On May 11 between 19:20 and 19:26 UTC — a six-minute window — 84 malicious npm package artifacts shipped from TanStack's legitimate release pipeline carrying valid SLSA Build Level 3 provenance attestations. Sigstore certificates correctly attested that the packages were built and published by the official release.yml workflow running on refs/heads/main in the TanStack/router repository. Every cryptographic check passed. Every signature verified. And every package was malware.
By end of day, the worm had jumped to 170 packages across npm and PyPI, including the official Mistral AI TypeScript and Python SDKs, the OpenSearch JavaScript client, 65 UiPath packages, and Guardrails AI. Cumulative download volume in the blast radius: 518 million installs. Weekly download exposure: nearly 180 million. The threat group TeamPCP, tracked by StepSecurity and detailed in Snyk's post-incident analysis, encrypted the stolen credentials and exfiltrated them through the Session decentralized messaging network — traffic indistinguishable from encrypted chat telemetry. NIST assigned CVE-2026-45321 with a CVSS 9.6 critical score.
The strategic story matters more than the tactical one. For three years, the entire enterprise supply chain security industry has been telling CISOs that SLSA provenance and Sigstore signatures would solve the SolarWinds problem. As The Hacker News reported, this is the first documented npm worm producing validly attested malicious packages. The attestation framework worked exactly as designed. The packages were genuinely built by the authorized workflow. The workflow itself was the attack surface.
That distinction is the headline. Every enterprise security architecture built on "trust the signature" just inherited a multi-million dollar gap.
What Changed
The TanStack compromise chained three known-but-underestimated GitHub Actions weaknesses into a single end-to-end attack. Snyk's forensic writeup and Wiz's technical breakdown document each stage in detail.
Stage 1 — Pwn Request. An attacker created the fork zblgg/configuration and opened a pull request with a commit authored as claude@users.noreply.github.com — chosen specifically to blend into the noise of legitimate Claude Code commits that TanStack maintainers see every day. The PR triggered the bundle-size.yml workflow, which used the pull_request_target trigger to check out the fork's merge ref. That trigger pattern grants base-repository write context to fork-controlled code. Every security checklist for GitHub Actions has warned about pull_request_target for years. Most enterprises still use it.
Stage 2 — Cache Poisoning. The malicious code dropped a poisoned vite_setup.mjs and saved a 1.1 GB pnpm cache entry at 11:29 UTC using a pre-computed cache key matching the legitimate release pipeline. The cache sat dormant for eight hours. When a maintainer triggered the real release.yml workflow that evening, GitHub's cache system served the poisoned store transparently.
Stage 3 — OIDC Token Extraction. The poisoned cache executed memory-scraping code first documented in the March 2025 tj-actions compromise. It located the Runner.Worker process via /proc/*/cmdline, then read /proc/<pid>/maps and /proc/<pid>/mem to extract the OIDC token from the worker's address space. With that token, the malware published directly to npm — and because the publish event genuinely originated from the authorized workflow, Sigstore issued valid SLSA Build Level 3 attestations.
The payload itself is industrial-grade. A 2.3 MB router_init.js file ran through three obfuscation layers: JavaScript Obfuscator string-array rotation, a Fisher-Yates substitution cipher with PBKDF2-SHA256 at 200,000 iterations, and AES-256-GCM-encrypted blocks requiring the Bun runtime to execute. Credential targets included GitHub Actions secrets, AWS static keys and IMDSv2 metadata, HashiCorp Vault tokens, Kubernetes service accounts, SSH private keys, and — notably for AI shops — ~/.claude/projects/*.jsonl session logs containing the actual code and commands developers ran through Claude Code.
Persistence was equally aggressive. The malware installed hooks in .claude/settings.json (executing on every Claude Code tool event) and .vscode/tasks.json (running on workspace open), plus a system-level gh-token-monitor.service on Linux and matching LaunchAgent on macOS. That daemon polled api.github.com/user every 60 seconds. If it detected the compromised token had been revoked, it executed rm -rf ~/ — a dead-man's switch designed to destroy evidence and inflict business damage on victims who responded to incidents.
The worm then propagated. It queried registry.npmjs.org/-/v1/search?text=maintainer:<username> to enumerate packages owned by victims whose tokens it stole, republishing each with the same router_init.js injection and freshly forged SLSA attestations. That mechanism is how Mistral AI ended up shipping malicious mistralai@2.4.6 packages to PyPI, and how UiPath's 65 enterprise automation packages joined the campaign by the next morning.
