How Hackers Hijacked OpenAI via TanStack: Mini Shai-Hulud’s CI/CD Nightmare + Video

Listen to this Post

Featured Image

Introduction:

The software supply chain has entered a new era of deception, as attackers no longer steal credentials — they hijack the very trust built into modern development pipelines. The recent “Mini Shai-Hulud” campaign, which compromised OpenAI employee devices and hundreds of npm packages, marks the first documented case where a malicious worm generated valid SLSA Build Level 3 provenance, making infected packages indistinguishable from legitimate releases. This incident shatters the assumption that signed and verified code is safe code.

Learning Objectives:

  • Understand the three-stage CI/CD kill chain used in the Mini Shai-Hulud attack.
  • Identify Indicators of Compromise (IoCs) associated with the TanStack breach.
  • Implement defensive measures against supply chain attacks in GitHub Actions.

You Should Know:

1. How Attackers Weaponized GitHub Actions Trust

The attack against TanStack, which then spread to OpenAI and other major organizations, did not rely on stolen npm credentials. Instead, the attacker exploited a dangerous chain of misconfigurations within the project’s own CI/CD pipeline. The process, executed in just six minutes on May 11, 2026, proceeded as follows:

Step‑by‑step guide explaining what this does and how to use it.

  • Step 1: “Pwn Request” via pull_request_target: The attacker opened a pull request titled “WIP: simplify history build” containing malicious code. GitHub’s `pull_request_target` trigger executes code from a fork within the base repository’s trusted context, granting the forked code access to repository secrets.
  • Step 2: Cache Poisoning Across Trust Boundaries: The forked code poisoned the GitHub Actions cache with a 1.1 GB entry keyed to match the legitimate release workflow. Because `actions/cache@v5` uses a runner-internal token for cache saves, standard permission restrictions (contents: read) do not prevent cache mutation.
  • Step 3: OIDC Token Extraction: When the legitimate `release.yml` workflow ran, it restored the poisoned cache. The injected code read the runner’s process memory via `/proc//mem` and extracted the ambient OpenID Connect (OIDC) token.
  • Step 4: Legitimate Publishing with Malicious Code: Using the stolen OIDC token, the attacker published 84 malicious versions across 42 TanStack packages, all signed as `[email protected]` — indistinguishable from legitimate releases.

Linux Command to Check for Potential OIDC Token Exposure:

 Check runner process memory patterns (forensic analysis)
sudo grep -r "isSecret.true" /proc//mem 2>/dev/null | head -20

2. Detecting Malicious npm Packages with IoC Scanners

After the malicious versions were published, detecting infection became critical. The malware manifests through specific filenames and behaviors. A clean result from these scanners does not prove a host is uncompromised, but they provide a crucial first line of defense.

Step‑by‑step guide explaining what this does and how to use it.

  • Step 1: Use the TanStack Mini Shai-Hulud IOC Scanner (Bash script): This scanner checks for known suspicious files, dependency indicators, persistence artifacts, and running processes associated with the campaign.
    chmod +x scan.sh
    ./scan.sh
    Exit code 0: no IOCs found; Exit code 1: IOCs found
    
  • Step 2: Run the Universal `supply-chain-attack` Scanner (Node.js): This tool scans local package-manager state, including global installs, caches, and Python environments, against an embedded offline snapshot of known malicious packages.
    npx supply-chain-attack
    The CLI prints a verdict and exits non-zero if a risky package is found
    
  • Step 3: Scan Your Environment for IoCs:
  • Known malicious filenames: router_init.js, router_runtime.js, tanstack_runner.js, gh-token-monitor.sh, `setup.mjs`
    – Suspicious dependency strings: @tanstack/setup, `github:tanstack/router`
    – Process names: gh-token-monitor, router_, `tanstack_runner`

Windows Command to Check for Malicious Processes:

Get-Process | Where-Object { $_.ProcessName -match "router|tanstack|gh-token" }
  1. Incident Response: Rotating Credentials in a Compromised Environment

The Mini Shai-Hulud worm’s payload, a ~2.3 MB obfuscated `router_init.js` script, harvests credentials from AWS IMDS, GCP metadata, Kubernetes service-account tokens, ~/.npmrc, GitHub tokens, and SSH private keys, then exfiltrates them over the Session encrypted messaging network. OpenAI confirmed credential-focused exfiltration activity in internal repositories.

