According to monitoring by Dongcha Beating, a worm named 'Mini Shai-Hulud' (the sandworm from 'Dune') is sweeping through the front-end and AI back-end ecosystems. The attacker TeamPCP hijacked the official release pipeline of TanStack between 3:20 and 3:26 AM (UTC+8) on May 12, pushing 84 malicious versions of 42 official packages to npm, including the widely downloaded `@tanstack/react-router`. The worm subsequently spread to PyPI, with the latest victims including Amazon's `@opensearch-project/opensearch` (npm, 1.3 million weekly downloads), the official Mistral client `mistralai`, and the AI guard tool `guardrails-ai` (both on PyPI). The malicious packages appear identical to legitimate releases. The attackers did not steal any long-term credentials but exploited a GitHub Actions configuration vulnerability to hijack the official pipeline, gaining legitimate temporary release permissions. As a result, the malicious packages received authentic SLSA build source signatures (provenance, a type of anti-counterfeiting label that proves 'the package was indeed produced by the official pipeline'). The developers' previously trusted logic of 'signed = safe' has been completely bypassed. Worse, uninstalling the malicious packages is far from sufficient. Reverse analysis by Socket.dev shows that once the worm is installed, it writes itself into the execution hooks of Claude Code (`.claude/settings.json`) and the task configuration of VS Code (`.vscode/tasks.json`). Even if the malicious packages are deleted, as long as the developer later opens the project directory or wakes up the AI assistant, the malicious code will automatically reactivate. The threshold for triggering on the Python side is even lower: developers don't even need to call any functions; simply `importing` the infected package will silently activate the spying. TeamPCP mockingly posted a message on the spoofed domain `git-tanstack[.]com` saying, 'We have been online stealing credentials for over two hours, but I'm just here to say hello :^)'. The worm continues to self-propagate. Machines that installed the affected packages during the aforementioned window should be treated as compromised: immediately rotate all credentials for AWS, GitHub, npm, SSH, etc., thoroughly check the `.claude/` and `.vscode/` directories, and reinstall from a clean lockfile.
Welcome Back
Click “Sign in” to agree to Cointime’s Terms of Service and acknowledge that Cointime’s Privacy Policy applies to you.
Join CoinTime
Already have an account?
Click “page.Sign up” to agree to Cointime’s <a class="underline" href="#term-of-service">Terms of Service</a> and acknowledge that Cointime’s a class="underline" href="#privacy-policy">Privacy Policy</a> applies to you.
Sign in with email
Sign up with email
Your email
Check your inbox
Click the link we sent to to sign in.
Click the link we sent to to sign up.
Mini Shai-Hulud Worm Affects TanStack, OpenSearch, and Mistral Clients
-
Wechat scan to share
Recommended for you
-
BTC Surpasses $63,000
Market data shows that BTC has surpassed $63,000, currently priced at $63,003.99, with a 24-hour decline of 1.47%. The market is experiencing significant volatility, so please ensure proper risk management. -
BTC Surpasses $63,000
Market data shows that BTC has surpassed $63,000, currently priced at $63,006.88, with a 24-hour decline of 1.52%. The market is highly volatile, so please ensure proper risk management. -
Zuckerberg Directs Meta to Develop Prediction Market Application
On June 24, The New York Times reported that Zuckerberg has instructed Meta to develop a prediction market application. The internal name for the application is 'Arena', which is similar to Polymarket or Kalshi. -
U.S. Senate Passes Resolution Aiming to Limit Trump's War Powers Against Iran
On June 24, the U.S. Senate passed a resolution regarding war powers related to Iran, with 50 votes in favor and 48 against, following a similar approval by the House of Representatives. This marks the first time such a resolution has been approved by both chambers of Congress. The resolution calls for the president to end military actions against Iran without a declaration of war or authorization of force from Congress. However, since this resolution is a joint resolution of Congress, it is not legally binding and does not require the president's signature, thus serving mainly a symbolic purpose. -
AI Smart Terminals Experience Full Explosion