Why This Matters
The technical story is interesting. The board-level story is harder.
For CIOs and CISOs. IBM's 2025 Cost of a Data Breach Report put the average supply chain breach at $4.91 million with a 267-day mean lifecycle — the longest of any breach vector tracked. Verizon's 2025 DBIR reported third-party-involved breaches doubled year over year, from 15% to 30% of all incidents. Sonatype's 2026 State of the Software Supply Chain Report identified 1.23 million cumulative malicious open source packages across npm, PyPI, Maven, NuGet, and Hugging Face, with 454,600+ newly identified in 2025 — a 75% year-over-year jump. The trajectory was already vertical before TeamPCP demonstrated SLSA bypass. Cybersecurity Ventures now projects the global cost of supply chain attacks will hit $138 billion by 2031, up from $60 billion in 2025.
For CFOs. The Mistral AI line item makes the financial argument concrete. TeamPCP listed 5 GB of stolen source code across 450 repositories for $25,000 — the entire training, fine-tuning, benchmarking, model delivery, and inference pipeline of Europe's flagship sovereign AI company, advertised for sale per safestate.com, with a threat to leak everything publicly if no buyer surfaced within a week. The unit economics of compromise are now 1:200,000 against attacker cost — a $25K ask against tens of billions in Mistral's valuation impact and competitive position.
For Boards. OpenAI's response timeline is the case study. The company confirmed via Rescana's incident report that ChatGPT Desktop, Codex App, Codex CLI, and Atlas were affected because code-signing certificates lived in internal repositories accessible from two compromised employee devices. OpenAI isolated systems, rotated credentials, and announced that macOS code-signing certificates issued before May 22 will be revoked on June 12, 2026. Every customer running an OpenAI macOS app must reinstall before that date or the operating system will refuse to launch the binary. Enterprises with managed Mac fleets now have a hard deadline driven by a vendor incident they didn't cause.
Architecturally. The deeper problem is that SLSA provenance attests that a package was built by a specific repository's GitHub Actions run. It does not attest that the workflow was authorized to run. Every enterprise vendor risk program, every procurement checklist, every SBOM workflow that treats a valid Sigstore signature as a green light just got an asterisk attached. The fix is not abandoning provenance — provenance still catches the dumb attacks. The fix is acknowledging that signing alone never solved the supply chain trust problem, and behavioral controls have to sit alongside attestation.
Market Context
This is the fifth wave of Shai-Hulud-family malware in eight months, according to Bank Info Security's reporting. The earlier campaigns hit the European Commission's Europa.eu hub — 90 GB of sensitive data exfiltrated through a Trivy compromise — and continue to recycle infrastructure across attacks. The release of the worm's source code on GitHub means lower-skill attackers are now forking and modifying it, which is the dynamic that historically turned single incidents into commodity threat patterns.
Defenders are responding, but spending lags the threat. Gartner's 2026 forecast puts worldwide information security spending at $240 billion in 2026, up 12.5% year over year, with Forrester's Security Planning 2026 Budget Guide identifying software supply chain trust, third-party assurance, and AI governance as the fastest-growing line items. Software now commands ~40% of enterprise security budgets. The Forrester analysts flag that 91% of enterprises experienced a supply chain incident in the prior year and 54% of organizations rank supply chain vulnerabilities as their top ecosystem risk — both numbers are pre-TeamPCP.
The vendor ecosystem is consolidating in response. Cloudsmith raised a $72M Series C for AI-aware artifact management. JetStream — founded by CrowdStrike's former chief product officer Raj Rajamani — emerged from stealth in March with $34M to govern AI agent behavior at runtime, with the explicit positioning that signing-based assurances are insufficient. The CrowdStrike Falcon Fund, Wiz CEO Assaf Rappaport, and Okta vice chairman Frederic Kerrest all wrote checks. The pattern is consistent: the incumbents who built signing infrastructure are now also funding the behavioral-controls layer that has to sit on top of it.
Analyst language has shifted accordingly. Gartner's Q1 2026 CISO Playbook for Commercial Software Risk moved "build pipeline integrity" from a secondary control to a primary one. Forrester now characterizes 2026 as "the year of CISO fiscal accountability" — meaning the budget exists, but quantified risk reduction has to follow each dollar.
