The Infamous Credential Stealing Malware Once Again Hits npm & PyPi, Affecting Many Including Mistral AI, OpenSearch Project, TanStack.
Breaking News: Shai-Hulud malware spreads again in npm and PyPi, stealing credentials and self-propagating. Currently with over 170+ packages affected, over 518M monthly downloads in total.
Overview
Shai-Hulud is a self spreading malware, which we extensively researched and wrote about due to its widespread impact. Recent attacks and infections included – PyTorch Lightning & Intercom-Client, SAP npm Packages, and Bitwarden CLI.
This latest variant affecting Mistral AI, OpenSearch Project, TanStack and many others is even more dangerous due to the amount of successful infections around npm.
This version also includes a token monitoring and machine wipe logic, which triggers when the developer tries to revoke the tokens captured or created by the malware.
Who is affected
Anyone who installed the latest npm packages in the last 24h from the following npm namespaces
- @uipath
- @squawk
- @beproduct
- @dirigible-ai
- @draftauth
- @mesadev
- @mistralai
- @ml-toolkit-ts
- @opensearch-project
- @supersurkhet
- @tallyui
- @tanstack
Or any of the following latest npm packages in the last 24h
- agentwork-cli
- cmux-agent-mcp
- cross-stitch
- git-branch-selector
- git-git-git
- ml-toolkit-ts
- nextmove-mcp
- safe-action
- ts-dna
- wot-api
Or any of the following PyPi packages in the last 24h
- mistralai@2.4.6
- guardrails-ai@0.10.1
Impact
- Total affected packages – 170+
- Total accumulated weekly downloads – 177,259,751
- Total accumulated monthly downloads – 518,765,599
- Total GitHub repositories with stolen credentials – 379
- *Containing the “Shai-Hulud: Here We Go Again” string
Recommended Actions
Immediate Actions:
- Rotate your keys and add 2FA to your accounts
- Check for public GitHub repositories containing “Shai-Hulud: Here We Go Again” related strings
- Downgrade the affected packages to a safe version
Treat the machine and any connected token, environment variable and API key as compromised.
Infection Analysis
This new variant is ironically called – “Shai-Hulud: Here We Go Again”, after infecting users, it uploads an encrypted version of the stolen credentials to the victim’s GitHub account under a new repository.
We found 359 repositories with stolen credentials of the new Shai-Hulud variant, and the numbers keep growing as time goes by.
Example of encrypted stolen credentials inside the new repository:
Technical Analysis
The Python infection adds malicious code inside the __init__.py file, which executes when the code is imported – after import, it downloads the payload and executes it.
The Python packages affected – guardrails-ai and mistralai – had a malicious Python code downloaded from the following URLs in order to deliver the credential stealing malware.
https://git-tanstack[.]com/transformers.pyz
https://83[.]142[.]209[.]194/transformers.pyz
After the malware stopped its infections, visiting the above URLs shows a message from TeamPCP
The npm infection is similar to what we’ve seen in the recent Shai-Hulud attacks
package.json – Preinstall hooks point to Bun installation script
setup.mjs – Bun installation script installs Bun and executes an obfuscated JavaScript payload
router_init.js – The JavaScript code extracts credentials, keys, exfiltrates the data to a remote C2 server and to GitHub, and tries to self-spread through npm
Example of package.json with the preinstall script pointing to Bun installation
Example from setup.mjs installing Bun
Example of the obfuscated router_init.js with the malicious code:
The obfuscated code has a multi-layered encryption to ensure domain names and other strings remain obfuscated until the code executes, this makes analysis far more difficult, and gives threat actors the option to have their code executed inside a sandbox in order for analysis to work, which might expose the machine to docker escape and VM escape exploits.
After decoding we see the same malicious actions we’ve already uncovered last month, including credential stealing, self propagating techniques, Russian language check, GitHub upload, and more.
The code now includes the “Shai-Hulud: Here We Go Again” string for the newly created repositories with stolen credentials.
