Menu
Browse

Cyber Incident Victim: UiPath

Date:

May 2026

Location:

Summary

A supply‑chain malware campaign dubbed Mini Shai‑Hulud infiltrated hundreds of open‑source packages, including the UiPath library, by pushing an orphaned commit to a repository fork that abused permissive GitHub Actions workflows to publish a tampered version. The malicious update contained a concealed dependency that delivered a 2.3 MB obfuscated payload executed with the Bun JavaScript runtime, which harvested cloud credentials, SSH keys and local secrets from developer machines and CI runners, then exfiltrated the data via the Session messaging app while persisting in Visual Studio Code and Claude configuration files to survive project opens. Researchers linked the operation to the cloud‑focused group TeamPCP, noting that although the packages carried valid provenance signatures, the underlying pipelines had been hijacked, allowing the malware to spread with limited observed community impact.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 3 techniques
Threat Actor Type Location
1 actor Available to members Available to members

Description

The “Mini Shai‑Hulud” malware campaign was identified in May 2026 as a supply‑chain attack that injected credential‑stealing code into hundreds of open‑source packages across major registries. The attackers used an orphaned commit pushed to a repository fork without a corresponding branch to abuse overly broad permissions in GitHub Actions workflows, which allowed them to trigger an automated release process. A concealed dependency fetched a heavily obfuscated 2.3‑megabyte payload disguised as an initialization module, and upon execution the malware employed the Bun JavaScript runtime to harvest security keys, passwords, SSH files and cloud‑service credentials. The code was designed to target AWS, Google Cloud Platform, Kubernetes and HashiCorp Vault while also scanning the developer’s local machine for secret files used to access corporate systems.

Cyber Incident Image

Once executed, the malware behaved as a self‑propagating worm, publishing copies of itself to compromised projects and spoofing the activity as automated commits originating from the Anthropic Claude bot to evade detection. It also generated a new registry token whose description contained a ransom note threatening a destructive computer wipe if the victim attempted to revoke the compromised access. To maintain persistence, the malware embedded itself into the configuration files of widely used developer tools, notably Visual Studio Code and Anthropic’s Claude Code, ensuring execution whenever a developer opened a project or started an AI coding session. Stolen data was exfiltrated through Session, an anonymous messaging application that routes traffic over a decentralized network, making the theft appear as ordinary encrypted chat traffic.

Among the prominent software libraries compromised were TanStack’s React Router, UiPath and MistralAI, with the React Router package alone accounting for more than twelve million weekly downloads. Security teams responded by pulling all compromised software versions from the affected registries, although investigators found no evidence that registry passwords themselves had been stolen. Experts urged anyone who had downloaded the affected tools on the day of the incident to immediately change all connected cloud, server and developer credentials, including those for Amazon Web Services, Google Cloud and GitHub. Researchers noted that the observed community spread of the malware was very limited, with only isolated instances detected despite the broad distribution of the poisoned packages.

The attack succeeded in bypassing two‑factor authentication because the malicious updates carried cryptographically valid provenance signatures that verified the packages originated from the correct continuous integration pipelines, while the pipelines themselves had been manipulated to authorize the malicious code. The campaign was attributed to TeamPCP, a cloud‑focused cybercriminal group that emerged in late 2025 and specializes in automating supply‑chain attacks and exploiting cloud‑native infrastructure such as Docker and Kubernetes. TeamPCP is also linked to the earlier development of the Shai Hulud malware and is known for disguising exfiltrated data as anonymous messaging traffic and employing aggressive extortion tactics, including threats to erase victims’ computers if they attempt to remove the attackers’ access. The incident underscores a blind spot in current defenses, which validate the origin of updates but do not verify the safety of the code inside those updates.

Sources
Sources available to members
1 source