Mini Shai-Hulud Hits TanStack npm Packages
https://www.infosecurity-magazine.com/news/mini-shai-hulud-tanstack-npm/
Publish Date: 2026-05-29 02:44:24
Source Domain: www.infosecurity-magazine.com
Summary:
A supply chain attack attributed to the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages. The attackers abused the project's legitimate release pipelines to publish hundreds of malicious package versions, mostly between mid-April and mid-May, so the releases looked authentic to downstream consumers. The malicious versions targeted continuous integration systems, GitHub Actions in particular, and were built to steal credentials. Socket's analysis identified malicious versions of 84 packages in the TanStack namespace, including the heavily downloaded @tanstack/react-router. Among other techniques, the attack used GitHub Actions cache poisoning, and the malicious code ran when a compromised version was installed. The campaign extended beyond TanStack to packages from UiPath, Mistral AI and OpenSearch, and to PyPI. The GitHub Advisory Database rated the issue critical and advised developers and CI systems affected by the May 11, 2026 attacks to rotate credentials and review the related cloud audit logs for signs of compromise.
Key Points:
- A Mini Shai-Hulud supply chain attack compromised 84 TanStack npm packages, with continuous integration systems as the primary target.
- Techniques included GitHub Actions cache poisoning and extraction of OpenID Connect (OIDC) tokens from the running CI job.
- The malicious versions shipped a large, obfuscated payload built to steal credentials.
- The compromised TanStack versions carried valid SLSA provenance attestations because they were published through the project's legitimate release process, so a passing provenance check alone did not indicate a clean release.
- The credential theft reached across developer ecosystems, including GitHub, GitLab, AWS, Google Cloud Platform and others.
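Because the malicious versions passed provenance checks, a practical first triage step is to list which installed packages from an affected scope were resolved to versions published inside the attack window, then review those by hand. The script below is an added example, not code from the article, Socket or the TanStack project; the lockfile fragment, the registry publish times and the review window (loosely taken from the article's "mid-April to mid-May 2026") are all constructed assumptions. In real use the per-version times come from the `time` field of the registry document at https://registry.npmjs.org/<name>.

```python
"""Flag installed npm packages from a scope whose resolved version was
published inside a date window (package-lock.json v2/v3 "packages" format).

Added example; lockfile, registry times and window are constructed, not real
data about the TanStack compromise.
"""
import json
from datetime import datetime, timezone

# Constructed lockfile fragment (versions are not real resolved versions).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@tanstack/react-router": "^1.0.0"}},
        "node_modules/@tanstack/react-router": {"version": "1.2.3"},
        "node_modules/@tanstack/router-core": {"version": "1.2.4"},
        "node_modules/@tanstack/history": {"version": "1.0.9"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed publish times, shaped like the registry "time" field
# ({version: ISO-8601 timestamp}); @tanstack/history is deliberately absent.
SAMPLE_REGISTRY_TIMES = {
    "@tanstack/react-router": {
        "1.2.2": "2026-03-01T00:00:00.000Z",
        "1.2.3": "2026-05-11T10:00:00.000Z",
    },
    "@tanstack/router-core": {
        "1.2.4": "2026-03-20T00:00:00.000Z",
    },
}

# Assumed review window (adjust to the advisory you are acting on).
WINDOW_START = datetime(2026, 4, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 20, tzinfo=timezone.utc)


def installed_versions(lock_json: str, scope: str) -> dict:
    """Return {name: version} for installed packages under `scope` (e.g. "@tanstack")."""
    lock = json.loads(lock_json)
    found = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project, not a dependency
        # Nested installs look like node_modules/a/node_modules/@scope/b
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(scope + "/") and "version" in entry:
            found[name] = entry["version"]
    return found


def parse_npm_time(ts: str) -> datetime:
    """Parse a registry timestamp such as 2026-05-11T10:00:00.000Z as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def flag_in_window(installed: dict, registry_times: dict,
                   start: datetime, end: datetime) -> tuple:
    """Split installed packages into (flagged, unknown).

    flagged: sorted (name, version, published_iso) published within [start, end].
    unknown: sorted (name, version) with no publish time available; these need
    a registry lookup rather than being silently treated as safe.
    """
    flagged, unknown = [], []
    for name, version in installed.items():
        ts = registry_times.get(name, {}).get(version)
        if ts is None:
            unknown.append((name, version))
            continue
        published = parse_npm_time(ts)
        if start <= published <= end:
            flagged.append((name, version, published.isoformat()))
    return sorted(flagged), sorted(unknown)


if __name__ == "__main__":
    installed = installed_versions(SAMPLE_LOCK, "@tanstack")
    flagged, unknown = flag_in_window(installed, SAMPLE_REGISTRY_TIMES,
                                      WINDOW_START, WINDOW_END)
    for name, version, published in flagged:
        print(f"REVIEW  {name}@{version} published {published}")
    for name, version in unknown:
        print(f"LOOKUP  {name}@{version} (no publish time available)")
```

A hit only means "published in the window, review it"; compare against the advisory's list of malicious versions before acting. Treat the `unknown` list as work to do, not as clean, and pair this with rotating any CI credentials and OIDC-trusting cloud roles that a flagged build could have reached, which is the remediation the advisory calls for.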