Sunday, May 24, 2026

Threat Intelligence: Shai-Hulud Supply Chain Poisoning Targets Cloud Credentials

The Mini Shai-Hulud campaign is a multi-wave software supply-chain attack affecting npm, PyPI and other package ecosystems. SlowMist’s analysis, “Shai-Hulud Malware In-Depth Analysis: Open Source Means Loss of Control?”, describes Shai-Hulud as a self-propagating credential-stealing worm targeting open-source software supply chains and GitHub Actions CI/CD environments. SlowMist says TeamPCP released source code, used compromised accounts and included deployment instructions, while its technical breakdown identifies collection of local files, GitHub CLI tokens, AWS IMDS/IRSA data, Kubernetes tokens and API secrets.

May campaign hits TanStack, Mistral and Guardrails

The recent wave began on May 11, 2026, when researchers tracked a new Mini Shai-Hulud campaign against TanStack-linked npm packages. Akamai said the May 11 wave used GitHub Actions CI cache poisoning and npm OIDC publishing abuse, then expanded to packages linked to Mistral AI, UiPath, OpenSearch and others. StepSecurity, in a report by Ashish Kurmi published May 11, 2026, attributed the campaign to TeamPCP and said the worm stole CI/CD secrets, read GitHub Actions runner process memory and harvested credentials from more than 100 file paths.

Mistral AI’s official advisory MAI-2026-002, published May 12, 2026, says an automated worm associated with the TanStack compromise led to compromised npm and PyPI SDK versions. Mistral said the compromised npm packages were uploaded on May 11, 2026, at 22:45 UTC and removed on May 12, 2026, at 01:53 UTC; the compromised PyPI release was uploaded on May 12, 2026, at 00:05 UTC and removed at 03:05 UTC. The affected versions were @mistralai/mistralai 2.2.2, 2.2.3 and 2.2.4, @mistralai/mistralai-azure 1.7.1, 1.7.2 and 1.7.3, @mistralai/mistralai-gcp 1.7.1, 1.7.2 and 1.7.3, and PyPI mistralai 2.4.6.

Guardrails AI separately said on LinkedIn that, on May 11, 2026, an attacker compromised an employee’s GitHub Personal Access Token and used it to publish malicious guardrails-ai 0.10.1 to PyPI. Guardrails said researchers identified the package within roughly two hours, PyPI quarantined the repository, and its own review found no evidence of user data exfiltration from Guardrails infrastructure. That statement is specific to Guardrails’ telemetry and does not close the broader supply-chain risk for environments that installed the malicious package.

Indicators, later waves and mitigation

The technical indicators differ by package and wave. Mistral’s advisory says the malicious PyPI package executed on import on Linux, injected code into src/mistralai/client/__init__.py, downloaded https://83.142.209.194/transformers.pyz to /tmp/transformers.pyz, and used indicators including /tmp/transformers.pyz, python /tmp/transformers.pyz, MISTRAL_INIT=1 and outbound traffic to 83[.]142[.]209[.]194. StepSecurity reported a broader npm worm using OIDC token extraction, SLSA provenance abuse, persistence hooks and encrypted exfiltration through the Session Protocol CDN and GitHub GraphQL.
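The host-side indicators Mistral lists can be swept with a short Python script. This is an added example, not code from the advisory or from any of the vendors cited here; the function names and the root parameter are assumptions of the example, and the network indicator is left to flow or proxy logs.

```python
import os

# Host indicators quoted from Mistral advisory MAI-2026-002 as reported above.
DROP_PATH = "/tmp/transformers.pyz"
ENV_MARKER = b"MISTRAL_INIT=1"

def _read(path):
    """Read a /proc file; processes can exit or deny access mid-sweep."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""

def sweep_host(root="/"):
    """Return (kind, detail) findings for the filesystem rooted at `root`.

    `root` is an assumption of this example: it lets the same check run
    against a mounted image or a collected triage copy instead of the live host.
    """
    findings = []
    # lexists also reports a dangling symlink left at the drop path.
    if os.path.lexists(os.path.join(root, DROP_PATH.lstrip("/"))):
        findings.append(("file", DROP_PATH))
    proc = os.path.join(root, "proc")
    pids = [d for d in os.listdir(proc) if d.isdigit()] if os.path.isdir(proc) else []
    for pid in sorted(pids, key=int):
        # cmdline and environ are NUL-separated; match whole arguments/variables.
        argv = _read(os.path.join(proc, pid, "cmdline")).split(b"\0")
        if DROP_PATH.encode() in argv:
            findings.append(("process", pid))
        env = _read(os.path.join(proc, pid, "environ")).split(b"\0")
        if ENV_MARKER in env:
            findings.append(("env", pid))
    return findings

if __name__ == "__main__":
    # Run as root on the live host so other users' environ files are readable.
    for kind, detail in sweep_host():
        print(f"indicator hit: {kind} {detail}")
```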

The campaign continued after the May 11 wave. Snyk reported another Mini Shai-Hulud wave affecting the AntV ecosystem on May 19, 2026, from 01:39 to 02:06 UTC, with 637 malicious versions across 323 packages and an estimated 16 million weekly downloads. Snyk attributed that wave to TeamPCP aliases DeadCatx3 and PCPcat, and said the affected packages included size-sensor, echarts-for-react, @antv/scale, timeago.js, @antv/g6 and other AntV packages.

Claims about extortion and ransomware remain analytical, not confirmed outcomes for every affected package. Akamai said TeamPCP had claimed authorship of the Mini Shai-Hulud wave and noted prior reporting that the ransomware group Vect had announced a partnership with TeamPCP, suggesting a possible shift toward extortion and ransomware. That is a threat-intelligence assessment of campaign direction, not proof that each npm or PyPI compromise resulted in ransomware deployment.

Mitigation guidance depends on exposure. Mistral tells users to remove affected versions, check lockfiles, package caches, build artifacts, container images and deployment images, and search Linux hosts for the listed indicators if mistralai==2.4.6 was imported. Guardrails tells users who installed guardrails-ai==0.10.1 on May 11 to follow its remediation steps, while saying users pinned to 0.10.0 are unaffected.
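The lockfile check described above can be automated. The following Python is an added example, not tooling from Mistral or Guardrails: it flags only the versions named in this article, and it assumes package-lock.json in lockfileVersion 2 or 3 format and exact "==" pins on the Python side. Function names and the sample inputs are constructed for illustration.

```python
import json
import re

# Affected versions exactly as listed in the advisories quoted in this article.
AFFECTED_NPM = {
    "@mistralai/mistralai": {"2.2.2", "2.2.3", "2.2.4"},
    "@mistralai/mistralai-azure": {"1.7.1", "1.7.2", "1.7.3"},
    "@mistralai/mistralai-gcp": {"1.7.1", "1.7.2", "1.7.3"},
}
AFFECTED_PYPI = {"mistralai": {"2.4.6"}, "guardrails-ai": {"0.10.1"}}

def scan_package_lock(text):
    """Return sorted (name, version, lock path) hits from a package-lock.json v2/v3."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        # Keys look like "node_modules/a/node_modules/@scope/b", so nested
        # (transitive) copies are found too; the name is the last segment.
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if meta.get("version") in AFFECTED_NPM.get(name, ()):
            hits.append((name, meta["version"], path))
    return sorted(hits)

def normalize(name):
    """PEP 503 name normalization, so Guardrails_AI matches guardrails-ai."""
    return re.sub(r"[-_.]+", "-", name).lower()

# name, optional [extras], then an exact "==" pin; stops before markers/hashes.
PIN = re.compile(r"^\s*([A-Za-z0-9][\w.-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)")

def scan_requirements(text):
    """Return (name, version) hits from exact pins (requirements.txt, pip freeze)."""
    hits = []
    for line in text.splitlines():
        m = PIN.match(line)
        if m and m.group(2) in AFFECTED_PYPI.get(normalize(m.group(1)), ()):
            hits.append((normalize(m.group(1)), m.group(2)))
    return hits

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@mistralai/mistralai": {"version": "2.2.1"},
    "node_modules/helper/node_modules/@mistralai/mistralai-gcp": {"version": "1.7.2"},
}})
SAMPLE_REQS = "requests==2.32.3\nMistralAI==2.4.6 \\\n    --hash=sha256:<placeholder>\nguardrails_ai[api]==0.10.0\n"

if __name__ == "__main__":
    print(scan_package_lock(SAMPLE_LOCK), scan_requirements(SAMPLE_REQS))
```

A clean result covers only the file scanned; package caches, build artifacts and container images named in the advisory still need their own checks.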

For later npm exposure, Snyk recommends pinning to pre-May 19 versions, reinstalling with npm install --ignore-scripts, rotating credentials and auditing GitHub for injected workflows or dead-drop repositories. Those steps are tied to Snyk’s AntV-wave analysis and should be applied according to the package and timeframe involved, rather than as a generic conclusion that every environment has suffered the same level of compromise.

Shatoshi Pick