Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised
A supply chain campaign called "Mini Shai-Hulud" has compromised multiple npm packages, including high-value TanStack developer tooling. The campaign appears to be an ongoing effort targeting critical npm infrastructure.
- Disclosed
- Last updated
- Blast radius
- Multiple high-value npm packages including TanStack ecosystem
- Ecosystems
- Attack vectors
- Affected entities
- TanStack ecosystem packagesMultiple packages targeted; specific versions not provided in available excerpt
- Other npm packagesReferenced as part of Mini Shai-Hulud campaign; specific names and versions not detailed
The Mini Shai-Hulud supply chain campaign has struck again, this time compromising multiple npm packages including those from the widely-used TanStack ecosystem. TanStack provides critical developer tooling that is relied upon by large segments of the JavaScript/TypeScript community.
This campaign represents a targeted attack on high-value packages within the npm ecosystem, seeking to distribute malicious code through popular dependencies. The use of the "Mini Shai-Hulud" campaign name suggests this is part of a coordinated, ongoing effort rather than an isolated incident.
The incident was reported by Wiz, a cloud security firm, on May 12, 2026. The blog post references detection and mitigation strategies for the malicious packages, indicating the threat was actively being tracked at the time of publication.
Indicators of compromise
- Packages
- tanstack
Remediation
- Identify and audit all npm dependencies from TanStack and associated packages in your supply chain
- Review package versions and compare against known-compromised versions from the Mini Shai-Hulud campaign
- Implement enhanced dependency scanning and monitoring for npm packages
- Follow Wiz's detection and mitigation guidance for compromised packages
- Consider pinning dependencies to known-safe versions pending patched releases
- Monitor npm registry and security advisories for updated threat information
Sources
Cite this entry
"Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed May 12, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised-19yya2
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malware in @doaction/auth
Malware discovered in the npm package @doaction/auth. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in @doaction/shared
Malware was discovered in the npm package @doaction/shared. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in transacts
The npm package transacts was found to contain malware, resulting in full system compromise of any computer with the package installed or running. All secrets and keys should be rotated immediately from a different computer, and the package should be removed.
npmCompromised package - containedcritical
Malware in buffer-utilities
Malware was discovered in the npm package buffer-utilities, resulting in full system compromise for any installation. The package should be removed immediately and all secrets and keys rotated from a clean system.
npmCompromised package