Search results for Ci_en
Tweets including Ci_en
🚨 MistEye TI Alert 🚨 MistEye has detected a highly sophisticated npm worm, "Mini Shai-Hulud," spreading through trusted developer projects like TanStack, UiPath, and DraftLab. The attackers hijacked GitHub credentials to publish malicious, yet seemingly legitimate, package updates. The malware injects a heavily disguised hidden script (router_init.js) that runs silently in the background of CI/CD environments (like GitHub Actions). It is specifically designed to harvest highly sensitive data, including CI/CD secrets, cloud infrastructure keys, and cryptocurrency wallets. The stolen data is then stealthily smuggled out using GitHub's own infrastructure. We have synchronized these critical IOCs with our clients. If your projects utilize the affected packages, immediate action is required: please audit your CI/CD pipelines for the presence of the router_init.js file, rotate all exposed GitHub, cloud, and crypto credentials, and closely monitor your development environments for any unauthorized background activity. As always, stay vigilant!
GitHub Actions has systemd-coredump enabled these days, so it is quite simple printing symbolicated stack trace for crashes in CI:
The latest OpenClaw release is ~3.5x faster 🦞 We run end-to-end RTT tests against every published npm release, every 6 hours, over real message channels (here: Telegram, using the brand new bot-to-bot communication). No more silent regressions. Runners are all running on @useblacksmith CI. Catching slowdowns before you do.

Codex is getting easier to automate and customize around your code.
🪝 Hooks customize the Codex loop with scripts that run at key points in a task:
• Run validators before or after work
• Scan prompts for secrets
• Log conversations to internal systems
• Create memories or customize behavior by repo or directory
⚙️ Programmatic access tokens provide scoped credentials for Business and Enterprise teams:
• Create tokens from ChatGPT workspace settings
• Use them in CI, release workflows, and internal automations
• Set expirations or revoke access when needed
• Keep usage tied back to the workspace


🚨Analysis of the Supply Chain Poisoning Attack on the Official Mistral AI SDK 🚨
SlowMist’s MistEye threat monitoring system has identified a malicious version of the official Mistral AI Python SDK: mistralai==2.4.6. Unlike typical typosquatting attacks, this was not a fake package. The malicious code was injected directly into the official SDK release pipeline.
🔍 Key Findings
• Malicious code hidden in the SDK import entry point
• Silent download of a remote payload disguised as transformers.pyz
• Theft of cloud credentials, SSH keys, CI/CD tokens, password manager data, Kubernetes Secrets, and more
• 1/6 probability of triggering rm -rf /* on systems associated with Israel or Iran
• Strong attribution links to the previously disclosed Shai-Hulud supply chain attack framework through the same 4096-bit RSA public key
Our analysis reconstructs the full attack chain, persistence mechanisms, encrypted exfiltration workflow, and the correlation between the Python and TypeScript attack frameworks. Full article👇


🚨 SlowMist TI Alert 🚨
MistEye has received critical threat intelligence regarding an active supply chain attack compromising node-ipc, a foundational Node.js library. The malicious releases have been identified as versions 9.1.6, 9.2.3, and 12.0.1. Threat actors injected an obfuscated credential-stealing payload into the CommonJS bundle. Once loaded, it silently harvests over 90 categories of developer data—including AWS, Azure, GCP, SSH, K8s tokens, and Terraform states—and exfiltrates it to attacker-controlled infrastructure. We have synchronized this IOC with our clients immediately.
Detection & Remediation: Please urgently audit your environments for exposure:
• Dependencies: Run npm ls node-ipc --all to identify direct or transitive inclusions.
• Lockfiles: Search package-lock.json, yarn.lock, or pnpm-lock.yaml for the affected version ranges.
• CI/CD: Review pipeline jobs executed after May 14, 2026, that may have pulled loose semver updates (~9.1.x, ^12, etc.).
⚠️ Critical Action: If a compromised version was installed, assume certain compromise. Do not wait for exfiltration confirmation. Downgrade to a known safe version immediately and aggressively rotate all credentials, tokens, and environment secrets present on the affected machine or CI runner. As always, stay vigilant!

