Supply chain attacks in the JavaScript ecosystem exploit multiple vulnerabilities including pull_request_target misconfigurations, GitHub Actions cache poisoning, and OIDC signature abuse to compromise popular packages like TanStack and Mistral AI, with attackers using encrypted malware, dead man's switches, and credential sharing to maximize damage and maintain persistence.
Deep Dive
Shai-Hulud is Back: TanStack & Mistral AI Breach by TeamPCP Mini Worm
Hello everyone and welcome to another episode of bad dependencies. I am here and joined by researcher extraordinaire.
I haven't said that in a long time, but Charlie Eriksen. Charlie, how you doing?
>> Uh, I am alive and, yeah, that's about as good as we'll go for today, I think.
>> The ironic thing is that every time you come on to this podcast is like where the big breach or like where the big attack is happening. So it's like every time it's kind of like you're stressed, you haven't slept much, you're kind of going through it. So I feel like the view is Charlie's really nice. He's a lot of fun. He's a lot of fun, too.
But it just happens to be that when we talk to each other in this setting, it's usually not the greatest of of situations.
>> It it it either means we need to do more episodes of this podcast or we should not be doing episodes at all. I don't know which one it is.
>> Well, we're here. Uh, we do have new thingies to talk about.
>> We have new little wormy friends coming out. Worms are the latest trend at the moment. So, do you know what? I'm going to uh I'm going to shut up for for a little bit. I'm going to hand it over to you and maybe if you just give us a rundown. What's going on with our threat actor friends over there and uh what's what's the latest?
>> Yeah. So, when you say worms, I was like, "Oh, wait." Actually, I think it was Sunday evening or was it Monday evening? I found like a little wormy friend. Somebody was putting up like a little test package. It was a Rust-based worm. Didn't really spread. And I wake up this morning. Yeah. So, it was yesterday night. And I wake up to the news of TeamPCP having compromised uh TanStack and some other big packages.
And uh yeah, that that's been a a busy day.
>> So let's start with how do we like I I always kind of want to start with like how how was the packages compromised?
And it's typically pretty much the same old story, but just for new listeners for that, what do we think has happened here? How did they gain access into this package?
>> So it was unfortunately our good old friend the pull request target workflow.
Uh so a pwn request. Uh they were able to, the evidence we have was that already two days ago they were testing out how they're going to exploit this and then last night uh they pulled the trigger and compromised all the packages through this pull request target combined with a cache poisoning vulnerability uh that they leveraged to basically compromise and get the credentials for TanStack.
>> Is is this inside GitHub actions?
>> This is inside GitHub Actions. Yeah. And they even so they actually in this version of the payload they also had a list of the packages they were going to compromise and some magic to do the OIDC signature store all that kind of uh trusted publishing stuff to go through the official pipeline.
>> Why why is this package a particularly big deal? What ecosystems does it kind of does it does it play in and kind of how how popular with it and and who are the people that use it?
>> Um, TanStack is one of those uh kind of stacks that are getting really popular, right? You had Angular for a while. You've had React and React sort of based stacks. And I think TanStack is one of those um pieces of the ecosystem that's become really popular. It's one of these like batteries included kind of frameworks or stacks. They've been getting some adoption especially from the AI, right?
They have an AI module and all these kind of things. So, it's a kind of full stack.
Yeah, stack.
Um, yeah. Um, I I personally thought about using it in the past. It looks really cool. So, yeah, it's gotten it's gotten quite popular uh over the last couple of like a little while at least.
>> Then then what happens basically is is this it? It's like, okay, TanStack's compromised.
Malicious versions would move on with a day or has this had some other kind of flow on effects.
>> Yeah, it it has. Right. So, this is a wormy worm. The worm's going to worm.
Um, so there was a bunch of scopes uh that kind of got compromised for this.
And I think the most important one was Mistral AI.
>> Mhm.
>> Um, and what is interesting about that one specifically is that besides the fact that it's Mistral, um, when I looked at the EV like kind of the packages that we have captured from it, it was very clearly community spread and the timeline actually makes it so that you could see that it was one specific developer from their team that was compromised on his local machine and then the package that were published as a result were in the name of another developer on the Mistral team, which means that basically this guy has had the npm credentials for another team member to publish to production, which is kind of interesting.
>> Yeah.
