TanStack, Mistral AI and Guardrails AI npm/PyPI Packages Hit by Mini Shai-Hulud - CVE-2026-45321
On May 11, 2026, researchers disclosed the Mini Shai-Hulud wave, a self-replicating supply-chain compromise attributed to the actor TeamPCP and tracked as CVE-2026-45321 (advisory GHSA-g7cv-rxg3-hmpx), rated Critical at CVSS 9.6. This advisory covers what was compromised, why it lands on the agentic-endpoint layer, and how to scope and govern it across your fleet.
What happened
The wave compromised 42 packages in the @tanstack namespace across 84 malicious versions - for example @tanstack/react-router versions 1.169.5 and 1.169.8. The same campaign reached packages published by Mistral AI, Guardrails AI, UiPath, and OpenSearch, totaling more than 170 packages across npm and PyPI with over 518 million cumulative downloads. The full 42-package @tanstack list is enumerated in GHSA-g7cv-rxg3-hmpx.
Each compromised tarball injects an optionalDependencies entry - such as @tanstack/setup - that points to an attacker-controlled GitHub orphan commit. That dependency's package.json declares a prepare lifecycle hook, bun run tanstack_runner.js && exit 1, which runs the payload during install and then deliberately exits non-zero. The intentional failure makes the malicious step look like a broken optional dependency, evading casual review of install logs.
Because the hook invokes the Bun runtime, endpoints with Bun pre-installed are the most exposed. The payload is a credential stealer that targets GitHub Actions OIDC, GitLab and CircleCI CI/CD tokens, AWS IMDSv2, GCP and Azure cloud credentials, Kubernetes service accounts, HashiCorp Vault, and package-registry tokens. Affected versions should be removed and every reachable CI/CD and cloud secret rotated.
Why this is an agentic-endpoint risk
This is a worm-class attack in the same family as the earlier npm credential-stealer wave covered in Shai-Hulud 2: the npm worm credential stealer. What makes Mini Shai-Hulud an agentic-endpoint problem is where it executes: on the same developer workstations, build agents, and CI runners where AI coding agents and their tooling already live. Many of those machines have Bun installed precisely because AI agent frameworks and MCP servers use it.
The eight AI artifact types Anomity inventories - AI agents, MCP servers, extensions, skills, plugins, secrets, hooks, and CLIs - share the endpoint with this install-time payload. The prepare hook runs arbitrary code with the developer's full identity, and the secrets it harvests are the same tokens an AI agent would use to reach cloud APIs, registries, and Kubernetes. A rogue MCP server or CLI dropped during install becomes a persistent foothold that ordinary package scanning does not watch. Inventorying that layer is the visibility gap this advisory addresses - see fleet visibility and how this fits alongside your existing tools in the comparison.
How Anomity surfaces and governs it
Anomity works in three steps against this campaign. First, inventory: it enumerates the AI artifacts on every managed endpoint, including the Bun CLI that the payload depends on and any rogue MCP server or CLI artifact dropped during install. If Bun is present on a machine that does not need it, that alone is a signal worth reviewing in fleet visibility.
Second, allow / deny / log at the hook: on agents that expose a hook - for example Claude Code PreToolUse - Anomity evaluates each tool call before it runs and returns allow, deny, or log. An install-time command that invokes the Bun runtime through a prepare lifecycle hook can be denied before the credential stealer executes, stopping exfiltration at the moment of execution rather than after the tokens are gone. See runtime governance.
Third, a queryable 90-day audit trail: every decision and artifact change is recorded, so after disclosure you can ask which endpoints ran the install, which identities were reachable, and which calls were denied. Anomity collects metadata only, with on-endpoint secret redaction, is SOC 2 Type II, and routes decisions to SIEM, Slack, email, and Jira. Review the audit trail to scope the blast radius and feed rotation work into your existing GRC process; the documentation covers how decisions are routed and retained. Anomity complements your network controls, EDR, DLP, and GRC rather than replacing them.