Russian language check
A threat to developers not to revoke the created tokens – “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner”, adding a persistent backdoor to the local machine, exfiltrating data from the GitHub repository and more
The malware continues to install a token monitor script – which checks if the token is working, if it stops working – the malware executes “rm -rf ~/” on the machine.
The malware sends the stolen credentials to https://git-tanstack[.]com, which is the same URL found in the Python version of the malware containing the malicious payload.
Conclusions
TeamPCP is probably working on a new Guinness category – “most supply chain attacks conducted in one year”.
Last time we said it was accelerating, now we see the impact, over 500M monthly downloads accumulated packages are now affected, while security teams are triaging and updating package versions, TeamPCP are working on the next attack.
They also become more aggressive with their actions, turning it to a wiper malware as well – which we see in the string saying “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner” – and the actual script to actually wipe the machine if the token is revoked.
Identifying and blocking suspicious patterns such as npm’s preinstall hooks should be a default behavior, and should be only run after users gave explicit permission – if TeamPCP managed to slip through defenses for so many times in a row, our detection capabilities both on the client side and on the npm & PyPi side should be implemented or improved before the next wave hits.
We strongly recommend that security engineers and developers take immediate precautions: Implement time-based install logic to only pull packages older than 24 hours, enforce 2FA across npm, GitHub, and cloud accounts, and treat key rotation as a routine practice rather than an incident response measure.
Affected Packages
| Ecosystem | Name | Version |
| npm | @beproduct/nestjs-auth | 0.1.18, 0.1.19, 0.1.17, 0.1.16, 0.1.15, 0.1.13, 0.1.14, 0.1.8, 0.1.6, 0.1.9, 0.1.2, 0.1.5, 0.1.11, 0.1.4, 0.1.3, 0.1.7, 0.1.10, 0.1.12 |
| npm | @dirigible-ai/sdk | 0.6.3, 0.6.2 |
| npm | @draftauth/client | 0.2.2, 0.2.1 |
| npm | @draftauth/core | 0.13.1, 0.13.2 |
| npm | @draftlab/auth | 0.24.2, 0.24.1 |
| npm | @draftlab/auth-router | 0.5.1, 0.5.2 |
| npm | @draftlab/db | 0.16.2, 0.16.1 |
| npm | @mesadev/rest | 0.28.3 |
| npm | @mesadev/saguaro | 0.4.22 |
| npm | @mesadev/sdk | 0.28.3 |
| npm | @mistralai/mistralai | 2.2.4, 2.2.3, 2.2.2 |
| npm | @mistralai/mistralai-azure | 1.7.3, 1.7.1, 1.7.2 |
| npm | @mistralai/mistralai-gcp | 1.7.3, 1.7.1, 1.7.2 |
| npm | @ml-toolkit-ts/preprocessing | 1.0.2, 1.0.3 |