🚨 ACTIVE INCIDENT: The Mini Shai-Hulud worm is back, and it just compromised dozens of official @tanstack npm packages This is the first documented self-spreading npm worm that carries valid SLSA provenance attestations. Let that sink in. Our OSS Package Security Feed detected the compromised releases and we're tracking the spread in real time. Here's what happened: The attacker staged an obfuscated 2.3 MB credential-stealing payload in a fork of TanStack/router, then used hijacked OIDC tokens to publish malicious versions through TanStack's own legitimate GitHub Actions release pipeline. The compromised packages include @tanstack/react-router, @tanstack/router-core, @tanstack/react-start, and 40+ other packages. Millions of weekly downloads across the ecosystem. If you installed any affected version in CI, assume all secrets in that environment are compromised. Rotate tokens immediately. Full technical analysis, IOCs, compromised version list, and recovery steps on our blog. The list of affected packages is still growing.

🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication.
The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads.
The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require("node-ipc"), not through a postinstall script. Here’s what it does:
• Fingerprints the host (OS, arch, hostname, uname)
• Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more)
• Dumps the entire process.env, capturing every CI secret and cloud credential in memory
• Builds a gzip archive in a temp directory
• Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain)
The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively.
The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require("node-ipc").__ntRun() can trigger a second collection/exfiltration cycle.
ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are.
This is the same package involved in the 2022 protestware incident. It has a history.
If you use node-ipc:
• Do not install 9.1.6, 9.2.3, or 12.0.1
• Audit your lockfiles for these versions
• If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately.
• Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs
• Check for temp files matching /nt-/.tar.gz
Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector. Developing story. Full technical breakdown and IOCs on the Socket blog:


🚨USE THIS GUIDE TO PROTECT YOUR COMPUTER FROM NPM HACKS THAT STEAL EVERYTHING IN ONE INSTALL
TanStack, a code library used in millions of web apps, got hacked on Monday
one install steals every password, key, and credential on your computer
this is far from the first hack this month and definitely just the beginning
Here's how to protect your machine:
[ 1. lock down npm with a 7-day cooldown ]:
open ~/.npmrc. keep all existing lines (auth tokens, registry config). append:
"""
min-release-age=7
minimum-release-age=10080
save-exact=true
"""
this makes npm refuse any package version published in the last 7 days. attack windows are usually under 24 hours, you skip them entirely
[ 2. same cooldown for bun ]:
open ~/.bunfig.toml (create if missing). append:
"""
[install]
minimumReleaseAge = 604800
"""
7 days in seconds, same protection in bun's config format
[ 3. pin every npm dependency in your projects ]:
open package.json. strip every ^ and ~ from versions under:
- dependencies
- devDependencies
- peerDependencies
exact versions only. commit your lockfile (bun.lock / package-lock.json / pnpm-lock.yaml) to git so the resolved tree is frozen
[ 4. same discipline for python ]:
if you use uv (the modern default): commit uv.lock, run `uv sync` to restore
if you use pip: requirements.txt with pinned versions, run `pip install --require-hashes -r requirements.txt`
if you use poetry: commit poetry.lock, use `poetry install --no-update`
never trust `>=` or `~=` ranges in production projects
[ 5. pin GitHub Actions to commit SHAs ]:
stop using `actions/checkout@v4`. switch to:
```yaml
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```
every third-party action runs in your CI with access to repo secrets. pinning the SHA means a compromised maintainer cannot push malicious code into your pipeline
[ 6. audit your IDE extensions ]:
Cursor, VSCode, Windsurf, every extension is code running with full access to your filesystem, clipboard, and open files
- review installed extensions monthly
- remove anything you haven't actively used in 30 days
- check the publisher, install count, last update, GitHub source before installing
- never install extensions that ask for permissions they shouldn't need
[ 7. lock down API tokens and credentials ]:
- never commit .env to git (add to .gitignore on every project, no exceptions)
- use minimum-scope tokens: one repo, one bucket, one workspace
- rotate API keys every 90 days, force expiry on critical ones
- separate tokens by environment (dev / staging / prod)
- enable 2FA on every developer account: GitHub, npm, PyPI, Cloudflare, AWS, OpenAI, Anthropic
- never paste secrets into Claude / ChatGPT / any AI chat, they're logged
[ 8. set up continuous monitoring ]:
- enable Dependabot alerts on every repo (free, takes 2 minutes)
- install or Snyk for live vulnerability scanning
- subscribe to the npm and PyPI security advisory feeds
- follow @snyksec, @socketsecurity, @stepsecurity for early warnings
[ 9. how to detect if you got the TanStack payload ]:
if you installed any @tanstack/* package between 19:20 and 19:30 UTC on Monday, May 11, treat the host as compromised
the detection signature: a malicious manifest contains
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee#..." }
any version with this entry is compromised. the payload is delivered via the git-resolved optionalDependency, whose prepare script runs router_init.js (~2.3 MB, smuggled into the tarball root)
how to check fast:
- search your lockfile for `@tanstack/setup` references
- search node_modules for any `router_init.js` file
- if either shows up, jump to section 10 immediately
future attacks will use the same trick: malicious code hidden in optionalDependencies or postinstall/prepare scripts. add `grep -r "postinstall\|prepare" node_modules/*/package.json | grep -iE "curl|wget|eval|base64"` to your weekly audit routine
[ 10. emergency response if you're already compromised ]:
ran an install during a suspected attack window? do this in this exact order:
- rotate every cloud credential: AWS, GCP, Kubernetes service accounts, Vault tokens
- rotate GitHub personal access tokens, OAuth tokens, SSH keys
- revoke active sessions on GitHub, npm, PyPI, all cloud providers
- audit AWS / GCP / Kubernetes / Vault audit logs for the last several hours, look for unauthorized API calls
- pin to the last known-good version of every @tanstack package and reinstall from a clean lockfile
- check ~/.npm, ~/.config, browser cookie stores for tampered files
- wipe ~/.bash_history, ~/.zsh_history, local AI chat logs that might have secrets
- if you ran the install as root or with sudo: nuke the machine, reinstall from scratch, restore code from git only
[ why this matters right now ]:
attack chains in supply chain hacks usually only last a few hours before the malicious package gets caught and yanked. during those hours, every developer running `npm install` becomes a victim
worse: npm couldn't even UNPUBLISH most of the TanStack malicious versions because of third-party dependencies. the registry's own safeguards are part of the problem. you can't rely on the platform, you have to protect yourself
the patterns from the last 18 months:
- npm: TanStack on May 11 (42 packages, AWS/GCP/Vault credentials), Shai-Hulud worm hit Nx packages, chalk/debug/ansi-styles worm hit qix maintainer
- GitHub Actions: tj-actions/changed-files compromise exposed thousands of repos' secrets
- PyPI: ongoing typosquatting campaigns targeting AI/ML packages
- IDE extensions: VSCode marketplace caught hosting credential stealers
the frequency is rising because the payoff is massive
one compromised package lands on millions of machines in hours
if you don't lock this down tonight, you're exposed to the next one. and there will be one
30 minutes tonight, or wait for the next attack to clean out your machine
Full TanStack breakdown:

I am the Managing Director of Workforce Transition at a consulting firm that bills $14,200 per day and I am currently advising two clients, in two different industries, running the same playbook from the same deck I built in January, and neither knows about the other. Client A is GitLab. Client B is General Motors. GitLab makes software for people who make software. General Motors makes cars for people who can't afford cars. Both companies, in the same week of May 2026, announced they are replacing their human employees with artificial intelligence products that did not exist when those employees were hired. I built the deck. The deck has 44 slides. Slide 1 is titled "The Agentic Opportunity." Slide 44 is titled "Implementation Timeline." Slides 2 through 43 are the reason I own a house in Darien. GitLab did it with vocabulary. Their CEO published a blog post called "Act 2" on May 7 announcing that the company's six values (Collaboration, Results for Customers, Efficiency, Diversity Inclusion & Belonging, Iteration, Transparency) were being retired and replaced with three: Speed with Quality, Ownership Mindset, Customer Outcomes. I helped write the new ones. Not directly. My firm was not retained for the values work. But I sold the Chief Culture Officer the framework three months ago at a dinner in the Marina where she described the old values as "aspirational scaffolding" and I said, very carefully, that aspirational scaffolding is a liability once the building is up. The building, in this metaphor, is a $1 billion ARR company whose stock has declined 82% from its peak. The scaffolding, in this metaphor, is the 2,000-page public handbook that attracted the employees who are now being told they have eleven days to volunteer for termination or wait until June 1 to learn whether they've been involuntarily selected. The rubric for who stays and who goes contains six dimensions. 