What to check across your fleet
- Identify every endpoint with the Bun runtime installed - these are the highest-risk machines for this payload.
- Search lockfiles and node_modules for the 42 affected @tanstack versions enumerated in GHSA-g7cv-rxg3-hmpx, including @tanstack/react-router 1.169.5 and 1.169.8.
- Check npm and PyPI installs for the affected Mistral AI, Guardrails AI, UiPath, and OpenSearch packages across the 170+ named in the disclosure.
- Flag any optionalDependencies entry such as @tanstack/setup resolving to a GitHub orphan commit, and any prepare hook that shells out to bun run.
- On any machine that ran an install, rotate GitHub Actions OIDC, GitLab, and CircleCI tokens; AWS IMDSv2, GCP, and Azure credentials; Kubernetes service accounts; HashiCorp Vault secrets; and package-registry publish tokens.
- Inventory MCP servers and CLIs on developer and CI endpoints for artifacts that appeared during the disclosure window.
- Confirm hook-based deny is enabled on agents that expose a hook so install-time tool calls are governed going forward.
Mini Shai-Hulud is one entry in a widening pattern of lifecycle-hook supply-chain attacks. For the broader playbook - how these waves replicate, what to monitor, and how to govern the AI artifact layer they exploit - see the parent guide, AI Supply-Chain Attacks: A Defender's Guide. To inventory the Bun runtime and rogue MCP/CLI artifacts across your endpoints and deny install-time tool calls before exfiltration, request early access.
Frequently asked questions
Which packages and versions are affected by CVE-2026-45321?
The advisory GHSA-g7cv-rxg3-hmpx enumerates 42 @tanstack packages spanning 84 malicious versions, including @tanstack/react-router 1.169.5 and 1.169.8. The same Mini Shai-Hulud wave, attributed to the actor TeamPCP, also reached packages from Mistral AI, Guardrails AI, UiPath, and OpenSearch - more than 170 packages across npm and PyPI with over 518 million cumulative downloads. Remove any affected version, reinstall from a known-good release, and treat any machine that ran an install as compromised. Because the payload activates at install time, simply pinning a clean version after the fact does not undo credential theft that already occurred.
How does the install-time payload work?
A compromised tarball adds an optionalDependencies entry such as @tanstack/setup pointing to an attacker-controlled GitHub orphan commit. That dependency's package.json declares a prepare lifecycle hook (bun run tanstack_runner.js && exit 1) that runs the credential stealer during npm or PyPI install, then deliberately exits non-zero so the failure looks like a normal broken optional dependency. The payload relies on the Bun runtime, so endpoints with Bun pre-installed are most at risk. Anomity inventories the Bun CLI and any rogue artifacts dropped during install, and can deny the install-time tool call on agents that expose a hook before exfiltration runs.
Which secrets does the stealer target, and what should I rotate?
The credential stealer targets GitHub Actions OIDC tokens, GitLab and CircleCI CI/CD tokens, AWS IMDSv2, GCP and Azure cloud credentials, Kubernetes service accounts, HashiCorp Vault, and package-registry tokens. If any affected version was installed on a developer workstation, build agent, or CI runner, rotate every CI/CD and cloud credential reachable from that machine, revoke and reissue registry publish tokens, and cycle Kubernetes service-account tokens. Review your 90-day audit trail to scope which endpoints ran the install and which identities were exposed before deciding the blast radius.
Does Anomity replace my SCA scanner or EDR for this?
No. Anomity complements network controls, EDR, DLP, and GRC rather than replacing them. Software-composition scanners flag the known-bad versions, and EDR watches process behavior; Anomity adds the agentic-endpoint layer by inventorying AI agents, MCP servers, extensions, skills, plugins, secrets, hooks, and CLIs - including the Bun runtime this attack depends on. On agents that expose a hook, such as Claude Code PreToolUse, it returns allow, deny, or log on each tool call before it runs, so an install-time command can be blocked. See how it works and runtime governance.