Supply Chain Attack Poisons 172 Packages with Valid Provenance
A supply chain attack dubbed Shai-Hulud compromised 172 npm and PyPI packages across 403 malicious versions starting May 11, affecting over 518 million cumulative downloads. The worm exploits a chain of three vulnerabilities in TanStack's CI/CD pipeline to publish packages with valid SLSA Build Level 3 provenance attestations, then installs persistence mechanisms that survive package removal and steal credentials from over 100 file paths, including AI agent configurations and password managers. The attack demonstrates that provenance signatures and 2FA alone do not prevent compromise if OIDC scope is misconfigured to trust an entire repository rather than specific workflows.
TL;DR
- →172 npm and PyPI packages poisoned with valid provenance signatures starting May 11, affecting 518 million cumulative downloads including @tanstack/react-router at 12.7 million weekly downloads
- →Worm harvests credentials from AWS keys, SSH keys, npm tokens, GitHub PATs, password managers (1Password, Bitwarden), AI agent configs, and cryptocurrency wallets, then installs persistence in project files and system daemons that survive package removal
- →Attack chains three vulnerabilities: fork-based code execution via pull_request_target, poisoned GitHub Actions cache, and overly broad OIDC scope that trusts entire repository instead of specific workflows, enabling direct registry POST with valid tokens
- →PyPI variant executes on import rather than install, bypassing npm mitigations like lockfile enforcement and --ignore-scripts flag, with mistralai package v2.4.6 downloading payloads disguised as Hugging Face Transformers
Why it matters
This attack exposes a critical gap in the security model for AI development tools and agent infrastructure. The compromise of AI agent configurations and MCP server tokens means attackers can hijack Claude, Kiro, and other AI agents to access external services and data. The persistence mechanisms that survive package removal and the ability to extract secrets from CI runner memory demonstrate that current supply chain defenses, including provenance attestations and 2FA, create a false sense of security when OIDC scope is misconfigured.
Business relevance
Development teams using affected packages face immediate credential compromise across their entire infrastructure, including cloud accounts, container registries, and AI service integrations. The three-hour window before detection and the cross-platform nature of the attack (npm to PyPI within hours) mean many organizations likely have compromised credentials in production systems. Operators must assume any development environment that touched these packages is potentially compromised and treat credential rotation as urgent, not optional.
Key implications
- →OIDC trusted publishing and provenance attestations provide no protection against repository-level compromise if OIDC scope is not restricted to specific workflows on specific branches, making scope configuration the actual security control that matters
- →AI agent configurations and MCP server tokens are now high-value targets for supply chain attacks, requiring separate credential management and monitoring for AI-specific attack surface
- →Python import-time execution bypasses npm-specific mitigations like lockfile enforcement and --ignore-scripts, requiring language-specific defenses and runtime monitoring across polyglot development environments
- →Persistence mechanisms installed outside node_modules and package directories survive standard remediation, necessitating full system audits and reimaging rather than simple package removal
What to watch
Monitor for updates to OIDC configuration best practices and tooling that enforce workflow-level scope restrictions rather than repository-level trust. Watch for similar attacks targeting other high-download packages in npm and PyPI ecosystems, particularly those used in AI development pipelines. Track whether package registries implement additional runtime checks or sandboxing for packages with valid provenance to catch poisoned builds before they reach developers.
vff Briefing
Weekly signal. No noise. Built for founders, operators, and AI-curious professionals.
No spam. Unsubscribe any time.