I know this because I reviewed a draft in March when my associate flew to San Francisco for a "culture alignment session" that was billed as strategic advisory. Two of the six dimensions are "AI fluency" and "agentic mindset." These terms did not appear in any GitLab job description before January 2026. They now determine employment. An engineer who maintained GitLab's CI/CD pipeline for four years without incident — four years of uptime, four years of deployments, four years of the infrastructure that generated the $955 million in revenue the CEO celebrated on the earnings call — may score lower on "agentic mindset" than a new hire who completed a twelve-week certificate in prompt engineering from a program that itself has existed for fewer weeks than the engineer has years of tenure. General Motors did it with spreadsheets. Monday morning, May 11. Badge deactivation at 5:47 AM Eastern, building access at 5:48, VPN credentials at 5:49. Six hundred IT workers across twelve states. The distribution across twelve states was not arbitrary. Each state has a WARN Act notification threshold. Six hundred distributed across twelve states falls below every threshold. The workforce analytics team that designed the distribution model was not among the six hundred terminated. The skill of distributing layoffs across jurisdictions to avoid legal notification requirements is, apparently, an AI-native competency. GM posted 83 new positions the same week. The job descriptions require "AI-native development, data engineering and analytics, cloud-based engineering, agent and model development, and prompt engineering." I reviewed them at my client's request. Several describe roles that the terminated employees were already performing under different names. One posting, Senior Data Integration Architect, is identical to a role held by a woman in their Austin office who was terminated at 5:47 AM Central. She held the position for nine years. 
The new posting requires three years of experience with large language models. Large language models have existed in commercial deployment for approximately three years. The requirement is mathematically designed to exclude anyone who learned their skills before the technology existed. Which is everyone they just fired. Here is where the deck earns its fee. Slide 17 is titled "The Vocabulary Bridge." It is the most important slide in the presentation. It shows how to construct a lexicon of new competency terms ("AI fluency," "agentic mindset," "AI-native development") that describe existing work in language the existing workforce cannot claim. The vocabulary does not change the job. It changes who is qualified for the job. A senior IT administrator who managed SAP infrastructure processing $185 billion in annual GM revenue for fifteen years is not "AI-native." A twenty-six-year-old with a GitHub portfolio of LangChain wrappers is. The fifteen-year veteran did the work. The twenty-six-year-old has the words. My deck converts one into the other. That is the bridge. GitLab Duo, their AI agent platform, reached general availability on January 15, 2026. Seventeen weeks ago. They are restructuring their entire company around a product that has existed for seventeen weeks. GitHub Copilot has 20 million users and 4.7 million paid subscribers across 90% of the Fortune 100. Cursor reached $2 billion in annualized revenue in February. GitLab's competitor advantage in the "agentic era" is that they are willing to fire more people faster in service of a product that has been generally available for fewer days than their voluntary separation window has hours of anxiety. General Motors spent $10 billion on Cruise, their autonomous vehicle division. Cruise's signature achievement was a robotaxi that struck a pedestrian in San Francisco and dragged her twenty feet. The DOJ fined them $500,000. They settled with the victim for approximately $10 million. 
They killed the division in December 2024. They then wrote down $7.6 billion in EV losses. They then pivoted back to gasoline. They then announced the 600 IT layoffs for insufficient "AI skills." The AI they built cost $10 billion and injured a woman. The AI skills they're hiring for cost a twelve-week certificate. The employees they fired had fifteen years of keeping $185 billion in revenue processing without dragging anyone through an intersection. Meanwhile — and this is the part where I earn the second half of my fee — GM was simultaneously settling a $12.75 million fine with the California Attorney General for selling the precise GPS coordinates, hard braking events, and real-time driving speeds of 8 million OnStar subscribers to Verisk Analytics and LexisNexis, who used the data to raise those drivers' insurance premiums. GM's privacy policy explicitly stated they did not sell driving data. They sold driving data for four consecutive years. The fine was $12.75 million. The revenue was $20 million. The margin on collecting behavioral telemetry from 8 million of your own customers while the glove compartment manual said otherwise was 64%. The terminated employees' median salary was $95,111. Mary Barra's compensation was $29.9 million. The ratio is 310 to 1. The 1 was just reclassified as "not AI-native." I present these two clients to my partners every Thursday in a meeting we call "Transition Pipeline Review." I present them on the same slide. The slide has two columns. Left column: GitLab. Right column: General Motors. The headers are identical. "Legacy Workforce," "Skills Gap Narrative," "Vocabulary Bridge Deployed," "Separation Timeline," "Replacement Requisitions." The numbers differ. The structure is identical. The structure is always identical. I have seventeen clients in the pipeline. Nine are in technology. Four are in manufacturing. Two are in financial services. One is in healthcare. One is in defense. All seventeen are on slide 17. 