>> Uh but also then a couple of hours later, what we see is TeamPCP uh going in and actually deploying another payload inside of the Mistral uh repos to, uh, steal further credentials. So we uh know that uh these guys now have credentials also for Mistral that they could continue to potentially leverage,
>> right? Okay. So we're probably going to see this moving on. Was was the developer that was compromised from Mistral did that look like it comes from the TanStack compromise like this is a flow a direct flow on from that?
>> So we we don't have any way of telling because these um blobs are now encrypted unlike the original Shai-Hulud, but most likely this is the case, I would think. Uh there are some other packages that could have been, but they're nowhere near as popular. So I I would assume that this is it.
>> Yeah.
>> Yeah.
And I mean if people aren't familiar with the Shai-Hulud, so this is this is a copycat of the original Shai-Hulud worms.
For there was multiple versions but different threat actors that who created the first Shai-Hulud worms and and basically what made Shai-Hulud uh very unique was that it would compromise it the attackers would compromise a package and they would put malware in there with the logic that would enumerate for credentials for secrets and things and then publish them to a git repository using stolen GitHub credentials and that git repository was public and inside that public git repository was all these secrets. They were encoded in Base64, but they were there. They were real secrets. Uh the variation, the mechanism works very similar, but the variation that we're dealing with now is essentially that uh instead of encoding them in Base64, they're actually encrypted. So, this gives us like there's good and bad in that. It gives us researchers like yourself a little bit less visibility into, you know, who exactly has been compromised, what keys were stolen, etc., etc. Um, but it does mean that the kind of public knowledge of secrets is is smaller. I don't know if it's better or worse, to be honest. I think it's all just pretty terrible.
>> Yeah. And also something that happened just like a couple hours ago was actually they decided to open source worm. They put out a GitHub repo, a couple of git repos with the original source code for the worm.
Um, and of course the worm is also slightly different this time. There are some new features and things like that.
We see the return of a dead man switch uh where if anybody was to try to go and uh revoke the uh credentials for GitHub so that you couldn't actually leak their secrets uh it would wipe the machines of the user and they actually install a persistence mechanism that will keep checking and wipe the machine once the exploration mechanism goes away. Uh, we also see a um a probabilistic thing where if your machine is in Israel or Iran, I think it was a one in six chance on execution that would just wipe your machine.
>> Oh god. So, so the threat actors in this latest attack we're trying TeamPCP but otherwise it's getting confusing. So TeamPCP in this case have open sourced the mechanism and source code for their Shai-Hulud worm variant. Is that is that right?
>> Yes.
>> Well that's fun.
>> Yes.
>> Oh good old times. Good old times. And so Mistral has been compromised. Are we seeing this kind of impact now? So typically with these things we're we're we're able to spot GitHub repositories um being created. Are we still seeing new GitHub repositories being created with you know encrypted blobs in them?
Uh has this calmed down? Uh and then what's what do we kind of expect is the motivation behind there. But let's start with are we what's happening now? We is it is it stopped now or is it still ongoing?
>> It hasn't stopped. I mean, there's still a very slow trickle coming through from what I've I've seen, like a couple of an hour. Uh, but it's nowhere near as bad as it could be. And I think that's one of the things that I'm very positive about in this situation. Actually, I think the spread, it's really unfortunate that Mistral of all got hit, right? Because Mistral is really popular.
Uh but we are not seeing anywhere near as much spread as we did with the original Shai-Hulud attacks and I think that's a big uh credit in some way to npm and and GitHub for having actually done a lot to try to reduce the exposure of long-lived tokens but I still think there's a lot more that can be done because the fact that Mistral was hit I think is a is a failure in terms of how we do secrets and tokens and credentials as a part of our infrastructure.
>> And just to kind of dive into what you're talking about with long-lived tokens is you we started this podcast a year ago and um one of the issues uh was that a lot of developers would have these npm tokens where you could publish to npm that just never really expired, right? Or they had super long lifespans.
And this is because they were used in mechanisms, you know, like maybe you had them in your GitHub action or GitHub secrets so that they could push to npm.
So you kind of you didn't want to have to upgrade them all the time or the other various various reasons. But that has been significantly kind of improved on the npm on the npm side. Is that is is that am I remembering correctly?
>> Yes, that's correct. Uh they did a lot of improvements there.
>> Yeah. And that's been great because now when they've stolen these credentials often they're they're they're non-usable. They're expired. Um but not in all cases, right? So it's it's definitely showing that yeah, we're far from from other works. What like when it comes to to these attacks and this latest one, what do you think the uh the motivation is? Now there's obviously financial motivation in here, but how are they extorting companies?