Framework #1: Supply Chain Security Maturity Assessment (25-Point Scale)
The fastest way to know whether your organization survives the next TeamPCP-style attack is to score yourself across five dimensions, one to five points each. Total 25. Most enterprises score between 8 and 14 today — and the gap from a 14 to a 20 is the gap between "you take a $4.91M loss" and "you contain the blast radius."
| Dimension | 1 Point | 3 Points | 5 Points |
|---|---|---|---|
| Dependency Hygiene | Lockfiles only | Lockfiles + automated vuln scans | Lockfiles + scans + 7-day release-age cooldown enforced across npm/PyPI/Maven |
| CI/CD Pipeline Integrity | Static secrets in CI | OIDC + short-lived credentials | OIDC + dependency-locked actions + pinned commit SHAs + scoped secrets |
| Behavioral Detection | Antivirus on endpoints | EDR + SBOM generation | Runtime install-time behavioral analysis (Snyk, StepSecurity, Aikido, Phylum) |
| Workflow Surface Hardening | pull_request_target used freely |
Restricted to maintainers | pull_request_target banned; cache writes audited; ephemeral runners |
| Incident & Recovery Readiness | Documented runbook | Quarterly tabletop drills | Tested kill-switch detection; pre-staged credential rotation playbook |
Scoring:
- 5–9 (Critical Exposure): A campaign like TeamPCP would compromise you with high probability. Your average breach cost is on the high end of IBM's $4.91M figure. Prioritize Stage 1–4 of the roadmap in Framework #2 over the next 90 days.
- 10–14 (Low Maturity): You'd survive a generic worm but lose to a targeted attack. Most regulated industries land here despite SOC 2 / ISO 27001 attestations. Focus on behavioral detection and pipeline hardening.
- 15–19 (Medium Maturity): You catch most incidents inside 30 days. You still don't catch SLSA-attested malware in real time. Invest in runtime behavioral monitoring and
pull_request_targetelimination. - 20–25 (High Maturity): You operate at the level of major financial services and frontier AI labs. The attacker has to spend six figures of zero-day budget to get through. TeamPCP's tactics would be detected at Stage 2.
Why this scoring scale works. It maps directly to controls that survived TeamPCP. TanStack's release pipeline scored ~12 — strong dependency hygiene, weak workflow surface and behavioral detection. OpenAI's response — comprehensive certificate rotation in under 72 hours — reflects a ~22 score on Recovery Readiness. The dimensions are the ones the incident actually exercised.
Framework #2: 8-Week Supply Chain Hardening Roadmap
Most CISOs already have budget. The bottleneck is sequencing. The roadmap below assumes a moderate-size enterprise engineering org (200–2,000 developers) and a $1.5–3M incremental hardening budget over the next two quarters.
Weeks 1–2: Audit & Inventory
- Generate a complete SBOM for production services covering npm, PyPI, Maven, NuGet, and container images. Tooling: Syft, Sonatype Nexus, or Snyk Open Source.
- Search lockfiles for known-bad versions from this campaign (
@tanstack/react-router@1.169.5,@tanstack/react-router@1.169.8,mistralai@2.4.6,guardrails-ai@0.10.1, the 65 affected UiPath packages). - Inventory every GitHub Actions workflow using
pull_request_target. Most large enterprises find 200–600. Flag every one that runs against forks. - Deliverable: Exposure report with quantified count of affected services and unhardened workflows. Present to the CISO and Audit Committee.
Weeks 3–4: Pipeline Hardening
- Migrate static cloud credentials in CI to OIDC with short-lived tokens. AWS, GCP, Azure all support this. Stops 80% of historical attack payloads cold.
- Pin every third-party GitHub Action to a specific commit SHA, not a tag. Tags can be retroactively moved (the tj-actions/changed-files attack of March 2025 weaponized exactly this).
- Implement GitHub Actions Dependency Locking (the new
dependencies:block in workflow YAML) for every release pipeline. - Eliminate or heavily restrict
pull_request_target. For PRs from forks, require a maintainer label before any privileged workflow runs.
Weeks 5–6: Detection & Monitoring
- Deploy behavioral analysis at install time for npm/PyPI/Maven. Vendor options: Snyk, StepSecurity, Aikido, Phylum, Socket. Cost: typically $30–80 per developer per year.
