Session Messenger: Privacy Pioneer Caught in the Crossfire of a Major Supply Chain Attack
Session Messenger: Privacy Pioneer Caught in the Crossfire of a Major Supply Chain Attack
- 60% of MD5 Password Hashes Can Be Cracked in Under an Hour with a Single GPU
- Dirty Frag: Root Access on Every Major Linux Distribution — No Patch, No Warning
- Ubuntu 26.04 LTS (Resolute Raccoon): The Most Ambitious Ubuntu LTS in a Decade
- Proton Mail: Data Transferred to FBI Again!
- How Close Are Quantum Computers to Breaking RSA-2048?
- How to Prevent Ransomware Infection Risks?
- What is the best alternative to Microsoft Office?
Session Messenger: Privacy Pioneer Caught in the Crossfire of a Major Supply Chain Attack
How a legitimate, decentralized encrypted messenger became an unwilling accomplice in one of 2026’s largest open-source supply chain worms — and why the blocks don’t change what Session fundamentally is.
What Is Session?
Session (getsession.org) is an open-source, end-to-end encrypted messaging application built from the ground up for anonymity and privacy. Unlike Signal, WhatsApp, or Telegram, Session requires no phone number, no email address, and no personal identifier of any kind to create an account. Users are identified solely by a cryptographic public key — a 66-character alphanumeric Session ID.
The app routes all messages through an onion-style network of thousands of community-operated nodes called the Session Node Network, making it structurally impossible for any single node — or any organization — to see both who is sending a message and who is receiving it. Its tagline is precise: “Send Messages, Not Metadata.”
With over three million active users, Session is trusted by activists, investigative journalists, whistleblowers, and privacy-conscious users worldwide. In October 2024, stewardship of the project transferred from the Australia-based Oxen Privacy Tech Foundation to the Switzerland-based Session Technology Foundation.
The Mini Shai-Hulud Supply Chain Attack
In May 2026, the cybersecurity world was shaken by one of the most sophisticated and far-reaching supply chain attacks ever documented. The attack — attributed to a threat actor group called TeamPCP and named “Mini Shai-Hulud” after the sandworms of Frank Herbert’s Dune — struck directly at the heart of the open-source developer ecosystem.
Attack Timeline
The attacker creates a forked copy of the TanStack/router GitHub repository under an obscure account name (zblgg/configuration), chosen deliberately to evade fork-list searches.
In a six-minute window, 84 malicious package versions are published across 42 @tanstack/* npm packages — including @tanstack/react-router, which receives over 12.7 million weekly downloads. The packages pass all cryptographic provenance checks and carry valid SLSA attestations.
The self-propagating worm spreads to Mistral AI, UiPath, OpenSearch, Guardrails AI, and over 160 additional npm and PyPI packages — all through automated self-propagation using stolen OIDC tokens.
The campaign expands to PyPI. Two Python packages are compromised: mistralai==2.4.6 and guardrails-ai==0.10.1. PyPI quarantines the mistralai project.
Security firms publish advisories. By end of day, over 170 packages and 400+ malicious versions are documented. TanStack publishes its full postmortem on May 15.
How the Attack Worked
The attack chained three vulnerabilities in the GitHub Actions pipeline. First, the attacker exploited the pull_request_target “Pwn Request” pattern to execute code from a forked repository inside TanStack’s trusted CI environment. Second, it poisoned GitHub Actions’ shared cache with attacker-controlled binaries. Third, those binaries read directly from the GitHub Actions runner’s process memory — /proc/<pid>/mem — to extract a short-lived OIDC token, which was then used to publish malicious packages through TanStack’s own trusted release pipeline.
The malicious packages passed every standard security check: valid npm SLSA provenance, valid Sigstore cryptographic certificates, and verified GitHub OIDC origin. This was the first documented case of malicious packages carrying valid Build Level 3 provenance attestation — making them indistinguishable from legitimate releases by any automated tool.
Once installed in a developer or CI environment, the payload ran silently. The worm harvested an extraordinarily broad range of credentials: AWS and GCP cloud keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, GitHub PATs, npm publish tokens, and even API keys stored in AI coding agent configurations such as ~/.claude.json and MCP server config files. A particularly dangerous daemon polled GitHub every 60 seconds and, if a monitored token was revoked, attempted to wipe the entire user home directory with rm -rf ~/.
Where Session Comes In: Exfiltration via the Oxen Network
To send the stolen data back to its operators without being detected, TeamPCP made a technically sophisticated and deliberate choice: instead of using a traditional command-and-control (C2) server that could be identified and shut down, the malware used Session’s decentralized file upload network as its exfiltration channel.
Stolen credentials were encrypted and transmitted to the following Session infrastructure domains:
- filev2.getsession.org
- seed1.getsession.org
- seed2.getsession.org
- seed3.getsession.org
The strategic reasoning was explained by Wiz in its analysis: Session’s onion-based service nodes route traffic in a way that is end-to-end encrypted and “indistinguishable from encrypted messaging app telemetry.” There is no attacker-controlled server to take down. The network is decentralized by design, and takedown-resistant by nature — properties that protect legitimate users from censorship and that made it, simultaneously, an ideal covert channel for data theft.
As the TanStack postmortem confirmed, because the traffic was routed through Session’s onion network, IP-level blocking was entirely ineffective. DNS-level blocking of *.getsession.org was the only practical network-layer mitigation available to defenders.
The Security Response: Who Blocked getsession.org?
The response from the security community was swift and broad. Multiple major organizations independently recommended blocking *.getsession.org at the DNS or proxy level as part of their incident response guidance.
- Orca Security — Included
*.getsession.orgexplicitly in its published indicators of compromise (IOCs) and remediation advisory, alongsidegit-tanstack[.]comand the attacker’s IP address. - Wiz — Documented the Session network as the primary novel exfiltration channel and recommended DNS-level blocking as the only effective mitigation.