On June 23, according to CCTV Finance, at the fourth Chain Expo, the original "Digital Technology Chain" was upgraded to the "Smart Technology Chain." This change in wording reflects that artificial intelligence is becoming the main character in the industrial chain. A newly established AI zone at the event gathered leading AI companies from both domestic and international markets, showcasing the entire chain from data and computing power to applications. Various AI products were on display, including AI glasses, smart cars with digital chassis, and humanoid robots that can play soccer. CCTV Finance reporters observed that the integration of artificial intelligence into the physical world is transitioning from mobile phones and computers to various new smart terminals. This year, the application of AI agents has also experienced a full explosion. Qian Kun, Senior Vice President of Qualcomm, stated that the empowerment of AI agents is leading to a significant upgrade cycle for existing terminal devices. China's industrial chain is very complete, and through continuous collaboration with Chinese partners, their products can quickly reach the market and gain global acceptance. Liu Xiangwen, Vice President of Alibaba Cloud Intelligence Group, noted that AI has evolved from mere chatting to becoming a productive force. The development of all stacks, whether GPU cloud or CPU, is progressing rapidly, and there is still greater potential ahead. -
U.S. Stock Indices Experience Short-Term Rally
On June 23, the Dow Jones Industrial Average rose by 0.07%; the S&P 500 index narrowed its decline to 0.77%, having previously fallen over 1.5%; the Nasdaq Composite index also reduced its drop to 1.17%, after having been down more than 2.3% at one point. -
Vitalik: Ethereum Foundation Budget Cut by 40%, Shifting to Long-term Fund Model
On June 23, Vitalik Buterin revealed that the Ethereum Foundation (EF) will reduce its budget by approximately 40% this year. According to its previously announced financial management plan, EF is transitioning from a model where it spends about 15% of its remaining funds annually to a model where it will spend about 5% annually after 2030, moving towards a long-term donation-oriented organization. To this end, EF will adjust its multi-client model, relying more on AI-assisted formal verification. The PSE privacy and scalability exploration team will shift from 'exploration' to a focus on building around zero-knowledge proofs. The scale and losses of Devcon events will be reduced, and large projects beyond Ethereum itself will also decrease. EF's institutional work will focus on smaller-scale, replicable CROPS-friendly deployment cases. -
Huo Qigang: In the AI Era, Our Own Judgment is Key
On June 23, according to CCTV Finance, Huo Qigang stated that over the past year, the topic of AI has been overwhelming, shifting from 'not using AI' to 'having to use AI,' making him acutely aware that 'not participating will lead to elimination.' As a father, Huo Qigang candidly expressed the dilemma of whether parents should 'control' or 'assist' when their children use AI. He mentioned that he has already begun to assist with AI in his work, but emphasized that using AI does not mean bypassing the thinking process; one must rely on their own experience, thought, and logical judgment, and cannot simply replicate AI outputs. -
NVIDIA's Market Value Falls Below $500 Billion
On June 23, NVIDIA (NVDA.O) saw its market value drop below $500 billion, with a latest decline of 2.6%. -
U.S. Manufacturing Activity Surges Beyond Expectations, But Factory Employment Falls to Six-Year Low
Driven by companies placing orders in advance to prevent shortages and price increases, U.S. manufacturing activity expanded again in June. However, factory employment fell to a six-year low, primarily due to rising operational costs influenced by conflicts in the Middle East. The preliminary S&P Global Manufacturing PMI for June rose to 55.7 from 55.1 in May, marking the highest level since May 2022, while economists surveyed by Reuters had previously expected the index to drop to 54.8. The increase in the manufacturing PMI, combined with a rise in the services PMI from 50.7 in May to 51.3, contributed to a composite PMI output index increase from 51.5 last month to 52.2. The rebound in the services PMI is partially attributed to the World Cup events jointly hosted by the U.S., Canada, and Mexico.
Daily Must-Read
-
SuperStrike: As AI Takes Over Financial Decision-Making, A New Era of Wealth Creation Begins
-
The largest IPO in history! Panoramic analysis of SpaceX's IPO: trillion dollar valuation, track change, and Musk's trillion dollar net worth
-
The 90 trillion yuan track is officially legalized: the United States opens up perpetual contracts on the blockchain, and encrypted finance completely rewrites the global trading landscape
-
PayStill Enters the Pure PAYS Era: A Value Aggregator Embarking on a New Growth Cycle
-
Bitwise deep review: Cryptocurrency market faces three major structural changes, reverse layout window opens as bear market ends
-
Goldman Sachs makes a heavy judgment: AI supply chain boom spillover, MLCC opens a new cycle of ultra long quantity price until 2030
All Comments