of multiple malicious packages in the TanStack namespaces on npm, spreading to other projects using stolen CI/CD credentials.
Security firms such as Endor Labs, Aikido, and Socket have identified numerous compromised packages across npm and PyPI. According to TanStack’s post-mortem report, the attackers exploited vulnerabilities in GitHub workflows and GitHub Actions, together with OIDC token theft, to publish 84 malicious versions across 42 TanStack packages with seemingly legitimate provenance.
The malware deployed in the attack targets various developer secrets, including GitHub Actions tokens, Git credentials, npm publish tokens, AWS Secrets Manager, Kubernetes credentials, SSH keys, and more. The malicious payload reads process memory to gather credentials associated with cloud providers, cryptocurrencies, and messaging apps, using the Session P2P network for exfiltration.
Once installed, the malware embeds itself into developer environments, making it challenging to remove. It leverages stolen credentials to modify tarballs, inject the payload, and republish malicious versions. Despite variations in the trigger mechanism for TanStack and Mistral AI packages, they deliver the same credential-stealing payload.
A Microsoft Threat Intelligence analysis revealed that a malicious Mistral AI package on PyPI delivered an information-stealing malware named ‘transformers.pyz,’ designed to avoid executing on hosts with Russian language settings and to potentially wipe machines located in Israel or Iran. The behavior mirrors the CanisterWorm campaign, which targeted Kubernetes platforms based on geographic parameters.
To address the threat, developers are advised to check for affected package versions, rotate all credentials, audit IDE directories for malicious files, and block the threat actor’s infrastructure. Security measures such as verifying provenance, behavioral analysis at install time, and enforcing lockfile-only installs are recommended to mitigate similar attacks in the future.
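As an added example (not from the original article or from any vendor advisory), the following script shows one way to carry out the "check for affected package versions" step against a parsed npm `package-lock.json` (lockfile v2/v3). The package name and versions in `AFFECTED`, the sample lockfile, and the function names are constructed placeholders; replace the list with entries from a published advisory.

```javascript
// Added example: audit an npm lockfile ("packages" map, lockfile v2/v3).
// AFFECTED is a constructed placeholder list, not real indicator data.
const AFFECTED = {
  "@example-scope/affected-pkg": ["9.9.1", "9.9.2"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// lock: the object obtained from JSON.parse of package-lock.json
function auditLockfile(lock, affected = AFFECTED) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = entry.name || nameFromLockKey(key);
    const base = { name, version: entry.version, path: key };
    // Exact match against the advisory list, including nested copies.
    if ((affected[name] || []).includes(entry.version)) {
      findings.push({ ...base, reason: "affected-version" });
    }
    // npm records whether a package declares install-time lifecycle scripts.
    if (entry.hasInstallScript) {
      findings.push({ ...base, reason: "install-script" });
    }
    // Registry tarballs should be pinned by hash; links and bundled deps are not.
    if (!entry.link && !entry.inBundle && !entry.integrity) {
      findings.push({ ...base, reason: "missing-integrity" });
    }
  }
  return findings;
}

// Constructed sample lockfile for demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-scope/affected-pkg": { version: "9.9.2", integrity: "sha512-CONSTRUCTED", hasInstallScript: true },
    "node_modules/safe-lib": { version: "1.2.3", integrity: "sha512-CONSTRUCTED" },
    "node_modules/safe-lib/node_modules/@example-scope/affected-pkg": { version: "9.9.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/no-hash": { version: "0.1.0", resolved: "https://registry.example.invalid/no-hash-0.1.0.tgz" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

For the lockfile-only install recommendation, `npm ci` installs exactly what the lockfile records and fails when `package.json` and the lockfile disagree.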
In conclusion, the Shai-Hulud supply-chain attack underscores the importance of vigilance and proactive security measures to safeguard against evolving threats in the software supply chain.