All seventeen are building a vocabulary bridge. All seventeen are replacing employees who have skills with employees who have words. GitLab's CEO wrote: "Software will be built by machines, directed by people." I read that sentence in a meeting where we were reviewing the rubric for determining which people would be directed out of the company. GM's Chief Product Officer arrived from Aurora, the autonomous trucking startup, to "consolidate disparate technology businesses." Three top software executives departed within six months. Their LinkedIn profiles say "exploring new opportunities" in the same font GM's privacy policy used to say "we do not sell your driving data." Bill Staples's compensation at GitLab was $39.1 million in FY2025. His change-of-control payout is modeled at $47.4 million. Mary Barra's was $29.9 million. Combined: $69 million for two executives presiding over a restructuring that will remove an undisclosed number of humans from payroll and replace them with products that are, respectively, seventeen weeks old and responsible for $10 billion in losses plus one woman dragged through a San Francisco intersection. An anonymous GitLab employee posted on Hacker News: "The employees can have some anxiety until then. As a treat." A GM facilities team filed a maintenance request about moisture on the lobby tables on restructuring mornings. The Warren, Michigan campus has a Panera Bread that opens at 5:30 AM on days when badge deactivations begin at 5:47 AM. The Panera does not know why its hours change. My firm does. We have an agreement with their regional manager. The muffins are complimentary. Slide 17 has a footnote. The footnote says: "Vocabulary Bridge deployment should precede workforce action by 60-90 days to establish institutional legitimacy of new competency framework." GitLab introduced "AI fluency" in January. The restructuring was announced in May. Four months. GM posted "AI-native" job descriptions the same week as the terminations. 
That is too fast. That is not what the deck recommends. GM skipped the legitimacy window. They went straight from vocabulary to separation without the 60-day buffer that allows HR to say, in the separation meeting, "we communicated these expectations in Q1." I flagged this in my Thursday pipeline review. My partner said, and I am quoting: "They'll be fine. Nobody sues over a word." My deck has been purchased by seventeen companies. The aggregate headcount affected across all seventeen is approximately 14,000 employees. The aggregate revenue of my practice from these engagements is $11.2 million. The per-employee cost of my advisory services works out to $800 per person displaced. That is less than the Panera muffin budget at GM's Warren campus annualized across restructuring days. I have a copy of GitLab's original values poster framed in my office. It says CREDIT: Collaboration, Results for Customers, Efficiency, Diversity Inclusion & Belonging, Iteration, Transparency. I purchased it on eBay from someone whose seller name is "gitlab-alum-2024." I keep it the way a surgeon keeps an X-ray of an interesting case. Not for sentiment. For reference. Slide 44 is titled "Implementation Timeline." It contains a Gantt chart. The Gantt chart has seventeen rows, one per client. Each row has four phases: Vocabulary Introduction, Competency Reassessment, Workforce Action, Replacement Hiring. The phases overlap. They always overlap. The vocabulary is introduced while the competency reassessment is being designed. The reassessment is completed while the workforce action is being calendared. The replacement hiring is posted while the terminated employees are sitting in a Panera at 5:48 AM wondering whether "AI-native" was a term that existed when they were hired. It was not. That is the bridge. That is the product. That is slides 2 through 43. The agentic era is not a technological shift. It is a vocabulary shift. 
The technology is seventeen weeks old or $10 billion underwater or dragging someone through an intersection. The vocabulary is what my clients are buying. The vocabulary is what makes a fifteen-year SAP administrator into a "legacy workforce" and a twelve-week prompt certificate into a "transition hire." The vocabulary is the product. I am the vendor. The deck is $14,200 per day. The agentic era starts on slide 1 and ends on slide 44 and in between is every employee who built the thing now being renamed to exclude them. I bill monthly. Net 30. The invoices are paid on time. The employees are not.