UPDATE: Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions)

UPDATE (originally covered 2026-05-10): Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across @tanstack/* (42 packages including @tanstack/react-router at ~12M weekly downloads), @uipath/* (60+ packages), @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/* and @tallyui/*, plus two PyPI packages (StepSecurity analysis, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12; NCSC-CH Security Hub #12558, 2026-05-12).

The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (voicproducoes, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a pull_request_target workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from /proc/<pid>/mem, and the worm used npm's token-exchange endpoint to publish trojanised package versions with valid SLSA Build Level 3 provenance attestations. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step.

Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review package-lock.json / pnpm-lock.yaml in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — token revocation triggers the worm's gh-token-monitor dead-man's switch that executes rm -rf ~/ on the affected workstation. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain, T1552.001 Unsecured Credentials: Credentials in Files, T1078.004 Cloud Accounts.