| npm | @ml-toolkit-ts/xgboost | 1.0.3, 1.0.4 |
| npm | @opensearch-project/opensearch | 3.5.3, 3.8.0, 3.7.0, 3.6.2 |
| npm | @squawk/airport-data | 0.7.8, 0.7.7, 0.7.6, 0.7.5, 0.7.4 |
| npm | @squawk/airports | 0.6.6, 0.6.5, 0.6.4, 0.6.3, 0.6.2 |
| npm | @squawk/airspace | 0.8.5, 0.8.3, 0.8.4, 0.8.2, 0.8.1 |
| npm | @squawk/airspace-data | 0.5.7, 0.5.5, 0.5.6, 0.5.4, 0.5.3 |
| npm | @squawk/airway-data | 0.5.8, 0.5.7, 0.5.6, 0.5.5, 0.5.4 |
| npm | @squawk/airways | 0.4.6, 0.4.4, 0.4.5, 0.4.3, 0.4.2 |
| npm | @squawk/fix-data | 0.6.8, 0.6.7, 0.6.6, 0.6.5, 0.6.4 |
| npm | @squawk/fixes | 0.3.6, 0.3.5, 0.3.4, 0.3.3, 0.3.2 |
| npm | @squawk/flight-math | 0.5.8, 0.5.7, 0.5.6, 0.5.5, 0.5.4 |
| npm | @squawk/flightplan | 0.5.6, 0.5.5, 0.5.4, 0.5.3, 0.5.2 |
| npm | @squawk/geo | 0.4.8, 0.4.7, 0.4.6, 0.4.5, 0.4.4 |
| npm | @squawk/icao-registry | 0.5.6, 0.5.5, 0.5.4, 0.5.3, 0.5.2 |
| npm | @squawk/icao-registry-data | 0.8.8, 0.8.6, 0.8.7, 0.8.5, 0.8.4 |
| npm | @squawk/mcp | 0.9.5, 0.9.4, 0.9.3, 0.9.2, 0.9.1 |
| npm | @squawk/navaid-data | 0.6.8, 0.6.7, 0.6.6, 0.6.5, 0.6.4 |
| npm | @squawk/navaids | 0.4.6, 0.4.5, 0.4.4, 0.4.3, 0.4.2 |
| npm | @squawk/notams | 0.3.10, 0.3.9, 0.3.8, 0.3.7, 0.3.6 |
| npm | @squawk/procedure-data | 0.7.7, 0.7.5, 0.7.6, 0.7.4, 0.7.3 |
| npm | @squawk/procedures | 0.5.6, 0.5.4, 0.5.5, 0.5.3, 0.5.2 |
| npm | @squawk/types | 0.8.5, 0.8.3, 0.8.4, 0.8.2, 0.8.1 |
| npm | @squawk/units | 0.4.7, 0.4.5, 0.4.6, 0.4.4, 0.4.3 |
| npm | @squawk/weather | 0.5.10, 0.5.8, 0.5.9, 0.5.7, 0.5.6 |
| npm | @supersurkhet/cli | 0.0.7, 0.0.6, 0.0.5, 0.0.4, 0.0.3, 0.0.2 |
| npm | @supersurkhet/sdk | 0.0.7, 0.0.6, 0.0.5, 0.0.4, 0.0.3, 0.0.2 |
| npm | @tallyui/components | 1.0.3, 1.0.2, 1.0.1 |
| npm | @tallyui/connector-medusa | 1.0.3, 1.0.2, 1.0.1 |
| npm | @tallyui/connector-shopify | 1.0.3, 1.0.2, 1.0.1 |
| npm | @tallyui/connector-vendure | 1.0.3, 1.0.2, 1.0.1 |
| npm | @tallyui/connector-woocommerce | 1.0.3, 1.0.2, 1.0.1 |
| npm | @tallyui/core | 0.2.3, 0.2.2, 0.2.1 |
| npm | @tallyui/database | 1.0.3, 1.0.2, 1.0.1 |
| npm | @tallyui/pos | 0.1.3, 0.1.2, 0.1.1 |
| npm | @tallyui/storage-sqlite | 0.2.3, 0.2.2, 0.2.1 |
| npm | @tallyui/theme | 0.2.3, 0.2.2, 0.2.1 |
| npm | @tanstack/arktype-adapter | 1.166.15, 1.166.12 |
| npm | @tanstack/eslint-plugin-router | 1.161.12, 1.161.9 |
| npm | @tanstack/eslint-plugin-start | 0.0.7, 0.0.4 |
| npm | @tanstack/history | 1.161.12, 1.161.9 |
| npm | @tanstack/nitro-v2-vite-plugin | 1.154.15, 1.154.12 |
| npm | @tanstack/react-router | 1.169.8, 1.169.5 |
| npm | @tanstack/react-router-devtools | 1.166.19, 1.166.16 |
| npm | @tanstack/react-router-ssr-query | 1.166.18, 1.166.15 |
| npm | @tanstack/react-start | 1.167.71, 1.167.68 |
