Trust: 83
Verified
Web Verified
nan.wnon · Threads · 28d ago
BREAKING: 84 TanStack npm packages were compromised in an ongoing Mini Shai-Hulud supply chain attack, adding suspected CI credential-stealing malware.
Socket flagged every malicious version within six minutes of publication. This is a developing story.
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
Well, if the token is revoked it triggers rm -rf ~/ instead. That adds to the workload.
Trust Metrics
Accuracy: 92%
Framing: 85%
Context: 70%
Tone: 72%
Analysis Summary
TanStack npm packages and related libraries were hit by a coordinated supply chain attack on May 11 that injected malware designed to steal CI credentials from GitHub Actions environments. Developers using TanStack packages (especially React Router) should immediately rotate any credentials that may have been exposed, update to patched versions, and audit their CI logs for suspicious token activity. The attack chained multiple techniques including GitHub Actions cache poisoning and OIDC token extraction from runner memory, making it harder to detect than typical malware; this represents an escalation in supply chain sophistication.
Claims Analysis (3)
“84 TanStack npm packages were compromised in an ongoing Mini Shai-Hulud supply chain attack”
Confirmed by multiple sources (Snyk, Wiz, CyberPress, GBHackers) reporting 84 compromised packages across TanStack and related namespaces on May 11, 2026.
“Attack adds suspected CI credential-stealing malware”
Multiple sources confirm the malware is designed to steal CI/OIDC tokens from GitHub Actions runner memory and harvest secrets from continuous integration environments.
“Socket flagged every malicious version within six minutes of publication”
Post cites Socket.dev as source. Independent sources confirm Socket's role but do not independently verify the 'six minutes' claim; this comes from Socket's own reporting, which may be accurate but is single-sourced.