On May 11, 2026, at approximately 19:20 UTC, a wave of malicious npm package versions began appearing in the registry. Within six minutes, 84 package artifacts had been published across the @tanstack namespace. What followed was quickly confirmed as the latest wave of Mini Shai-Hulud, a self-propagating supply chain worm attributed to a group called TeamPCP, with damage extending well beyond TanStack alone.
TanStack packages like @tanstack/react-router see over 12 million weekly downloads. The Mistral AI SDK is installed across a significant share of AI-integrated Node.js applications. If you ran npm install against the latest tag on any of these packages today, there is a good chance you pulled in something you did not intend.
How the worm gets in
The entry point is a standard npm feature: preinstall scripts. When you install a package that defines a preinstall hook, npm runs that script automatically before placing the package into node_modules. No prompt, no confirmation. It just runs.
The compromised versions used that hook to download and install the Bun JavaScript runtime. Bun sidesteps the monitoring and logging that typically wraps Node.js process execution in CI environments, and the choice appears deliberate. Once Bun was in place, it executed a 2.3 MB obfuscated payload embedded in the package itself.
The whole sequence, from npm install to payload execution, happens silently, in the background, before your build even starts.
What the payload does
The obfuscated payload is a credential harvesting engine with two jobs: steal everything it can find, then spread.
It reads GitHub Actions runner process memory to extract environment secrets, then walks over 100 file paths and local endpoints looking for credentials across cloud providers (the AWS instance metadata service, Secrets Manager, and SSM; HashiCorp Vault; Kubernetes service account tokens), cryptocurrency wallets, AI developer tools, and messaging applications. Whatever was accessible to the process running your install step, it tried to take.
Exfiltration routes the harvested data through two channels: the Session Protocol decentralized messaging network, with the full Session protocol stack bundled inside the payload, and GitHub’s own GraphQL API. Through the GraphQL channel, the worm authors dead-drop stolen data in commits disguised as Dependabot dependency updates, using branch names drawn from the Dune universe.
To spread, the payload steals the npm OIDC token available in the GitHub Actions environment and uses it to publish infected versions of every package the compromised maintainer controls. That is how 84 artifacts appeared within six minutes: one maintainer account was enough to create the cascade.
The payload also installs persistence hooks into Claude Code, VS Code, and OS-level services that survive reboots. On a developer workstation, the exposure window is considerably longer than on a clean CI runner.
What makes this one different
This wave of Mini Shai-Hulud is the first documented npm worm to produce validly attested malicious packages. The compromised packages carry valid SLSA Build Level 3 provenance attestations, a mechanism designed to give consumers confidence that a package was built from a known source repository by a known pipeline.
The worm published through the legitimate GitHub Actions pipelines of the accounts it compromised, using stolen OIDC tokens. The attestations are genuine. They attest to a build pipeline that had already been taken over. Provenance attestations verify the build process; they say nothing about whether the actor running that pipeline still has control of their account. This incident draws a clear line between those two things.
What was compromised
The confirmed affected namespaces and packages include:
- @tanstack: 42 packages, 84 versions, including @tanstack/react-router and related packages published May 11, 2026
- @mistralai/mistralai: versions 2.2.2, 2.2.3, 2.2.4
- @mistralai/mistralai-azure: versions 1.7.1, 1.7.2, 1.7.3
- @mistralai/mistralai-gcp: versions 1.7.1, 1.7.2, 1.7.3
- Other affected namespaces: @squawk, @uipath, @tallyui, @beproduct, @draftlab, @draftauth, @taskflow-corp, @tolka, and several unscoped packages
TanStack maintainers moved quickly. Tanner Linsley confirmed the compromise on X and the team began running unpublish scripts and shutting down their publishing pipelines within hours of detection. That work was underway on the same evening the attack hit.
What teams should do
If you run any of the affected packages, the steps are reasonably straightforward. All of them need to happen, not just the first.
- Check your lock file immediately. If your package-lock.json or yarn.lock pins any @tanstack or @mistralai package version published on May 11, 2026, treat that installation as compromised. Lock files record versions and integrity hashes, not publish dates, so compare the pinned versions against the registry's publish history (npm view <package> time --json) or against the affected-version list above.
- Pin to a pre-compromise version. For TanStack packages, the last safe versions are those published before May 11, 2026. Check the npm release history for each package. For Mistral, avoid 2.2.2 through 2.2.4 of @mistralai/mistralai and 1.7.1 through 1.7.3 of the Azure and GCP variants. After repinning, delete node_modules and reinstall from the corrected lock file; a pin on its own does not remove what an earlier install already put on disk.
- Rotate all CI/CD secrets immediately. GitHub Actions secrets, AWS credentials, Vault tokens, Kubernetes service account keys. Assume anything accessible to a process running on the affected runner is compromised. Rotate first, investigate after.
- Audit GitHub Actions logs for unexpected Bun installations, outbound connections to Session Protocol infrastructure, or Dependabot-styled commits you did not initiate.
- If the install ran on a developer machine, check for persistence hooks in ~/.claude/, VS Code extension directories, and OS-level startup services. The payload explicitly targets those locations.
- Audit transitive dependencies. You may not directly depend on @tanstack/router, but something you depend on might. Check the full resolved dependency tree, not just your direct dependencies.
- Re-examine packages published from your own accounts today. If a compromised package infected a CI pipeline you share with your own npm account, the worm may have used your publishing credentials too.
The credential rotation step is the one most likely to get skipped in the rush to pin the right package version. Pinning the dependency stops further infection. Rotating credentials closes the window on whatever was already taken.
This incident also surfaces a broader preparedness gap. Knowing that TanStack was compromised is easy once the reports are public. Knowing whether your specific lock file, across every service and monorepo your team runs, pulled in any of the 84 affected artifacts through transitive paths two or three hops deep is a different problem entirely. Teams that had complete dependency inventory across their builds were able to answer that question in minutes. Teams that had to trace dependencies manually spent hours on triage that could have been spent on remediation.
The pattern of Mini Shai-Hulud suggests future waves are likely. Having your dependency graph mapped before an incident lands is what turns a multi-hour fire drill into a focused, bounded response.