How are they using what they do? I mean, there's some impossible questions to answer cuz we don't know like what's happening. But just in terms of indicators, murmurings you've heard in the in the in the in the quiet realms where you live sometimes, Charlie, what what has what has been going on?
>> So my big understanding is that they are more or less trying to sell or basically take a cut off the gains by selling sharing the credentials and stuff that they get with other groups like kind of the Shiny Lapsus$-like Hunter kind of named groups.
>> Yeah.
>> And Vector and things like that.
>> Yeah. Yeah. So because we did see them teaming up. I thought Lapsus$ had disappeared. Like I thought there was a bunch of teenagers in the UK that got arrested. I was like, "Oh, that's Lapsus$ done." Now they have like they've reappeared recently. So another like that's I thought they would just be consulting for McKinsey or something right at this point out been slapped on the wrist onto onto six figure jobs, but apparently not. Apparently they're still uh still causing havoc.
>> Yep. Uh I mean uh ShinyHunters have been causing a lot of havoc here in the Netherlands for instance, right? They they did Odido uh a little while ago which still sort of in the news a lot uh locally here. I've heard a lot of noise about the whole Canvas thing, Instructure, right? Basically this LLM, LMS um that is used by universities all over the world. It's really caused a lot of uh chaos.
>> Yeah, yeah. So we're, and it kind of touches on a part of this dark ecosystem that you have of selling, you know, access and credentials. Uh because yeah, this is this this this this kind of comes down to like the scary world that we live in where a lot of the times, you know, you may have been impacted by one of these breaches and then nothing kind of happens and you think you get away over it and then two weeks later, you know, you get pinned because the developer token that was stolen from your machine has now been sold to another threat actor with potentially more malicious intent. And you know, there's various different types of threat actors out there. There's some that are craving attention. There's some that are strictly politically motivated. There's some that are financially motivated. There's some that's a little bit of everything, you know, but uh the ones that have the really nasty intent, you know, I I can imagine that access credentials from this, you know, may be very very juicy targets uh for them. So, it can lead into something quite terrifying.
>> Yeah, for sure.
>> So, uh I guess like moving on on onto this, what do you think is going to is going to kind of be the be the outcome uh from this? You know, using the credentials that they have, can we expect to see more little wormy friends pop up in the next couple of of couple of weeks or can we kind of be hopeful that potentially with the actions that GitHub and npm have been doing that you know this may be a reduced impact?
>> I think what we will continue to see I mean it's undeniable that they will have gotten more credentials uh more access from this. I mean this was a really big hit.
>> I think we were maybe a little bit lucky with the timing, right? It happened in a time zone that is like the like the sort of time of day that is like the least active, right? There's very few people that are actually doing development in that time. We can see from all our stats. So, but they have a way of getting into more systems constantly. They have uh I'm sure sitting on a big cache of credentials that they are just taking the time to sift through.
>> Yeah.
>> So, will there be more? Yeah, inevitably there is no reason to believe that they won't.
And we basically are just in a situation where we have to respond to it as quickly as possible, which I I'm very happy to see that we are actually catching these really quickly, right?
We're not in a similar situation as we were like late last year where >> Yeah.
>> getting anything done is taking hours and hours and hours, right? It's it's it's getting handled pretty quickly now.
>> Yeah. Yeah. That that it is. And the average time this this kind of blows my mind about these stats, too. And it goes to show what a fight we're up against because uh you know if you think to yourself, the listeners, if you're listening to this, you think to yourself, how long does a package stay malicious for? So threat actors have just compromised developer tokens and they've put malware into a package and it's on npm. How long until that package gets reverted back? I want you to think for a moment.
Charlie's going to give you the answer in a minute because I don't really know.
I have an idea, but I don't I don't actually know. But have a think like how long do you think that would be? And it's probably not going to be the correct answer. So, Charlie, on average, when we're seeing these kind of high-profile breaches because there may be there may be weird use cases of kind of dependency confusion, vulnerabilities or something, but uh how long do do these stay active for in a high-profile supply chain attack?
>> So, I don't have the exact numbers, but my my gut right now says less than two hours.
>> Oh, that's
>> on average. I think that's that's pretty. Yeah, I think PyPI is a little bit faster on average, but I think what in in the last couple of attacks that we've seen, I think we're talking about a couple hours max
>> and in those couple of hours like the like it's insane the kind of spread that you can have and you can see it, right?