- Implement DNS-level blocking for known C2 domains (
*.getsession.orgfor Session traffic,api.masscan.cloud, typosquats likegit-tanstack.com). Modern SASE / Secure Web Gateway products handle this if rule lists are kept current. - Hook into your endpoint EDR for IDE persistence detection — specifically, monitor writes to
.claude/settings.jsonand.vscode/tasks.jsonfrom non-developer processes. - Stand up a runtime behavioral observability layer for AI agent activity (JetStream, Lasso, or Mend AI). The TeamPCP campaign specifically targeted
~/.claude/projects/*.jsonl— agent telemetry now belongs in the SOC's scope.
Weeks 7–8: Governance & Drills
- Update procurement and vendor risk processes: SLSA Level 3 provenance is necessary but not sufficient. Require behavioral attestation, install-time scanning, and a documented breach response timeline (the OpenAI 72-hour response is now the benchmark).
- Run a tabletop exercise: "A package in our production dependency graph was just published with valid SLSA provenance and malicious behavior. Walk us through the next 24 hours." Most teams discover they cannot identify the affected service inside four hours. Fix that.
- Build a kill-switch detection playbook. Before revoking any potentially-compromised GitHub PAT or npm token, security teams must check for
gh-token-monitor.service(Linux) and the equivalent LaunchAgent (macOS) on developer endpoints. Revoking the token without disabling the watchdog first will executerm -rf ~/on the developer's machine. This is not theoretical — TeamPCP shipped this functionality in every payload. - Quarterly external red team exercise specifically scoped to the build pipeline, not just the production environment.
Success criteria. By Week 8, you should be able to answer four questions in under 30 minutes: (1) Which production services would be affected if package X were compromised today? (2) Which workflows could publish to package registries on our behalf? (3) Which developer endpoints have IDE persistence hooks installed? (4) What is the credential rotation playbook for our top 10 third-party dependencies?
Case Study: How a Top-5 Bank Caught TeamPCP at Stage 2
A North American Tier 1 bank (publicly anonymized in the StepSecurity write-up but identifiable from disclosed details) had migrated its CI/CD pipelines to OIDC in 2025 and added runtime install-time behavioral analysis from a then-startup vendor in Q1 2026. Total incremental cost of the program: approximately $2.4 million across two fiscal years, including platform licenses and three new engineers in the AppSec organization.
On May 11, the bank's developer workstations began pulling @tanstack/react-router@1.169.5 as part of an ongoing migration. The behavioral analysis flagged the router_init.js payload's PBKDF2 string-array decoder as anomalous during the npm install lifecycle hook — specifically, the entropy profile of the obfuscation layer matched no known package in the vendor's labeled training set. Install was blocked. The bank's AppSec team notified the registry mirror to quarantine the version, paged the maintainer-side incident channel, and pushed an organization-wide block rule across the global engineering org within 47 minutes of first detection.
Zero developer endpoints were compromised. Zero secrets were exfiltrated. The bank's response cost was three engineering days and the existing license fee. Compare that against IBM's $4.91M average supply chain breach cost — the program paid for itself roughly 200 times over against this single incident, with the same controls available to detect the next four waves.
The transferable lesson: the bank didn't rely on SLSA signatures, the npm advisory database, or vendor disclosure — all of which were silent at the moment of detection. They relied on behavior. The malicious package behaved differently from its predecessors at install time. That signal was available 17 minutes before any public IoC, 4 hours before Snyk's advisory, and ~38 hours before Mistral confirmed compromise.
What to Do About It
For CISOs (this week). Run the Framework #1 assessment with your AppSec lead. Walk through the kill-switch detection playbook — your token revocation runbook is probably wrong. Brief the audit committee on SLSA's now-documented limitations before they read it in a regulator letter.
For CFOs. The math has changed. Vendor risk capitalized on signature-based assurance is now under-reserved. The right comparison for the next budget cycle is not "are we spending the industry average?" but "what is our Annualized Loss Expectancy if a SLSA-signed package in our top 50 dependencies is poisoned?" Most enterprises will find that number is now well north of $5M.
For CIOs. Frame the conversation in build pipeline terms, not security terms. Engineering leadership owns most of the controls that survived TeamPCP — OIDC migration, action pinning, ephemeral runners, IDE policy. Make the SLSA bypass part of the engineering excellence narrative, not just the AppSec narrative. The fix is engineering hygiene, and engineering should own it.
For Boards. Ask one question at the next quarterly review: "If a critical npm or PyPI package in our production graph were poisoned today with valid SLSA provenance, how would we know, and how fast?" If the answer takes more than two sentences, the program isn't ready.
