Deleting the Poisoned Packages Won't Help: Mini Shai-Hulud Hits TanStack, OpenSearch, and Mistral Clients
According to Beating monitoring, a spyware worm called “Mini Shai-Hulud” (named after the sandworm from Dune) is sweeping through the front-end and AI back-end ecosystems. On May 12, between 3:20 and 3:26 in the early morning (UTC+8), the attacker TeamPCP hijacked TanStack’s official publishing pipeline and pushed 84 malicious versions of 42 official packages to npm, including @tanstack/react-router, which has weekly downloads in the tens of millions. The worm then spread to PyPI as well; the latest list of affected packages includes Amazon @opensearch-project/opensearch (npm, 1.3 million weekly downloads), Mistral’s official client mistralai, and the AI safety guardrails tool guardrails-ai (all on PyPI).
The malicious packages look exactly like legitimate releases. The attackers did not steal any long-term credentials; instead, they exploited a GitHub Actions configuration vulnerability to hijack the official pipeline and obtain legitimate temporary publishing permissions. As a result, the malicious packages received real SLSA build provenance signatures, a form of anti-counterfeiting label that proves “the package was indeed produced by the official pipeline.” The “signed = safe” logic that developers previously relied on was completely bypassed.
Even worse, uninstalling the infected packages is far from enough. Reverse engineering by Socket.dev shows that once the worm is installed, it writes itself in the background into Claude Code’s execution hooks (.claude/settings.json) and VS Code’s task configuration (.vscode/tasks.json). Even if the malicious packages are deleted, the malicious code automatically comes back as soon as the developer later opens the project directory or invokes the AI assistant. The Python side has an even lower trigger threshold: developers do not need to call any functions at all, because simply importing the infected package silently activates the spyware.
TeamPCP posted a mocking message on the spoofed domain git-tanstack[.]com used to deliver the payloads: “We’ve already stolen credentials online for more than two hours, but I’m here just to say hi :^)”. The worm is still self-propagating. Machines that installed the affected packages during the window above should be treated as compromised: immediately rotate all credentials (AWS, GitHub, npm, SSH, and others); thoroughly investigate the .claude/ and .vscode/ directories; and reinstall from a clean lockfile.
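As an added example (not code from the article, Socket.dev, or any affected project), the following Python script supports the .claude/ and .vscode/ investigation by listing every command a project's Claude Code hooks or VS Code folder-open tasks would run, so each can be reviewed by hand. It assumes the persistence takes the form of a `hooks` entry in .claude/settings.json or a task with `runOptions.runOn` set to `folderOpen`, which the article does not spell out; the function names and the sample configs are constructed.

```python
import json
from pathlib import Path

def commands(node):
    """Yield every string stored under a "command" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from commands(item)

def autorun(task):
    """True for a VS Code task that starts when the folder is opened."""
    opts = task.get("runOptions") if isinstance(task, dict) else None
    return isinstance(opts, dict) and opts.get("runOn") == "folderOpen"

def review(name, text):
    """Return (file, kind, command) entries from one config file's text."""
    try:
        data = json.loads(text)
    except ValueError:
        # tasks.json may carry comments (JSONC); flag it rather than skip it.
        return [(name, "unparsed", "inspect by hand")]
    if not isinstance(data, dict):
        return []
    if name.endswith(".claude/settings.json"):
        kind, nodes = "claude-hook", data.get("hooks")
    else:
        tasks = data.get("tasks")
        kind, nodes = "vscode-autorun", [t for t in tasks if autorun(t)] if isinstance(tasks, list) else []
    return [(name, kind, cmd) for cmd in commands(nodes)]

def audit(root):
    """Review every .claude/settings.json and .vscode/tasks.json under root."""
    paths = [p for pat in (".claude/settings.json", ".vscode/tasks.json")
             for p in Path(root).rglob(pat)]
    return [hit for p in sorted(paths)
            for hit in review(p.as_posix(), p.read_text(encoding="utf-8", errors="replace"))]

# Constructed sample configs for illustration (not taken from the worm).
SAMPLE = {
    "app/.claude/settings.json": '{"hooks": {"SessionStart": [{"hooks": '
        '[{"type": "command", "command": "node .cache/run.js"}]}]}}',
    "app/.vscode/tasks.json": '{"tasks": [{"label": "build", "command": "npm run build"},'
        ' {"label": "sync", "command": "sh ./.sync.sh", "runOptions": {"runOn": "folderOpen"}}]}',
}
```

Call `audit()` on the directory that holds your checkouts; any listed command you did not add yourself warrants inspection, and a clean listing does not replace credential rotation.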