We've already had this big community community spread into other areas.
Perhaps not as big as last year, but still still ginormous. And then when you think about the the fact that um you know a CVE will be created for this in probably a week maybe two weeks like that's when the CVE number is going to pop up. So if you're using an SCA tool and expecting to be saved from this you know like you're off by a matter of like days and days.
>> Uh so it just shows the the speed of which we need to to to react to. Uh and this leads me to a point Charlie. What's some concrete steps that people can do?
Let's say you're an organization, you're using, you know, one of these packages. Um, you're a bit worried for the future. What are some concrete steps that you can put in place um to actually kind of prevent prevent this type of of attack and going through?
>> Yeah, I think the biggest thing that everybody can do is that they need to use uh a package manager that supports things like cooldowns. And I think they basically all of them support it now, right? I think the latest version of um like, uh, npm does it for sure. Uh pnpm has done it for a long time. Bun does it all those kind of things. Uh so definitely use a cooldown as a default on your package manager and set it to like 24 hours, right? If you want to be really paranoid, 48 hours.
>> Uh that's a really big thing. Uh I think the other thing that is becoming more important now we saw this happen a little bit last year with Shai-Hulud some of the original Shai-Hulud um attacks was this use of ex what they're calling exotic dependencies.
So when you have a dependency on npm uh right you're generally referencing an npm package but you can also prefix it for instance with like GitHub, and in that case it points directly at a GitHub repo at a specific commit which you can do this whole uh commit confusion impostor commit kind of thing with also um so we are seeing like the attack yesterday they instead of shipping well I there was some versions that shipped the whole bind like package, but in one of the attacks they basically used an exotic dependency so that you didn't have to put in the full whatever several meg payload into the package and at least pnpm has an ability for you to block exotic dependencies.
Personally, I think it makes no sense for you to allow them like
>> right.
Wow, what a cherry little thing to exotic dependencies where like there is to no end it doesn't amazes me the creativity of this because just when you think you're kind of getting the hang of something you know
>> creativity will always prevail with these types of
>> Absolutely.
>> Yeah. Yeah.
>> Yeah. Um, and I'm going to do a quick plug here, otherwise you know, our marketing team will get mad at me, but uh, Aikido Security, we've just released our developer device protection if you want to get on top of that. I'm not going to do plug too much of a plug, but you should check that out if you want to get on top of that. All right, job done.
We still have a job tomorrow, Charlie.
>> Yeah, and I mean to be honest, right, uh, we are doing really cool stuff. Uh, we just added another ecosystem. It starts with H. You can figure out which one it is. Uh I just saw it starting rolling in today. Quite excited about it.
>> Um yeah. Um it's it's there's a lot of good reason to use it. Like uh if you're using an old version of a lot of the package managers, we add it on top.
>> Yeah. Awesome. Awesome. Well, like Charlie, I want to thank you for walking us through this. I'm going to let you go. Uh but uh yeah, I hope you have a little bit of sleep. Um uh and most importantly I hope you have canceled all your holidays for the year because we can't afford to have you away. So other than that which I'm allowing you to sleep for eight hours but like weekends are off.
>> Thank you.
>> I just saw another great researcher that's in this space as well. Rami McCarthy uh who's a who's a who's a great friend. I just I noticed he was allowed to go on a honeymoon recently and there was a bunch of attacks in that period.
So, I don't I don't know who authorized that, but don't even get any ideas, Charlie.
>> No. Yeah. No. I I saw a message from him like when he was on his honeymoon going, "Have fun y'all. I'm on my honeymoon."
They're like, "Damn you. That's It's a good reason to get married, eh?"
>> So, we have strictly no marrying policy at Aikido. No, I'm kidding. I'm kidding.
Anyway, I I actually need to go because I'm rambling now. But, thanks everyone for listening. Make sure you subscribe to the channel. We're going to be doing a whole lot more of these episodes now because we have a whole bunch more researchers doing really cool stuff. So, we're not just gonna be talking about malware. We're gonna be talking about a whole bunch of other cool things. We have an episode coming out about the fact that Google API keys don't really get deleted after you delete them for a certain period of time. So, if you want to learn about that, subscribe to the subscribe to the channel and that'll be the next episode. All right, Charlie.
Thanks for hanging out.