| npm | @tanstack/react-start-client | 1.166.54, 1.166.51 |
| npm | @tanstack/react-start-rsc | 0.0.50, 0.0.47 |
| npm | @tanstack/react-start-server | 1.166.58, 1.166.55 |
| npm | @tanstack/router-cli | 1.166.49, 1.166.46 |
| npm | @tanstack/router-core | 1.169.8, 1.169.5 |
| npm | @tanstack/router-devtools | 1.166.19, 1.166.16 |
| npm | @tanstack/router-devtools-core | 1.167.9, 1.167.6 |
| npm | @tanstack/router-generator | 1.166.48, 1.166.45 |
| npm | @tanstack/router-plugin | 1.167.41, 1.167.38 |
| npm | @tanstack/router-ssr-query-core | 1.168.6, 1.168.3 |
| npm | @tanstack/router-utils | 1.161.14, 1.161.11 |
| npm | @tanstack/router-vite-plugin | 1.166.56, 1.166.53 |
| npm | @tanstack/solid-router | 1.169.8, 1.169.5 |
| npm | @tanstack/solid-router-devtools | 1.166.19, 1.166.16 |
| npm | @tanstack/solid-router-ssr-query | 1.166.18, 1.166.15 |
| npm | @tanstack/solid-start | 1.167.68, 1.167.65 |
| npm | @tanstack/solid-start-client | 1.166.53, 1.166.50 |
| npm | @tanstack/solid-start-server | 1.166.57, 1.166.54 |
| npm | @tanstack/start-client-core | 1.168.8, 1.168.5 |
| npm | @tanstack/start-fn-stubs | 1.161.12, 1.161.9 |
| npm | @tanstack/start-plugin-core | 1.169.26, 1.169.23 |
| npm | @tanstack/start-server-core | 1.167.36, 1.167.33 |
| npm | @tanstack/start-static-server-functions | 1.166.47, 1.166.44 |
| npm | @tanstack/start-storage-context | 1.166.41, 1.166.38 |
| npm | @tanstack/valibot-adapter | 1.166.15, 1.166.12 |
| npm | @tanstack/virtual-file-routes | 1.161.13, 1.161.10 |
| npm | @tanstack/vue-router | 1.169.8, 1.169.5 |
| npm | @tanstack/vue-router-devtools | 1.166.19, 1.166.16 |
| npm | @tanstack/vue-router-ssr-query | 1.166.18, 1.166.15 |
| npm | @tanstack/vue-start | 1.167.64, 1.167.61 |
| npm | @tanstack/vue-start-client | 1.166.49, 1.166.46 |
| npm | @tanstack/vue-start-server | 1.166.53, 1.166.50 |
| npm | @tanstack/zod-adapter | 1.166.15, 1.166.12 |
| npm | @taskflow-corp/cli | 0.1.29, 0.1.28, 0.1.27, 0.1.26, 0.1.25, 0.1.24 |
| npm | @tolka/cli | 1.0.5, 1.0.6, 1.0.4, 1.0.3, 1.0.2 |
| npm | @uipath/access-policy-sdk | 0.3.1 |
| npm | @uipath/access-policy-tool | 0.3.1 |
| npm | @uipath/admin-tool | 0.1.1 |
| npm | @uipath/agent-sdk | 1.0.2 |
| npm | @uipath/agent-tool | 1.0.1 |
| npm | @uipath/agent.sdk | 0.0.18 |
| npm | @uipath/aops-policy-tool | 0.3.1 |
| npm | @uipath/ap-chat | 1.5.7 |
| npm | @uipath/api-workflow-tool | 1.0.1 |
| npm | @uipath/apollo-core | 5.9.2 |
| npm | @uipath/apollo-react | 4.24.5 |
| npm | @uipath/apollo-wind | 2.16.2 |
| npm | @uipath/auth | 1.0.1 |
| npm | @uipath/case-tool | 1.0.1 |
| npm | @uipath/cli | 1.0.1 |
| npm | @uipath/codedagent-tool | 1.0.1 |
| npm | @uipath/codedagents-tool | 0.1.12 |
| npm | @uipath/codedapp-tool | 1.0.1 |
