Detect and mitigate malicious npm packages linked to the latest Mini Shai-Hulud supply chain campaign targeting high-value developer tooling.
Wire Fire Episode 01. Six weeks of supply-chain compromise on the npm registry, ending on 12 May 2026 with the Shai-Hulud worm source going public. 31 March: state-sponsored operators (Microsoft Sapphire Sleet, Mandiant UNC1069) backdoor axios versions 1.14.1 and 0.30.4 for three hours, tagged latest; roughly 100 million weekly downloads. 29 April: Mini Shai-Hulud hits four SAP-related npm packages. 11 May 19:20 to 19:26 UTC: 84 versions across 42 TanStack packages, then @uipath, @mistralai/mistralai, OpenSearch, Guardrails AI; 172 packages and 403 versions inside 48 hours, ~518M cumulative downloads. 2025 alone: 454,648 malicious npm packages; more than 99 per cent of all open-source malware now targets npm. The architectural answer has been quietly available for decades.
Shell script to detect TanStack npm supply chain attack indicators (CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx) - fabriziosalmi/tanstack-compromise-checker
Hunt.io analyzes the 13-file Python toolkit TeamPCP deploys after a supply chain compromise, documenting FIRESCALE, victim-hosted exfiltration, and infrastructure pivots that prior vendor reporting missed.
On supply chain attacks, the cost of trust, and why free software is not the same as safe software
Teardown of TeamPCP's offensive framework that was briefly published on GitHub, Reddit AMA on a career in physical penetration testing, the end of "opaque defense": AI makes understanding defensive tool implementations easy
Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers.
Over 400 malicious versions of 170 packages were published as part of the new Mini Shai-Hulud campaign.