Mini Shai-Hulud worm publishes 84 malicious npm packages in 6 minutes — release.yml pull_request_target misconfig + GitHub Actions cache poisoning
A self-propagating worm called Mini Shai-Hulud published 84 malicious package versions across 42 @tanstack/* npm packages in six minutes on May 11, exploiting a pull_request_target misconfiguration in release.yml plus GitHub Actions cache poisoning. It is the fourth AI-relevant supply-chain attack in 50 days targeting the open-source release pipeline that downstream AI tools build on.
The exploit chain is the news. pull_request_target is the GitHub Actions trigger that runs in the context of the base repository (with write permissions) instead of the fork — which means a malicious PR can execute against the maintainer's secrets if the workflow is misconfigured. The worm used that primitive to poison the Actions cache, then propagated by injecting itself into subsequent publish flows that read the same cache. Six-minute time-to-84-packages is what makes it a worm rather than an incident.
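As an added illustration (constructed here, not TanStack's release.yml and not code from the article), the workflow shape that exposes this class of bug, followed by a hardened release workflow; workflow, environment and secret names are placeholders:

```yaml
# --- VULNERABLE shape (hypothetical "pwn request" workflow, constructed for illustration) ---
name: release-preview
on:
  pull_request_target:       # runs in the BASE repo context: secrets and a write-capable token
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the fork's untrusted commit
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm             # saved under the base-branch cache scope, restored by later runs there
      - run: npm ci              # runs the fork's lifecycle scripts with the privileged token
      - run: npm run build
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # placeholder secret name
---
# --- HARDENED shape: publish only from trusted refs, least privilege, no shared cache ---
name: release
on:
  push:
    tags: ['v*']               # never publish from a PR-driven trigger
permissions:
  contents: read               # default token is read-only
  id-token: write              # only what npm provenance needs
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release   # placeholder; gate the publish secret behind required reviewers
    steps:
      - uses: actions/checkout@v4   # checks out the pushed tag, never a PR head ref
      - uses: actions/setup-node@v4
        with:
          node-version: 20       # no `cache:` here, so nothing a lower-trust run wrote is restored
      - run: npm ci --ignore-scripts
      - run: npm run build
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # placeholder secret name
```

Untrusted PR code belongs in a separate workflow on the plain `pull_request` trigger, where a fork's run gets a read-only token and no repository secrets.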
The defensive surface that wasn't covered: every red team running 2026 frontier-model evals tests for prompt-injection and model-extraction attacks. Almost none of them test the release pipeline the model rolls out through. The OpenAI-Anthropic joint evaluation results published last summer caught deceptive behavior at 0.17% with 92% accuracy — impressive on the prompt surface, irrelevant for the build surface. The next year's eval taxonomy needs to cover supply-chain attacks, not just user-facing prompt attacks.
Sources: VentureBeat, "Four AI supply-chain attacks in 50 days"; VentureBeat, "Anthropic vs OpenAI red teaming methods"; Alignment Anthropic, "Anthropic-OpenAI alignment evaluation findings".