Step‑by‑step guide explaining what this does and how to use it.

  • Step 1: Do NOT Immediately Revoke Credentials While Persistence May Be Active: The malware establishes persistence via Claude Code hooks and VS Code auto-run tasks. Premature revocation can trigger destructive behavior, including home directory deletion attempts.
  • Step 2: Isolate the Host: Disconnect the host from untrusted networks.
  • Step 3: Stop Suspicious Processes and Remove Persistence:
  • Linux/macOS: `pkill -f “gh-token-monitor|router_init|tanstack_runner”`
    – Windows: `taskkill /F /IM node.exe` (if malicious Node.js processes are detected)
  • Step 4: Rotate All Accessible Credentials from a Clean Machine: This includes AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials.
  • Step 5: Reinstall Affected Dependencies from Known-Good Versions:
    Check for compromised versions
    npm list @tanstack/react-router
    Upgrade to a safe version (e.g., 1.114.5 or later)
    npm install @tanstack/react-router@latest
    

4. Hardening CI/CD Pipelines Against Future Attacks

The attack exploited known GitHub Actions design issues, not bugs. Defending against such threats requires proactive reconfiguration. StepSecurity’s Harden-Runner agent, for instance, uses eBPF to monitor every outbound network call, file write, and process execution in CI/CD runners.

Step‑by‑step guide explaining what this does and how to use it.

  • Step 1: Restrict `pull_request_target` Workflows: Replace `pull_request_target` with `pull_request` where possible. If unavoidable, add explicit approval gates.
  • Step 2: Implement Cache Isolation with restriction-keys: Prevent cache poisoning by using unique cache keys that incorporate the pull request author.
  • Step 3: Disable Unnecessary Lifecycle Scripts: Use `npm install –ignore-scripts` to prevent execution of preinstall, install, and `postinstall` hooks during CI.
  • Step 4: Enforce Least Privilege for OIDC Tokens: Limit `id-token: write` permissions to only the specific jobs and workflows that require them.
  • Step 5: Monitor for Cache Poisoning and Memory Scraping: Deploy runtime protection agents that can detect unauthorized memory access patterns.

Example GitHub Actions Workflow Hardening Snippet:

jobs:
build:
permissions:
contents: read  Read-only for most jobs
id-token: none  Disable OIDC unless absolutely required
steps:
- name: Install dependencies safely
run: npm ci --ignore-scripts

5. Understanding the Worm’s Self‑Propagation Mechanism

What makes the Mini Shai-Hulud campaign particularly dangerous is its ability to self-propagate. After execution, the malware enumerates other packages the victim maintains via `registry.npmjs.org/-/v1/search?text=maintainer:` and republishes them with the same injection. This worm-like behavior allows a single compromised developer to spread the attack across entire ecosystems.

Technical Deep Dive:

  • Exfiltration Network: Data is exfiltrated to `filev2.getsession.org` using the Session peer-to-peer messaging network, making blocking by IP/domain the only network mitigation.
  • Fallback Exfiltration: Encrypted data is committed to attacker-controlled repositories under the name `[email protected]` via the GitHub GraphQL API.
  • Persistence: The malware injects two malicious GitHub Actions workflows to serialize repository secrets and upload them to api.masscan.cloud.

What Undercode Say:

  • The Trust Mirage: Valid signatures and provenance attestations no longer guarantee safety. Attackers have weaponized the very mechanisms designed to secure the software supply chain, shifting the trust boundary from “signed = safe” to “signing pipeline integrity = safe.”
  • CI/CD Is the New Perimeter: Defenders must treat CI/CD pipelines as high-value targets requiring runtime protection, not just pre-commit checks. The Mini Shai-Hulud attack succeeded by exploiting implicit trust in GitHub Actions’ design, not by cracking passwords or stealing static API keys.

Prediction:

The public open‑sourcing of the Shai-Hulud code by TeamPCP has dramatically lowered the barrier for copycat attacks. In the coming months, expect a surge in supply chain attacks that leverage OIDC token extraction and valid provenance attestations. Organizations that fail to implement runtime protection and cache isolation in their CI/CD pipelines will face repeated, undetectable compromises. The era of “trust the build system” is over — the build system itself is now the battlefield.

▶️ Related Video (88% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky