Between 19:20 and 19:26 UTC on May 11, 2026, a threat actor known as TeamPCP pushed 84 malicious package versions across 42 packages in the @tanstack namespace using TanStack's own legitimate release pipeline. The attacker never needed to steal a password. They extracted the publishing token directly from the GitHub Actions runner's process memory at runtime—reading /proc/*/mem mid-workflow—and used it to publish malware signed with valid SLSA Build Level 3 provenance attestation. That last part is not a typo. For the first time in documented history, a malicious npm package carried a cryptographic certificate from Sigstore verifying its legitimacy. The tool designed to restore trust was weaponized to launder it.
How the Attack Chain Worked
The operation began May 10 when the attacker forked TanStack/router as 'zblgg/configuration'—a name chosen specifically to avoid fork-list searches. A malicious commit prefixed with [skip ci] impersonated the Anthropic Claude GitHub App, authored as claude claude@users.noreply.github.com. When a pull_request_target workflow ran on this PR, it executed attacker-controlled code that injected a poisoned pnpm store into the GitHub Actions cache. The legitimate maintainer later merged their own PR to main, which triggered the release workflow and restored the contaminated cache. At 19:20 UTC, with valid OIDC credentials now extracted from runner memory via direct /proc filesystem access, publishing commenced. By 19:26 it was complete. TanStack/react-router alone has 12.7 million weekly downloads.
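The chain above turns on one CI misconfiguration: a workflow triggered by pull_request_target (which runs with the base repository's permissions) that checks out the pull request's head and then writes to the shared Actions cache, which the base branch's release workflow later restores. The following scanner, an added example and not TanStack's or GitHub's own tooling, flags that combination in workflow files with line-oriented heuristics rather than a full YAML parser. Both workflow texts are constructed for the example; the action names (actions/checkout, actions/cache, actions/cache/restore) are real, and the rule ids and risk levels are this example's own.

```python
"""Heuristic scan for the pull_request_target cache-poisoning pattern.
Added example; constructed sample workflows; not a full YAML parser."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line in the workflow file
    rule: str     # rule id (this example's own naming)
    detail: str   # offending text


_TRIGGER = re.compile(r"(^|[\s\[,\-])pull_request_target\b")
_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.")
# actions/cache and actions/cache/save write to the cache; actions/cache/restore does not.
# A bare `cache:` key (e.g. under setup-node) also saves a cache.
_CACHE_WRITER = re.compile(r"uses:\s*actions/cache(/save)?@|^\s*cache:\s*\S")
_INSTALL = re.compile(r"run:.*\b(npm (install|ci|i)|pnpm install|yarn( install)?)\b")
_STEP_START = re.compile(r"^\s*-\s")

# Constructed workflow: PR-controlled code runs with base-branch context and saves a cache.
VULNERABLE = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install
"""

# Constructed hardened variant: plain pull_request trigger, restore-only cache, no lifecycle scripts.
HARDENED = """\
name: pr-checks
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache/restore@v4
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install --frozen-lockfile --ignore-scripts
"""


def scan_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_checkout = False  # True while inside an actions/checkout step
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if _STEP_START.match(line):
            in_checkout = "actions/checkout" in line
        elif "uses:" in line and "actions/checkout" in line:
            in_checkout = True
        if _TRIGGER.search(line):
            findings.append(Finding(n, "pull_request_target-trigger", line.strip()))
        if in_checkout and "ref:" in line and _HEAD_REF.search(line):
            findings.append(Finding(n, "checkout-pr-head", line.strip()))
        if _CACHE_WRITER.search(line):
            findings.append(Finding(n, "cache-writer", line.strip()))
        if _INSTALL.search(line):
            findings.append(Finding(n, "installs-dependencies", line.strip()))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Only the checkout+cache pattern is scored; other pull_request_target
    hazards (script injection from PR titles etc.) are out of scope here."""
    rules = {f.rule for f in findings}
    if "pull_request_target-trigger" not in rules:
        return "none"            # pattern absent: fork PRs run without base-branch secrets
    if "checkout-pr-head" not in rules:
        return "low"             # only base-branch code is executed
    if "cache-writer" in rules:
        return "high-cache-poisoning"  # PR code runs AND can write the base branch's cache
    return "high-untrusted-code"


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = scan_workflow(text)
        print(f"{name}: {risk_level(found)}")
        for f in found:
            print(f"  line {f.line}: {f.rule}: {f.detail}")
```

The hardened variant matters for the cache specifically: a workflow run under the plain pull_request trigger is scoped to the PR, so a cache it saves is not the one a later run on main restores, whereas a pull_request_target run saves into the base branch's scope.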
The Worm Propagated to Mistral AI, UiPath, and Over 170 Packages
The payload's design followed the Dune reference in its name: Shai-Hulud spreads through ecosystems by becoming part of them. Within hours, the infection chain had compromised Mistral AI's official npm SDK, UiPath, Guardrails AI, OpenSearch, and at least 170 packages across both npm and PyPI. Total cumulative downloads exceeded 518 million. The malware exfiltrated stolen credentials through three redundant channels: a typosquat domain (git-tanstack.com), the Session decentralised messenger network, and GitHub API dead drops embedded in commit messages. A persistent daemon polled GitHub every 60 seconds—delete the publishing token and it would execute 'rm -rf ~/' on the compromised system.
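Two of the behaviours in this paragraph are observable from the network side of a build host: a fixed 60-second poll of the GitHub API and any contact with the typosquat domain git-tanstack.com. The detector below, an added example that is not from the original post or any vendor, reads constructed egress log lines (timestamp, source host, destination, port, bytes; the format is this example's assumption) and flags low-jitter periodic connections plus hits on an indicator list.

```python
"""Beaconing and IoC detection over egress logs. Added example; the log
lines and their column layout are constructed for this illustration."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed egress log: the runner polls api.github.com about once a minute
# after its job has finished, and touches the typosquat domain once.
LOG = """\
2026-05-11T19:30:00Z build-runner-07 registry.npmjs.org 443 12801
2026-05-11T19:30:04Z build-runner-07 registry.npmjs.org 443 98113
2026-05-11T19:31:00Z build-runner-07 api.github.com 443 412
2026-05-11T19:31:17Z build-runner-07 registry.npmjs.org 443 4417
2026-05-11T19:32:01Z build-runner-07 api.github.com 443 409
2026-05-11T19:32:59Z build-runner-07 api.github.com 443 415
2026-05-11T19:33:40Z dev-laptop-12 github.com 443 77020
2026-05-11T19:34:00Z build-runner-07 api.github.com 443 411
2026-05-11T19:34:12Z build-runner-07 git-tanstack.com 443 2204
2026-05-11T19:35:01Z build-runner-07 api.github.com 443 408
2026-05-11T19:36:00Z build-runner-07 api.github.com 443 410
2026-05-11T19:41:03Z dev-laptop-12 github.com 443 65001
"""

# Indicator from the post itself; extend from your own threat intel.
IOC_DOMAINS = {"git-tanstack.com"}


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, _size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst))
    return events


def find_beacons(events, min_events: int = 5, max_jitter: float = 0.15) -> list[dict]:
    """Flag (src, dst) pairs whose inter-arrival gaps stay within max_jitter of
    the median gap. Legitimate traffic is bursty; a poller is metronomic."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for when, src, dst in events:
        by_pair[(src, dst)].append(when)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "period_s": period, "count": len(times)})
    return beacons


def find_ioc_hits(events, iocs=IOC_DOMAINS) -> list[tuple[str, str, str]]:
    return [(when.isoformat(), src, dst) for when, src, dst in events if dst.lower() in iocs]


if __name__ == "__main__":
    ev = parse_log(LOG)
    for b in find_beacons(ev):
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['period_s']:.0f}s ({b['count']} hits)")
    for hit in find_ioc_hits(ev):
        print("ioc:", *hit)
```

Polling api.github.com is ordinary for developer machines, so the useful signal is the combination: a build runner, a strict period, and activity after the workflow that justified the host has completed.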
Geopolitical Logic Embedded in Malware
The payload included a one-in-six probability of executing 'rm -rf /' on systems geolocated to Israel or Iran. It also checked for Russian-language system configuration and terminated without exfiltrating data if found. Someone is making geopolitical decisions inside a JavaScript package manager, which raises questions about TeamPCP's actual sponsors that the security community has not yet answered definitively. StepSecurity confirmed Intercom's official Node.js SDK was compromised at 14:41 UTC on May 12—36 hours after the initial TanStack attack—via a hijacked OIDC publishing pipeline harvested from the previous day's victims.
This Campaign Has Been Running Since September 2025
Wave 4 is not an isolated incident. Wave 1 hit chalk, debug, and 16 packages in September 2025 with 2.6 billion weekly downloads via maintainer phishing. Wave 2 introduced the self-propagating worm concept and its dead man's switch architecture in November 2025. Wave 3 compromised security tooling itself—SAP packages, Bitwarden CLI, Aqua Security Trivy, and Checkmarx—in April 2026. Each wave builds on lessons from the last. The npm ecosystem reported 454,648 new malicious packages in 2025 and blocked 120,612 attacks in a single quarter. The average npm project pulls in 79 transitive dependencies that no developer explicitly chose to trust.
SLSA Provenance Was Supposed to Be the Answer
SLSA (Supply-chain Levels for Software Artifacts) Build Level 3 provenance attestation is the current gold standard for supply chain integrity, generated automatically by Sigstore during legitimate builds. The certificate said: this package was built from a trusted source using a trusted pipeline. TeamPCP defeated it not by forging certificates but by compromising the pipeline itself before the build occurred—poisoning the GitHub Actions cache that the release workflow would later restore and trust. This is an architectural vulnerability in how modern CI/CD systems handle caching, one documented since 2024 but not yet patched across most workflows.
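The practical consequence for consumers is worth seeing in code. A provenance statement binds an artifact digest to a repository, a workflow path, a git ref and a builder; a policy check over those fields rejects a build from a fork such as zblgg/configuration, but it passes a build of the real repository's release workflow whose pnpm store came from a poisoned cache, because the restored cache is not among the attested inputs. The checker below is an added example, not npm's, Sigstore's or TanStack's code. It assumes the Sigstore signature over the statement has already been verified (npm audit signatures does that) and works on the decoded in-toto statement. The statement, tarball bytes, organisation name and workflow path are constructed placeholders; the field layout follows the SLSA v1 GitHub Actions build type as published by SLSA, and exact key names should be confirmed against your own attestations.

```python
"""Policy check over an SLSA v1 provenance statement. Added example with a
constructed statement; signature verification is assumed to have happened."""
from __future__ import annotations
import copy
import hashlib
from fnmatch import fnmatch

SLSA_V1 = "https://slsa.dev/provenance/v1"

TARBALL = b"constructed stand-in for example-pkg-1.2.3.tgz\n"  # placeholder bytes

STATEMENT = {  # constructed; placeholder org, commit and workflow path
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example-org/example-pkg@1.2.3",
                 "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/example-org/example-pkg",
                "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/example-pkg@refs/heads/main",
                "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}

POLICY = {  # what this consumer is willing to accept for this package
    "repository": "https://github.com/example-org/example-pkg",
    "workflow_path": ".github/workflows/release.yml",
    "allowed_refs": ["refs/heads/main", "refs/tags/v*"],
    "builders": {"https://github.com/actions/runner/github-hosted"},
}


def _get(d, *path, default=None):
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def check_provenance(statement: dict, tarball: bytes, policy: dict) -> list[str]:
    """Return policy violations; an empty list means the attested build is acceptable."""
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append("unexpected predicateType")
    digest = hashlib.sha512(tarball).hexdigest()
    if not any(_get(s, "digest", "sha512") == digest for s in statement.get("subject", [])):
        problems.append("subject digest does not match tarball")
    wf = _get(statement, "predicate", "buildDefinition", "externalParameters", "workflow", default={})
    if wf.get("repository") != policy["repository"]:
        problems.append(f"repository {wf.get('repository')!r} not allowed")
    if wf.get("path") != policy["workflow_path"]:
        problems.append(f"workflow path {wf.get('path')!r} not allowed")
    if not any(fnmatch(wf.get("ref") or "", pat) for pat in policy["allowed_refs"]):
        problems.append(f"ref {wf.get('ref')!r} not allowed")
    builder = _get(statement, "predicate", "runDetails", "builder", "id")
    if builder not in policy["builders"]:
        problems.append(f"builder {builder!r} not allowed")
    return problems


def attested_inputs(statement: dict) -> list[str]:
    """URIs the provenance vouches for. A restored Actions cache is a
    runner-local input and never appears here."""
    deps = _get(statement, "predicate", "buildDefinition", "resolvedDependencies", default=[])
    return [d.get("uri", "") for d in deps]


def with_workflow(statement: dict, **overrides) -> dict:
    """Copy of the statement with workflow fields replaced (for policy tests)."""
    out = copy.deepcopy(statement)
    out["predicate"]["buildDefinition"]["externalParameters"]["workflow"].update(overrides)
    return out


if __name__ == "__main__":
    print("release build:", check_provenance(STATEMENT, TARBALL, POLICY) or "OK")
    fork = with_workflow(STATEMENT, repository="https://github.com/zblgg/configuration")
    print("fork build:", check_provenance(fork, TARBALL, POLICY))
    print("attested inputs:", attested_inputs(STATEMENT))
```

Run the policy check on every install that consumes provenance, but read attested_inputs as the boundary of what it proves: source at a commit plus the pipeline identity, nothing about what that pipeline pulled from its cache.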
The XZ Utils Precedent Nobody Learned From
The structural problem predates TeamPCP. In February 2024, the XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) shipped in version 5.6.0 with malicious code hidden not in source repositories but in compiled tarballs—code that would activate only under specific conditions: Debian or Fedora, systemd linked against the library, x86-64 hardware. The operation ran for two years and three months before Andres Freund noticed SSH authentication was 500 milliseconds slower than normal and investigated out of annoyance. A state-level actor with patience mapped critical Linux infrastructure and found its load-bearing weakness: a burned-out solo maintainer under social pressure.
What Actually Needs to Change
The npm ecosystem is not ungovernable—it is ungoverned, and those are different problems. Security advisories that do not produce workflow changes are documentation of future incidents; GitHub published the pull_request_target cache poisoning attack pattern in 2024, while TanStack was still running it in 2026. The OpenSSF and Linux Foundation have funding mechanisms but lack a reliable dependency graph showing which packages are structurally critical to global software supply chains. The EU Cyber Resilience Act (2024) begins establishing liability for software products but does not yet cover open source maintainers meaningfully. As The Register noted: 'running everyday commands like npm install is unsafe, and software development is now best done in isolated, ephemeral environments.' That is no longer a fringe security opinion.
Key Takeaways
- TeamPCP extracted OIDC tokens directly from GitHub runner process memory (/proc/*/mem), bypassing the need for stolen credentials entirely
- 84 malicious packages carried valid SLSA Build Level 3 provenance attestation, defeating the current gold standard for supply chain integrity
- The attack exploited the pull_request_target workflow vulnerability (documented in 2024) via poisoned GitHub Actions cache injection
- Self-propagating worm architecture has now hit security tooling, AI SDKs, and infrastructure packages across npm and PyPI
The Bottom Line
The open source trust model was designed for a world where defection was individually irrational—where contributing good code was the dominant strategy. TeamPCP, Jia Tan, and every actor in between have proven that assumption wrong at industrial scale. Until funded maintainership, regulatory liability frameworks, and pipeline hardening replace vibes-based security governance, npm install will remain a calculated risk, not a trusted operation.