Mini Shai-Hulud Hits TanStack npm Packages

By Team-CWD, May 13, 2026


A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain attack affecting developer ecosystems, including packages tied to UiPath, Mistral AI, OpenSearch and PyPI.

In April, Mini Shai-Hulud initially targeted SAP-related packages before culminating in its largest wave in mid-May, in which attackers hijacked legitimate release pipelines to publish hundreds of malicious package versions.

According to new analysis by Socket, 84 npm package artifacts in the TanStack namespace were modified with suspected credential-stealing malware targeting continuous integration systems, including GitHub Actions.

At least one affected package, @tanstack/react-router, receives more than 12 million weekly downloads, Socket claimed.

How the TanStack Compromise Worked

TanStack said the attacker published 84 malicious versions across 42 @tanstack/* packages on May 11, 2026, between 19:20 and 19:26 UTC.

The project said the attack chained the pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning and runtime extraction of an OpenID Connect (OIDC) token from runner process memory.

“No npm tokens were stolen and the npm publish workflow itself was not compromised,” TanStack clarified.

The malicious package versions contained a newly added router_init.js file. Socket described the file as a heavily obfuscated 2.3MB payload with daemonization, access to GitHub-related environment variables, temporary file staging and remote dispatch behavior.

Socket also identified an optionalDependencies entry that resolved to an orphan commit in the TanStack/router repository. That commit introduced a package named @tanstack/setup and a prepare lifecycle hook, allowing code to execute automatically during installation.
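
One way to check a package manifest for the traits described above, as an added example (not code from Socket, TanStack or the original article): it flags dependency entries that resolve outside the registry, install-time lifecycle scripts and the router_init.js filename. The manifests, the exact dependency spec string, the placeholder commit hash and the script command are constructed for illustration.

```javascript
// Added example; manifests below are constructed and the commit hash is a placeholder.

// Dependency specs that bypass the registry: git URLs, host shorthands,
// bare "owner/repo#ref", remote tarballs and local paths.
const NON_REGISTRY = [
  /^git(\+\w+)?:/i,
  /^git@/i,
  /^(github|gitlab|bitbucket|gist):/i,
  /^https?:\/\//i,
  /^file:/i,
  /^[\w.-]+\/[\w.-]+(#.+)?$/,
];

// Scripts npm may run while installing a package or a git dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function isNonRegistrySpec(spec) {
  return typeof spec === "string" && NON_REGISTRY.some((re) => re.test(spec.trim()));
}

// Returns one finding per suspicious trait in a parsed package.json and tarball file list.
function auditManifest(manifest, files = []) {
  const findings = [];
  for (const field of ["dependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isNonRegistrySpec(spec)) findings.push({ rule: "non-registry-dependency", field, name, spec });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd) findings.push({ rule: "install-time-script", hook, cmd });
  }
  for (const file of files) {
    if (/(^|\/)router_init\.js$/.test(file)) findings.push({ rule: "payload-filename", file });
  }
  return findings;
}

// Constructed inputs: a published manifest, the git dependency it pulls in, and a clean control.
const published = {
  name: "@example/router",
  optionalDependencies: { "@tanstack/setup": "github:TanStack/router#0000000000000000000000000000000000000000" },
};
const gitDependency = { name: "@tanstack/setup", scripts: { prepare: "node ./placeholder.js" } };
const clean = { name: "@example/clean", dependencies: { react: "^18.2.0" }, scripts: { test: "vitest" } };

console.log(auditManifest(published, ["package/package.json", "package/router_init.js"]));
```

A finding is a prompt for review rather than proof of compromise, since git dependencies and prepare scripts also have legitimate uses.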

StepSecurity said the compromised packages carried valid SLSA Build Level 3 provenance attestations because the attacker abused the legitimate release pipeline.

“SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended,” the company said. “A compromised build step can produce a validly-attested but malicious package.”

Campaign Spreads Across npm and PyPI

Wiz attributed the activity with high confidence to TeamPCP, which it linked to earlier compromises affecting SAP, Checkmarx, Bitwarden, Lightning, Intercom and Trivy.

The Wiz analysis said the payload targets GitHub Actions OIDC, GitLab, CircleCI, AWS, Google Cloud Platform, Azure, Kubernetes, HashiCorp Vault and package registry tokens.

The malware used three exfiltration routes, according to Wiz:

  • Typosquat domain git-tanstack[.]com

  • Session messenger network

  • GitHub API dead drops using stolen tokens

Wiz also observed a gh-token-monitor daemon on developer machines. The daemon polled GitHub every 60 seconds and could attempt to wipe the user’s home directory if a monitored token was revoked, although Wiz said it exited automatically after 24 hours.

The campaign later expanded beyond TanStack. Socket said additional compromised artifacts included OpenSearch npm versions, PyPI mistralai 2.4.6, PyPI guardrails-ai 0.10.1 and further @squawk packages.

The GitHub Advisory Database rated the TanStack issue critical and warned that any developer or continuous integration environment that installed an affected version on May 11, 2026, should be considered compromised.

It advised rotating credentials reachable from the install process and reviewing cloud audit logs for activity from affected hosts.


