The TeamPCP threat group has pulled off another big supply chain attack, compromising 170 Node Package Manager (npm) and PyPI packages within a few hours this week.
The attack affected the entire TanStack Router ecosystem (@tanstack) of 42 packages, a routing library hugely popular among React web application developers. Multiple other packages were also affected, including @squawk (87 packages), @uipath (66 packages), @tallyui (30 packages), @beproduct (18 packages), as well as Mistral AI’s SDK suite on both npm and PyPI, and the Guardrails AI PyPI package.
The attacks, noticed by several vendors using automated security tools, happened on May 11, spreading rapidly through package ecosystems thanks to the worm capabilities of the automated Mini Shai-Hulud malware platform, analysis found.
The exact number of package versions caught up in the attack varies depending on the source; according to Aikido Security it was 373 across 169 package namespaces, while SafeDep said the number was 404 package versions across 170 npm packages, with two affecting PyPI.
Dead man’s switch
A striking feature of the attacks is the ease with which TeamPCP, the threat group blamed for them, was able to hijack the projects’ legitimate release pipelines by exploiting a mixture of maintainer misconfigurations and GitHub Actions weaknesses.
Instead of stealing maintainer credentials directly, the attackers exploited a risky trigger, pull_request_target. This allows third-party workflows to run automatically — a way of avoiding maintainer approval fatigue — but means that the maintainer’s short-lived OIDC tokens become vulnerable to scraping.
Armed with these tokens, the attackers were able to compromise the packages by injecting the Mini Shai-Hulud malware, which propagated to other projects.
The purpose is to steal developer credentials such as GitHub and npm tokens, cloud credentials, API keys, Kubernetes service accounts, and SSH keys. Less pleasantly, the malware also installs a destructive ‘dead man’s switch’ monitor which attempts to delete the user’s entire home directory if a developer revokes a stolen GitHub token.
Attacks by TeamPCP targeting software supply chains have become a recurring theme in recent months. This includes a similar compromise in April of the command line version of the Bitwarden password manager. A month earlier it was Aqua Security’s Trivy open-source vulnerability scanner, later revealed to have caused a data breach at the EU’s Europa.eu web hub.
Enterprise prize
According to Abhisek Datta, founder of SafeDep, one of the first vendors to detect the compromise, TeamPCP appeared to have designed the campaign to target US developers.
“They know that high-profile attacks will be detected quickly by the industry. By targeting specific US working hours, they likely want to maximize their return during a short window of opportunity,” he said via email.
“The way the software usage and trust network has evolved, primarily leaning towards implicit trust, is probably the root cause that is being exploited in these attacks. Unfortunately, it’s hard to fix, especially today where developers and software companies expect velocity over everything else.”
Developers could put more security around packages, but this would create added friction, Datta said. “Honestly, I would say this is something the world is still trying to figure out.”
SafeDep has published a full list of affected packages, with indicators of compromise. If any of the compromised packages are in use, recommended actions are to check the lockfile for known compromised versions, pin dependencies to known good versions, and check for evidence of malware files. If an infected version is suspected, credentials in use at the time of import should be rotated.
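The lockfile check recommended above can be scripted. The following is an added example, not code from SafeDep or from the article; the deny-list entries, package names and the sample lockfile are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed deny-list: placeholder names and versions, NOT real indicators.
// Populate it from the vendor's published list of affected package versions.
const COMPROMISED = new Map([
  ["@example-scope/router-core", new Set(["9.9.1", "9.9.2"])],
  ["example-sdk", new Set(["3.0.7"])],
]);

// Derive the package name from a lockfile v2/v3 install path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Return every locked install whose name and exact version are on the deny-list.
function findCompromised(lock, denyList = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if (name && denyList.get(name)?.has(version)) hits.push({ name, version, where });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    // An aliased install records the real package name under "name".
    check(meta.name ?? nameFromPath(path), meta.version, path);
  }
  // lockfileVersion 1 only: nested "dependencies" tree (v2 repeats it, so skip there).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps ?? {})) {
      const where = `${trail}${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, `${where} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout): one direct hit, one nested hit,
// and one aliased install of a version that is not on the deny-list.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-scope/router-core": { version: "9.9.1" },
    "node_modules/left": { version: "1.2.3" },
    "node_modules/left/node_modules/example-sdk": { version: "3.0.7" },
    "node_modules/alias-pkg": { name: "example-sdk", version: "3.0.6" },
  },
};
console.log(findCompromised(sampleLock));
```

To run it against a real project, pass the parsed contents of package-lock.json in place of the sample object. Matching is on exact versions because the lockfile, not the semver range in package.json, records what was actually installed.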
This article first appeared on CSO.