In 2024, the TeamPCP threat group executed a supply chain attack compromising 170 npm and PyPI packages, including key dependencies like the TanStack Router ecosystem and Mistral AI SDK. The attack exploited GitHub Actions misconfigurations to inject the Mini Shai-Hulud malware, which spread through developer environments and stole credentials.
This attack was not due to a zero-day exploit but rather configuration weaknesses in GitHub Actions, specifically the pull_request_target trigger, which runs workflows with elevated repository permissions.
Attack Overview
- TeamPCP compromised 170 packages across npm and PyPI registries.
- The attack targeted the TanStack Router ecosystem and Mistral AI SDK.
- Mini Shai-Hulud malware was used to maintain persistence and steal credentials.
- The attack exploited the pull_request_target trigger in GitHub Actions workflows.
Failed Security Controls
Workflow Permission Boundaries: The pull_request_target trigger runs the workflow in the context of the base repository, with access to the base repository's secrets and a GITHUB_TOKEN that can carry write permissions. The trigger alone does not execute contributor code; the risk arises when the workflow checks out the pull request's head and then runs it (tests, build scripts, package lifecycle hooks), because at that point an external contributor controls code running with those credentials.
Package Publishing Authentication: The compromised packages reached public registries because:
- Publishing tokens were stored in repository secrets accessible to exploited workflows.
- Multi-factor authentication (MFA) was not enforced on maintainer accounts.
- Automated publishing pipelines lacked approval gates.
Dependency Verification: Downstream consumers installed these packages without verifying the publisher's identity. While npm supports package signing, enforcement is optional.
Lateral Movement Controls: Once Mini Shai-Hulud infected developer environments, it spread to other systems, indicating:
- Lack of network segmentation between development and production environments.
- Insufficient endpoint detection on developer workstations.
- Shared credential stores across multiple systems.
Compliance Standards
PCI DSS v4.0.1 Requirement 6.3.2 mandates secure development practices, including CI/CD pipelines. The pull_request_target misconfiguration violates secure development principles by granting elevated permissions to untrusted code.
NIST 800-53 Rev 5 Control SA-10 requires configuration management during system development. Your GitHub Actions workflows are part of your system development infrastructure and require review, testing, and change control.
ISO/IEC 27001:2022 Control 8.31 addresses environment isolation. Malware spreading from a developer laptop to production systems indicates a failure in maintaining environment boundaries.
NIST CSF v2.0 function PROTECT (PR.DS-6) calls for integrity checking mechanisms to verify software authenticity. Installing packages without verifying cryptographic signatures means trusting the registry infrastructure entirely.
Actionable Steps
Audit GitHub Actions Workflows: Search your repositories for the pull_request_target trigger. If found, determine if the workflow checks out code from the PR and runs tests or scripts. If so, switch to the pull_request trigger for untrusted contributions or implement a manual approval step.
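The following is an added example, not code from the original article or from any of the projects named in it, that turns the "Workflow Permission Boundaries" description and the audit step above into a small checker. It is a text-level heuristic over workflow files, not a YAML parser, and the two sample workflows embedded in it are constructed for illustration rather than taken from a real repository. The regexes, finding labels and function names are this example's own choices.

```python
"""Heuristic audit of GitHub Actions workflow text for the pull_request_target misuse pattern.

Added example. The regexes are a text-level heuristic, not a YAML parser, and the
two sample workflows below are constructed for illustration, not taken from any
real repository.
"""
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample: an elevated-context workflow that checks out and runs PR code.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: the same job on the pull_request trigger with a read-only token.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

ELEVATED_TRIGGER = re.compile(r"\bpull_request_target\b")
# A checkout of the PR head (or its merge ref) is what puts contributor code in the job.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|refs/pull/")
RUN_STEP = re.compile(r"^\s*-?\s*run\s*:", re.MULTILINE)
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
# Only a top-level permissions: block is checked; job-level blocks are indented and not matched.
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions\s*:", re.MULTILINE)


def audit_workflow(text: str) -> list[str]:
    """Return findings, most severe first; an empty list means nothing was flagged."""
    findings: list[str] = []
    elevated = bool(ELEVATED_TRIGGER.search(text))
    pr_head = bool(PR_HEAD_REF.search(text))
    runs_code = bool(RUN_STEP.search(text))
    uses_secrets = bool(SECRET_REF.search(text))

    if elevated and pr_head and runs_code:
        findings.append(
            "CRITICAL: pull_request_target checks out the PR head and runs steps; "
            "contributor code executes with base-repository secrets"
        )
    elif elevated and pr_head:
        findings.append("HIGH: pull_request_target checks out the PR head; review every step that reads it")
    elif elevated:
        findings.append("MEDIUM: pull_request_target present; confirm no PR-controlled input reaches a run step")
    if elevated and uses_secrets:
        findings.append("HIGH: secrets referenced in an elevated-context workflow")
    if not TOP_LEVEL_PERMISSIONS.search(text):
        findings.append("LOW: no top-level permissions: block; GITHUB_TOKEN falls back to the repository default")
    return findings


def is_high_risk(text: str) -> bool:
    """True when the elevated trigger, a PR checkout and a run step all coexist."""
    return any(f.startswith("CRITICAL") for f in audit_workflow(text))


def audit_directory(repo_root: str | Path) -> dict[str, list[str]]:
    """Audit every workflow file under .github/workflows; keys are file paths with findings."""
    workflows = Path(repo_root) / ".github" / "workflows"
    results: dict[str, list[str]] = {}
    for path in sorted(list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml"))):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Run the checker over both constructed samples; point audit_directory at a real checkout to use it.
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {audit_workflow(text) or ['no findings']}")
```

Run it against a repository checkout with `audit_directory(".")`. Because the check is textual, treat its output as a worklist: a CRITICAL finding means the three ingredients (elevated trigger, PR checkout, code execution) coexist in one file, and the fix is the one the step above describes, switching the trigger to pull_request or inserting a manual approval before any PR-controlled code runs.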
Require Reviews for Workflow Changes: Enable branch protection rules in GitHub to require pull request reviews before merging changes to .github/workflows/. Treat workflow files with the same scrutiny as authentication code.
Rotate and Scope Publishing Tokens: Use automation tokens with minimal scope for publishing packages to npm or PyPI. Store these in GitHub Actions secrets, but be aware that secrets are accessible to workflows running in the base repository context.
Enforce MFA on Maintainer Accounts: Ensure all maintainer accounts have MFA enabled to prevent compromise through credential stuffing or phishing.
Enable npm Package Provenance: Use npm publish --provenance to generate provenance attestations that link a package to the source repository and build workflow.
Segment Development Environments: Ensure developer workstations do not have direct access to production credentials or systems. Use bastion hosts, temporary credential vending, and network policies to enforce boundaries.
Implement SLSA Level 2: The Supply-chain Levels for Software Artifacts framework requires version control and a build service. Level 3 requires preventing tampering with the build service. The pull_request_target attack violates this by allowing external contributors to tamper with your build service.
Test these controls with a tabletop exercise: "An external contributor submits a PR that modifies our test suite to exfiltrate secrets. Does our current workflow configuration stop this?" If not, adjustments are needed.