MAL-2026-3594
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@draftauth/client/MAL-2026-3594.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3594
- Published
- 2026-05-12T05:49:00Z
- Modified
- 2026-05-12T07:09:00.206672Z
- Summary
- Malicious code in @draftauth/client (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)
This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor.
The package will steal credentials and then propogate it to every package it has access to. The package also attempts to remain persistent.
- Database specific
{ "iocs": { "domains": [ "git-tanstack.com", "filev2.getsession.org", "api.masscan.cloud", "seed1.getsession.org" ] }, "malicious-packages-origins": [ { "import_time": "2026-05-12T06:23:00.48559Z", "sha256": "5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5", "source": "google-open-source-security", "modified_time": "2026-05-12T06:19:26Z", "versions": [ "0.10.1" ] } ] }- References
-
- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
- https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
- https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
- https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- https://snyk.io/blog/tanstack-npm-packages-compromised/
Affected packages
npm / @draftauth/client
Package
- Name
- @draftauth/client
- View open source insights on deps.dev
- Purl
- pkg:npm/%40draftauth/client