| npm | @uipath/common | 1.0.1 |
| npm | @uipath/context-grounding-tool | 0.1.1 |
| npm | @uipath/data-fabric-tool | 1.0.2 |
| npm | @uipath/docsai-tool | 1.0.1 |
| npm | @uipath/filesystem | 1.0.1 |
| npm | @uipath/flow-tool | 1.0.2 |
| npm | @uipath/functions-tool | 1.0.1 |
| npm | @uipath/gov-tool | 0.3.1 |
| npm | @uipath/identity-tool | 0.1.1 |
| npm | @uipath/insights-sdk | 1.0.1 |
| npm | @uipath/insights-tool | 1.0.1 |
| npm | @uipath/integrationservice-sdk | 1.0.2 |
| npm | @uipath/integrationservice-tool | 1.0.2 |
| npm | @uipath/llmgw-tool | 1.0.1 |
| npm | @uipath/maestro-sdk | 1.0.1 |
| npm | @uipath/maestro-tool | 1.0.1 |
| npm | @uipath/orchestrator-tool | 1.0.1 |
| npm | @uipath/packager-tool-apiworkflow | 0.0.19 |
| npm | @uipath/packager-tool-bpmn | 0.0.9 |
| npm | @uipath/packager-tool-case | 0.0.9 |
| npm | @uipath/packager-tool-connector | 0.0.19 |
| npm | @uipath/packager-tool-flow | 0.0.19 |
| npm | @uipath/packager-tool-functions | 0.1.1 |
| npm | @uipath/packager-tool-webapp | 1.0.6 |
| npm | @uipath/packager-tool-workflowcompiler | 0.0.16 |
| npm | @uipath/packager-tool-workflowcompiler-browser | 0.0.34 |
| npm | @uipath/platform-tool | 1.0.1 |
| npm | @uipath/project-packager | 1.1.16 |
| npm | @uipath/resource-tool | 1.0.1 |
| npm | @uipath/resourcecatalog-tool | 0.1.1 |
| npm | @uipath/resources-tool | 0.1.11 |
| npm | @uipath/robot | 1.3.4 |
| npm | @uipath/rpa-legacy-tool | 1.0.1 |
| npm | @uipath/rpa-tool | 0.9.5 |
| npm | @uipath/solution-packager | 0.0.35 |
| npm | @uipath/solution-tool | 1.0.1 |
| npm | @uipath/solutionpackager-sdk | 1.0.11 |
| npm | @uipath/solutionpackager-tool-core | 0.0.34 |
| npm | @uipath/tasks-tool | 1.0.1 |
| npm | @uipath/telemetry | 0.0.7 |
| npm | @uipath/test-manager-tool | 1.0.2 |
| npm | @uipath/tool-workflowcompiler | 0.0.12 |
| npm | @uipath/traces-tool | 1.0.1 |
| npm | @uipath/ui-widgets-multi-file-upload | 1.0.1 |
| npm | @uipath/uipath-python-bridge | 1.0.1 |
| npm | @uipath/vertical-solutions-tool | 1.0.1 |
| npm | @uipath/vss | 0.1.6 |
| npm | @uipath/widget.sdk | 1.2.3 |
| npm | agentwork-cli | 0.1.4, 0.1.5 |
| npm | cmux-agent-mcp | 0.1.8, 0.1.7, 0.1.6, 0.1.5, 0.1.4, 0.1.3 |
| npm | cross-stitch | 1.1.7, 1.1.5, 1.1.6, 1.1.4, 1.1.3 |
| npm | git-branch-selector | 1.3.7, 1.3.6, 1.3.5, 1.3.4, 1.3.3 |
| npm | git-git-git | 1.0.12, 1.0.11, 1.0.10, 1.0.9, 1.0.8 |
| pypi | guardrails-ai | 0.10.1 |
| pypi | mistralai | 2.4.6 |
| npm | ml-toolkit-ts | 1.0.5, 1.0.4 |
| npm | nextmove-mcp | 0.1.7, 0.1.6, 0.1.5, 0.1.4, 0.1.3 |
| npm | safe-action | 0.8.4, 0.8.3 |
| npm | ts-dna | 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1 |
| npm | wot-api | 0.8.3, 0.8.4, 0.8.2, 0.8.1 |
