THREATOPS
THREAT OPSThreat News › TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack

TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack

infosnykPublished 2026-05-11

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stole

Original source: https://snyk.io/blog/tanstack-npm-packages-compromised/