- Snyk — Confirmed that
filev2.getsession.organdseed{1,2,3}.getsession.orgwere the main data exfiltration endpoints and advised DNS blocking across all subdomains. - StepSecurity — The firm that first detected the attack, publishing Session infrastructure domains as IOCs and recommending they be blocked at the network perimeter.
- SOC Prime — Advised defenders to block outbound traffic to
filev2.getsession.orgas part of a broader containment strategy. - Strobes — Included
.getsession.orgin its published DNS/proxy block list alongside other known attacker infrastructure. - Wordfence — Added
getsession.organd related subdomains to its Real-time IP Blocklist through its Threat Defense Feed, protecting WordPress server environments that may have been running compromised developer toolchains. - HaGeZi DNS Blocklists — A widely-used community DNS blocklist project received a formal request to include
filev2.getsession.org, with users reporting that blocking produced no disruptions to legitimate operations.
These blocks are defensive measures targeting an active attack’s communication pathway — not judgments that Session is malicious software. Every organization’s advisory made this distinction explicit. The blocks may be revisited or narrowed once the immediate threat is contained.
Collateral Blocking: Session Is Not the Villain
It bears stating clearly: Session did not do anything wrong. The app was not hacked. Its code was not modified. Its users’ messages were not exposed. TeamPCP did not exploit a vulnerability in Session — they exploited Session’s legitimacy.
The attackers’ logic was precisely the inverse of what the blocks might imply: they chose Session’s infrastructure because it would not be blocked by most enterprise firewalls. They were counting on Session’s reputation as a legitimate privacy tool to fly under the radar. That gamble failed when security researchers mapped the exfiltration routes.
This situation has a well-established precedent in security history. Tor, Signal, VPNs, and legitimate file-sharing protocols have all been “blocked” by enterprise firewalls and government filters at various times — not because those tools are malicious, but because their privacy properties make them attractive to both legitimate users and bad actors simultaneously. The blocks say something about the attack, not about Session.
Session’s Genuine Privacy Advantages
Setting aside the supply chain incident, Session occupies a genuinely distinct position in the encrypted messaging landscape. Its design philosophy — prioritizing network-level metadata resistance above all else — leads to structural advantages that no centralized messenger can replicate.
Account creation requires zero personal identifiers. Users receive a randomly generated cryptographic Session ID. Signal, WhatsApp, and Telegram all require a phone number, tying accounts to real-world identities.
No registration database. No phone number graph. No contact list uploaded to a server. No central authority capable of reconstructing who communicates with whom — unlike even Signal, which logs account creation timestamps and last connection dates.
Messages travel through a three-hop path of service nodes. No single node sees both sender and recipient IP addresses. Users’ physical locations are structurally hidden at the network layer.
No company-owned central servers to subpoena, shut down, or hack. Thousands of independent community nodes distribute storage and routing, eliminating single points of failure and control.
With no central server to block, Session is inherently resistant to government-ordered shutdowns — a critical property for users in repressive environments where other messengers can be simply turned off.
Session’s new protocol (in development as of December 2025) adds Perfect Forward Secrecy and post-quantum cryptography while preserving all decentralization and anonymity properties — addressing a key prior criticism.
Comparative Feature Overview
| Feature | Session | Signal | Telegram | |
|---|---|---|---|---|
| No phone number required | ✓ | ✗ | ✗ | ✗ |
| End-to-end encryption by default | ✓ | ✓ | ✓ | Partial* |
| Zero metadata collection | ✓ | Minimal | ✗ | ✗ |
| IP address hidden from servers | ✓ | ✗ | ✗ | ✗ |
| Decentralized infrastructure | ✓ | ✗ | ✗ | ✗ |
| Open source | ✓ | ✓ | ✗ | Partial |
| Censorship resistant | ✓ | ✗ | ✗ | ✗ |
| Perfect Forward Secrecy (V2) | In dev. | ✓ | ✓ | Secret only |
* Telegram encrypts messages end-to-end only in manually initiated “Secret Chats.” Standard chats and all group chats are stored server-side with keys Telegram controls.
Known Trade-offs
Session’s privacy-first architecture involves genuine trade-offs that users should understand. Onion routing adds latency — messages are slightly slower than direct-connection alternatives. Peer-to-peer voice and video calls currently expose participant IP addresses to each other, a limitation Session’s documentation openly acknowledges. And until Protocol V2 is fully deployed, Session lacks the Perfect Forward Secrecy that Signal provides, meaning a compromised long-term private key could theoretically expose intercepted past messages. These are real considerations, not dealbreakers — they reflect deliberate design choices that prioritize anonymity and decentralization.
Conclusion: The Privacy Paradox
The Mini Shai-Hulud attack reveals an uncomfortable but important truth about privacy technology: the properties that make a tool excellent for protecting legitimate users are often the same properties that make it attractive for abuse. Session’s decentralization, its onion routing, its resistance to takedown — all of these are features, not flaws. They protect dissidents in authoritarian states with exactly the same mechanism that protected stolen AWS credentials for a few hours in May 2026.
Security organizations were right to block *.getsession.org as an emergency defensive measure. And Session remains exactly what it has always been: a serious, carefully designed, decentralized encrypted messenger that goes further than any mainstream alternative to protect user anonymity at the network layer.
getsession.org is the official, legitimate website of Session Messenger. The domain’s inclusion in security blocklists is a form of collateral blocking in response to an active attack — analogous to blocking a legitimate courier service because criminals used it to ship stolen goods. The blocks reflect the attack, not Session’s integrity as software. Session continues to serve millions of users for whom metadata-resistant, phone-number-free, censorship-resistant communication is not a luxury but a necessity.
