THREAT OPS › Threat News › TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack
TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack
On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stole
Original source: https://snyk.io/blog/tanstack-npm-packages-compromised/